Manage IdP Profile Settings

Table 1. Profile Settings
| Setting | Description |
| --- | --- |
| Domain | The domain used by the IdP to manage and authenticate user identities. |
| Description | A brief summary of the IdP profile. |

Table 2. IdP Connection Settings
| Setting | Description |
| --- | --- |
| IdP Entity ID | The IdP unique identifier URL. URLs must begin with https. |
| SSO Binding | Select HTTP POST to send messages within the body of an HTTP POST request. Select HTTP Redirect to send encoded messages as query parameters in the URL of an HTTP GET request. Data is visible in the URL and is limited by the maximum URL length supported by browsers and servers. |
| SSO URL | The endpoint where SSO authentication requests are sent. URLs must begin with https. |
| SSO Sign Request | Select SSO Sign Request to enhance SSO security. By signing the SSO request, you ensure its authenticity and integrity, confirming that it has not been tampered with. |
| SLO Binding | Single Logout (SLO) allows users to sign out from multiple applications or services with a single action. Select HTTP POST to send messages within the body of an HTTP POST request. Select HTTP Redirect to send encoded messages as query parameters in the URL of an HTTP GET request. |
| SLO URL | The endpoint where logout requests are sent to start the SLO process. This URL ensures that when a user logs out from one service, they are also logged out from all connected services. URLs must begin with https. |
| SLO Response URL | The endpoint where the Service Provider (SP) sends logout response messages after receiving a logout request from the IdP. This URL is used to confirm the completion of the SLO process. URLs must begin with https. |
| Verification Certificate | The digital certificate used to verify the authenticity and integrity of messages exchanged between the IdP and SPs. To update the verification certificate for this IdP profile, select , and then choose an existing certificate from the drop-down list. Alternatively, select Manage IdP Profile Certificates to import a new certificate. |

Table 3. Attribute Mapping Settings
| User Profile Attribute | SAML Attribute |
| --- | --- |
| First Name | The URL or endpoint where the IdP provides the user's given name. |
| Last Name | The URL or endpoint where the IdP provides the user's family name or surname. |
| Email | The URL or endpoint where the IdP provides the user's email address. |
| Group | The URL or endpoint where the IdP provides the user's group memberships. |

Group Name Mapping
Specifies how group names from the IdP are translated, or mapped, to the corresponding group names in ExtremeCloud IQ:
  • Select the IdP Group, ExtremeCloud IQ Group, and Site(s) for each group name map.
  • Select Add a group name mapping to add a new group map row.
  • Select to delete a group map.
  • Select and drag the row to reorder the group mappings. Processing stops at the first rule, in order, whose group the user matches. Rules are enforced top down, once a user is in the first group in a rule, the
Determine what action ExtremeCloud IQ should take for users that do not match a defined group name mapping:
  • Deny user login.
  • Allow user login and assign a default user group (select a default group).
Note: When defining Group Mappings for the Operator, Monitor, Help Desk, Observer, and Installer roles, you must define sites to view managed devices. Administrators have global oversight, so site-specific group mappings are ignored. Sites are ignored for Guest Management accounts. However, Guest Management accounts must be added to a Credential Distribution group to view and create guest accounts; see Add a Credential Distribution Group.
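
The top-down, first-match evaluation and the unmatched-user choice described above can be modeled as follows. This is an added sketch, not ExtremeCloud IQ code: the `GroupMap` type, the function names, the sample IdP group names, exact-string matching, and the empty site list for the default group are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class GroupMap:
    idp_group: str       # group name asserted by the IdP
    xiq_group: str       # ExtremeCloud IQ group assigned on match
    sites: tuple = ()    # site scope selected for this row

# Constructed sample rows, in table order (top row first).
MAPPINGS = [
    GroupMap("net-helpdesk", "Help Desk", ("Site-A",)),
    GroupMap("net-admins", "Administrator", ("Site-A",)),
    GroupMap("net-helpdesk", "Operator", ("Site-B",)),  # same IdP group as row 0
]

def resolve(idp_groups, mappings, default_group=None):
    """Return (group, sites) for a user, or None when login is denied."""
    asserted = set(idp_groups)  # assumption: exact, case-sensitive match
    for row in mappings:        # top down; stop at the first match
        if row.idp_group in asserted:
            # Per the note: sites are ignored for administrators (None = global).
            sites = None if row.xiq_group == "Administrator" else row.sites
            return row.xiq_group, sites
    if default_group is not None:   # "allow login and assign a default group"
        return default_group, ()    # assumption: no site scope on the default
    return None                     # "deny user login"

def shadowed_rows(mappings):
    """Indexes of rows that can never match: an earlier row has the same IdP group."""
    seen, dead = set(), []
    for index, row in enumerate(mappings):
        if row.idp_group in seen:
            dead.append(index)
        seen.add(row.idp_group)
    return dead

if __name__ == "__main__":
    both = ["net-helpdesk", "net-admins"]
    print(resolve(both, MAPPINGS))                    # top row decides
    print(resolve(both, [MAPPINGS[1], MAPPINGS[0]]))  # same user after reordering
    print(resolve(["contractors"], MAPPINGS))         # unmatched, deny option
    print(resolve(["contractors"], MAPPINGS, "Observer"))
    print(shadowed_rows(MAPPINGS))
```

Because evaluation stops at the first match, a user who belongs to several IdP groups receives whichever mapping is listed highest, so row order should be reviewed together with the unmatched-user setting.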