Identity Provider Connector (IdP Connector)

Some online services (also known as "service providers") allow you to log in using third-party online services (also known as "identity providers").

Identity Provider Connector (IdP Connector) of ESA enables adding two-factor authentication between any cloud service (service provider) and identity providers, which use SAML standard.

Service and Identity Provider using SAML standard

1.There is always a Service Provider (SP) and an Identity Provider (IdP), and they need to know about each other. For example, the SP needs to know the metadata URL of the IdP and vice versa.

2.The user goes to the SP to log in but is redirected to the IdP.

3.After successful login to the IdP, the user is redirected back to the SP with signed information about their identity.

4.The SP verifies the signature and then reads the user information, also called "claims".

Some services (SP, IdP) provide their configuration (URLs, certificate details) as SAML metadata file.

 

When ESA IdP Connector is implemented between a service provider and identity provider (later called "original identity provider"), the communication roles are as follows:

The Service Provider (SP) uses ESA IdP Connector as the identity provider (IdP)

The original IdP uses ESA IdP Connector as the SP

ESA IdP Connector handles the request from the SP and contacts the original IdP to verify the first factor

ESA IdP Connector provides 2FA interface to verify the second factor

esa_icp

Requirements

ESA Identity Provider Connector (ESA IdP Connector) installed

Identity provider (IdP) and Service provider (SP), both using SAML standard

All certificates involved in the communication (singing certificate, decryption certificate, SSL certificate) must be valid

 

Identity providers tested with ESET Secure Authentication

OpenAM

Okta

Azure AD

AD FS

Shibboleth

Keycloak

 

Service providers tested with ESET Secure Authentication

Dropbox

Confluence

 


note

Custom logo

If you want a custom logo to be displayed in the screen waiting to enter OTP, or approve a notification instead of the default ESET Secure Authentication logo, follow the steps below. All the steps are performed on the computer where compatible ESA component (Web App plugin, AD FS protection, Identity Provider Connector) is installed.

1.Save the desired logo as a .png image file. Recommended maximum dimension is 350px x 100px (width x height).

2.Place the logo to C:\ProgramData\ESET Secure Authentication\Customization\ and name it "logo.png".

 

Proceed to the configuration of Identity Provider Connector in ESA, or see our configuration examples.

Instructions to replace ESA IdProvider Connector certificate