LESSON
Creating an Identity Provider
Description
Learn how to configure an Identity Provider.
Video recorded using: Ignition 8.3
Transcript
[00:00] In this video, we'll take a look at the steps needed to create an identity provider and the available properties. Identity providers, or IDPs for short, create, maintain, and manage identity information for principals while providing authentication services to applications within a federation or distributed network. We can connect to IDPs to allow users to log into Ignition using credentials stored within those IDPs, and the IDPs will handle the authentication. To start, I'll navigate to Platform > Security > Identity Providers. Ignition automatically creates an identity provider tied to the default user source. To create a new one, I'll click the Create Identity Provider button. Here we can connect to these three types of identity providers: Internal, OpenID Connect 1.0, and Security Assertion Markup Language 2.0. We'll look at the properties for each, but let's start with the Internal IDP. Every IDP connection we create will have these general properties in common, which are pretty self-explanatory.
[01:04] The provider type here is selected from the previous page. Now for the properties specific to internal IDPs. Internal IDPs use Ignition user sources for authentication, which can be selected from this dropdown. Check out our user source videos if you'd like to see how to create or configure those. Beyond this, we can define the time it takes before a session will expire due to inactivity, we can configure an expiration for "remember me" selections, and we can choose whether users must authenticate with username and password, badges, or both. For the other two identity provider types, the configuration will be specific to your setup, but we can go over the general requirements first. Before configuring the Ignition connection, you'll need to be registered as a client. Your specific identity provider will have its own registration workflow, but it will most likely request something called a return URL or a redirect URI. These paths utilize your gateway address or host name and depend on the type of provider. I'll show the format of these on the screen now. Once registration is complete, the provider should generate a client ID and secret for Ignition, which will be needed for the connection.
[02:08] Let's take a look at the properties for OpenID Connect, or OIDC for short. The easiest method for creating this connection would be to import the metadata directly from the provider via a URL to a configuration document or JSON file. After importing, you'll only need to add the client ID and secret manually. However, the imported data can be revised if needed. That data will include things like the URLs for the authentication and token endpoints, the issuer (the entity that issues a set of claims), and a list of signing keys to validate signatures. Again, these things will depend on your setup, so it's best to reference your provider. The Security Assertion Markup Language, or SAML, connection also has the ability to import metadata from the provider for ease of use, and that data can be revised as well. The data includes things like the IDP Entity ID, the SSO service URL, and signature-verifying keys and certificates.
[03:04] Its values will probably require that you refer to information from your third-party IDP. I'll include a link to our user manual pages with examples of connecting to both an OIDC and a SAML IDP for your reference. I'll go back and select the internal provider again to set up a quick example. I'll call this IDP "My IDP", and I'm going to link it to the user source that I've already created. I'll leave the other properties on their default values, and then I'll click Create Identity Provider. Now it'll show up on my list of identity provider resources, and it can be selected as my method of authentication anywhere that uses IDPs.
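To make the OIDC import step concrete, here is an added example (not Ignition's code and not part of the lesson) that parses a constructed discovery document and key set of the kind a provider publishes, and applies the checks an administrator would want before trusting the imported values: the issuer matches the provider registered with, the endpoints are HTTPS only, unsigned ID tokens are not advertised, and a token's key ID resolves to a published signing key. The issuer URL, hostname, and key ID are placeholders, not a real provider's values.

```python
import json
from urllib.parse import urlparse

# Constructed OIDC discovery document (the "configuration document or JSON
# file" the lesson imports). The hostname is a placeholder, not a real IdP.
DISCOVERY_JSON = """{
  "issuer": "https://idp.example.test",
  "authorization_endpoint": "https://idp.example.test/oauth2/authorize",
  "token_endpoint": "https://idp.example.test/oauth2/token",
  "jwks_uri": "https://idp.example.test/oauth2/keys",
  "id_token_signing_alg_values_supported": ["RS256"]
}"""

# Constructed JWKS (the "list of signing keys to validate signatures").
# Key material is elided; only the identifying fields matter for the lookup.
JWKS_JSON = """{"keys": [
  {"kty": "RSA", "kid": "key-2024", "use": "sig", "alg": "RS256", "n": "...", "e": "AQAB"}
]}"""

REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def check_discovery(doc_text, expected_issuer):
    """Return a list of problems with an imported discovery document (empty means OK)."""
    doc = json.loads(doc_text)
    problems = [f"missing {key}" for key in REQUIRED if key not in doc]
    if problems:
        return problems
    # Every ID token's `iss` claim is compared against this value, so it must be
    # exactly the provider we registered the client with.
    if doc["issuer"].rstrip("/") != expected_issuer.rstrip("/"):
        problems.append(f"issuer mismatch: {doc['issuer']} != {expected_issuer}")
    # Authorization codes, the client secret and tokens travel to these
    # endpoints, so each must be reachable over TLS only.
    for key in REQUIRED[1:]:
        if urlparse(doc[key]).scheme != "https":
            problems.append(f"{key} is not https: {doc[key]}")
    # A provider advertising alg "none" could hand out unsigned ID tokens.
    if "none" in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("provider advertises unsigned ID tokens (alg none)")
    return problems


def find_signing_key(jwks_text, kid, allowed_algs=("RS256",)):
    """Look up the key an ID token header's `kid` names; None unless it is a
    published signature key with an allowed algorithm."""
    for key in json.loads(jwks_text)["keys"]:
        if (key.get("kid") == kid and key.get("use", "sig") == "sig"
                and key.get("alg", "RS256") in allowed_algs):
            return key
    return None
```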