Configure Unifi Identity Enterprise for Omni
How to configure Unifi Identity Enterprise for Omni using SAML.
Last updated
How to configure Unifi Identity Enterprise for Omni using SAML.
Last updated
This section describes how to use Unifi Identity Enterprise (here forward UIIE) SSO with Omni via SAML
First, login to the UIIE Manager portal and navigate to the SSO Apps section in the left menu.
Next, Add a new app. Choose “Add Custom App”
Next, click Add on the “SAML 2.0” option for Sign-on Method
You’ll now be in the Add SAML 2.0 App screen where we’ll define the app.
Name
Omni
A descriptive name for the Web App
Icon
<your choice>
Upload an icon of your choosing
Single Sign-On URL
https://<fqdn for omni>/saml/acs
The fully-qualified domain name at which your omni instance will reside
Audience URI (SP Entity ID)
https://<fqdn for omni>/saml/metadata
The fully-qualified domain name for metadata retrieval
Default Relay State
Leave this blank
Name ID Format
Unspecified
Unspecified works, you can probably also choose emailAddress
App Username
Works best with emails as usernames however prefixes might work too
SCIM Connection
Off
Not used
After entering the above values and clicking the “Add” button, you’ll be taken to another screen with some details. We don’t need anything from here, we’ll get info we need later after further configuration, so just click “Done” to proceed.
You’ll now be on the screen to manage the app, here you’ll want to assign users/groups according to who you would like to have the ability to login to Omni. To start with, you probably only want to assign the person who will be the primary admin, as the first user to login will be granted that role in Omni. Therefore, best practice would be to assign your primary admin, have them login to Omni, then come back into the app here and assign any other users who should have access.
Once you’ve assigned the user(s) accordingly, click the “Settings” bubble at the top of the screen as some final configuration is needed here.
Expand the “Sign On” section at the bottom of the settings page via the “Show More” down arrow.
At the bottom of this section, you’ll see an “Attibute Statements” block, here the mappings from UIIE to Omni fields needs to be entered as below. Use the “Add Another” button to create new ones.
Unspecified
The user’s email address
firstName
Unspecified
First Name
The user’s first name
lastName
Unspecified
Last Name
The user’s last name
Lastly, you’ll need the IDP Metadata file which can be obtained via the View Setup Instructions link or downloaded as an xml file via the Identity Provider metadata link; both of which are slightly further up the page.
A copy of this file needs to be on the host which will run the Omni container as we’ll feed it in to the container at runtime. You can copy paste contents or download/upload the file whichever is easiest. For the remainder of this guide, we’ll assume this file ends up at the following location on your container host: ~/uiieIDPmetadata.xml
This completes the configurations required in UIIE
To get Omni to use UIIE as a SAML provider, the following flags should be passed to Docker & the Omni container on launch.
Docker
-v $PWD/uiieIDPmetadata.xml:/uiieIDPmetadata.xml
Make available the IDP metadata file in container
Omni
--auth-saml-enabled=true
Enable SAML authentication.
Omni
--auth-saml-metadata-/uiieIDPmetadata.xml
The path to the IDP metadata file.
For example;
Copy
Unfortunately UIIE does not expose group attributes, so you will have to manually assign Omni groups/roles to the users as they are created on first login.