Roles

These are the roles that are needed:

  • Admin

SAML Authentication

iconik supports authentication via SAML2.0 and this allows you to connect to external authentication such as OKTA, OneLogin, Microsoft ADFS or Google G-Suite.

Overview

With iconik's SAML 2.0 integration you can tie authentication and authorization of your users to an external data source, such as an Active Directory or other enterprise directory service. This guide will explain how to set up SAML 2.0 integration with OKTA, Microsoft ADFS and Google G-Suite. If you need assistance configuring authentication with another source then please contact support.

Terminology

This section introduces some SAML terms and what they mean in iconik.

Identity Provider (IdP) : An entity which authenticates the user and provides claims about the users identity and attributes.

Service Provider (SP) : An entity which provides a service to the user (iconik) in this case.

Principal : The iconik user

Claim : An attribute of the user's identity, such as a first or last name, an email address or group membership.

Security considerations

One benefit with setting up SAML integration is that iconik only has access to the email, name and group membership of the user. The user's password or other authentication token is only handled by the user's browser and the IdP.

No firewall needs to be opened to transfer the authentication information from the IdP to iconik. All information is transfered through the user's browser so as long as the user can access both the IdP and iconik they can log in. This means that the endpoint used by the IdP can reside on your internal network without the need to expose it to the Internet.

Configuration

SAML requires setup both on the IdP side and the SP side of an integration. Your IdP likely provides its own documentation on how to configure the SAML 2.0 integration but but we provide walk-throughs for the most common Identity Providers.

New iconik configuration

Login to iconik then:

  1. Click on ADMIN in the top navigation.
  2. Choose Settings from the left navigation bar.
  3. Choose Identity Providers from the menu that appears.
  4. Click + NEW IDENTITY PROVIDER.
  5. Choose the AI provider from the list. If yours isn't available choose GENERIC.
  6. Fill in the parameters as provided by the provider.
    1. Alternatively upload a IDP metadata XML
  7. Click

Learn more