Setup Multiple IDPs login using IDP Selection Page


By default, every application redirects to the default IDP selected in your tenant.

This is set to miniOrange Internal Directory when you create an account. If you want users of a particular application to log in with a specific external IDP that differs from the default IDP, select it as the Primary Identity Provider in that app's configuration screen.

If you want to use multiple identity sources to log in to your application, miniOrange provides a few ways to achieve this.

  • Domain Mapping: With this setup, users enter their email address or domain, which is matched against a pre-configured mapping in the Identity Providers configuration, and they are authenticated by the IdP associated with that domain.
  • IdP Selection Page: Also referred to as the discovery flow, this page is shown to users when they initiate login and lets them choose their Identity Provider.
  • URL Parameters: If the SSO request carries a sourceId parameter that specifies the IDP identifier in miniOrange, the Domain Mapping and IdP Selection Page are skipped and the user is redirected directly to that IDP. For example, the following URL is meant to redirect the user to ADFS: https://<organisation-name>.xecurify.com/moas/idp/openidsso?sourceId=ADFS

Configuring Domain Mapping Flow

The steps are the same across app types. Edit your Identity Provider or External Directory settings and add the domain in the Domain Mapping field as shown in the screenshots below:

  • Log in to the miniOrange Admin Console.
  • From the left navigation bar, select Identity Providers >> Add Identity Provider.
    [Screenshot: Add Identity Provider to configure SSO]
  • Go to the Domain Mapping field under each IdP (such as SAML, OAuth, JWT, etc.). Admins can enter domains separated by commas (e.g., miniorange.com, xecurify.com), as shown in the screenshot. Users logging in from any of these domains will be redirected to that IDP for authentication.
    [Screenshot: Scroll to Domain Mapping]
  • Click on Save.

Please note the following rules for Domain Mapping Flow:

| Default IDP | Domain found in any IDP? | Is domain mapping present in default IDP? | Resulting behaviour |
|---|---|---|---|
| miniOrange | No | N/A | Credentials will be authenticated against miniOrange |
| miniOrange | Yes | N/A | Credentials will be authenticated against the specific IDP where the domain is mapped |
| Identity Provider or External Directory | Yes | Yes | Credentials will be validated against the specific IDP |
| Identity Provider or External Directory | No | No | Credentials will be validated against the default IDP |
| Identity Provider or External Directory | No | Yes | Users will see an "invalid domain entered" error |
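The rules in the table above, modelled as a small resolver. This is an added illustration, not miniOrange code; the IdpConfig structure and the resolve_idp function are assumptions made for the example, and the comma-separated Domain Mapping field is parsed the way the configuration steps describe it.

```python
# Added example: a model of the documented Domain Mapping rules.
# Not miniOrange code; IdpConfig and resolve_idp are assumed names.
from dataclasses import dataclass

MINIORANGE = "miniOrange"  # the built-in internal directory (tenant default)


@dataclass
class IdpConfig:
    name: str
    # The "Domain Mapping" field exactly as typed in the admin console,
    # e.g. "miniorange.com, xecurify.com"; empty means no mapping.
    domain_mapping: str = ""

    def domains(self) -> set[str]:
        return {d.strip().lower() for d in self.domain_mapping.split(",") if d.strip()}


def email_domain(login: str) -> str:
    """Accept a bare domain or an email address and normalise it to a domain."""
    return login.rsplit("@", 1)[-1].strip().lower()


def resolve_idp(login: str, default_idp: str, idps: list[IdpConfig]) -> str:
    """Return the name of the IDP the credentials go to, following the rules
    table row by row. Raises ValueError for the 'invalid domain entered' row."""
    domain = email_domain(login)
    by_name = {idp.name: idp for idp in idps}

    # Column "Domain found in any IDP?"
    mapped = [idp.name for idp in idps if domain in idp.domains()]
    if mapped:
        # Rows 2 and 3: the domain is mapped, so that IDP wins regardless
        # of what the default IDP is.
        return mapped[0]

    if default_idp == MINIORANGE:
        # Row 1: unmapped domain, internal directory handles it.
        return MINIORANGE

    # Default IDP is an external Identity Provider / External Directory.
    default_cfg = by_name.get(default_idp)
    if default_cfg is not None and default_cfg.domains():
        # Row 5: the default IDP restricts itself to mapped domains and the
        # user's domain is mapped nowhere, so login is rejected.
        raise ValueError(f"invalid domain entered: {domain}")

    # Row 4: default IDP has no mapping of its own, so it accepts everything.
    return default_idp
```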


IdP Selection Page

miniOrange gives you granular control over which configured Identity Providers appear on the selection page. For each IDP configuration, enable the Show IDP to Users option under Identity Providers. The steps then differ by application type (SAML, OAuth/OpenID Client, JWT):

SAML Application

While configuring the SAML application, you will need to change the SAML Login URL in your application. Note that if your application expects a Metadata File/URL to be imported, you will still have to change the SAML Login URL manually.

Below are the steps to find the new SAML Login URL for the IDP Selection Page:

  • In the miniOrange admin dashboard, go to Apps >> Applications.
    [Screenshot: Click Apps]
  • Search for your app and click on the three-dot icon >> Metadata in the Actions menu against your app.
    [Screenshot: Go to Metadata]
  • Here you will see two options. If you are setting up miniOrange as the IDP, copy the metadata details related to miniOrange; if you need users to be authenticated via external IDPs (Okta, Microsoft Entra ID, Active Directory, ADFS, OneLogin, Google Workspace), get the metadata from the second section as shown below.
    [Screenshot: Get Metadata details]
  • Scroll down and find the last URL, labelled SAML Login URL (IDP Selection Page).
    [Screenshot: Scroll to SAML Login URL]
  • Configure this SAML Login URL in your application; during SSO it will show users a list of the configured IDPs.

OAuth / OpenID Client Application

While configuring any OAuth / OpenID Client application, there are two options.

  • If you're using the OAuth flow, you will need to select the specific authorization endpoint to see an IDP selection page during login. Follow the steps below:
    • In the miniOrange admin dashboard, go to Apps >> Applications.
      [Screenshot: Click Apps]
    • Search for your app and click on the three-dot icon in the Actions menu against your app.
    • Click on OAuth Endpoints.
      [Screenshot: Select OAuth Endpoint]
    • From the Authorization Endpoint list, select the last one as shown in the image below:
      [Screenshot: Go to Authorization endpoints]

  • If you're using OIDC and want to use the well-known configuration, follow the steps below:
    • Go to the miniOrange admin dashboard and navigate to Apps >> Applications.
      [Screenshot: Click Apps]
    • Search for your app and click on the three-dot icon >> Edit in the Actions menu against your app.
      [Screenshot: Select Edit]
    • Scroll down to the bottom and click on Show Customize OIDC Discovery Response.
    • This shows three options; select miniOrange as Broker with Discovery Flow.
      [Screenshot: Select miniOrange as Broker with Discovery Flow from the dropdown]
    • Click on Save and, on the next screen, click on the three-dot icon >> OAuth Endpoints beside your app.
      [Screenshot: Click on Save]
    • Use the Discovery Endpoint as the well-known configuration endpoint in your application.
      [Screenshot: Copy Discovery Endpoint]

JWT Application

  • Go to the miniOrange admin dashboard and select Apps >> Applications.
    [Screenshot: Click Apps]
  • Click on the three-dot icon >> Edit against the JWT application in question.
    [Screenshot: Choose Edit - JWT Application]
  • Scroll down to the very bottom and select the Discovery Endpoint as the SSO URL in your application.
    [Screenshot: Select Discovery Endpoint as SSO URL - JWT Application]
  • When users attempt to log in to any app, they will see the IDP selection page, as shown in the image:
    [Screenshot: IDP selection page shown when users attempt to log in]
