This guide describes the technical requirements necessary to…
- integrate your existing domain logins with iQmetrix products using Third Party Authentication (3PA) and
- manage users in iQmetrix platform services using Automated Provisioning (Auto-provisioning)
Who Is This Guide For?
You may be interested in this guide if you want to…
- Simplify or automate your IT processes
- Reduce the amount of time needed to manage users, credentials and access rights
- Allow your users to log into RQ with their Identity Provider credentials
- Manage your users in a single place
3PA vs Auto-Provisioning
Third Party Authentication (3PA) is an iQmetrix term referring to the ability of a user to be authenticated by any iQmetrix product using the client’s Identity Provider.
Automated Provisioning or auto-provisioning is a process for managing users automatically. Third Party Authentication (3PA) is required to enable auto-provisioning.
3PA involves creating a trusted relationship between two systems which can enable your users to log into iQmetrix products with their Identity Provider credentials. This is commonly known as Single Sign On.
Single Sign On (SSO) permits a user to enter one name and password to access multiple applications.
One popular example of SSO is the “Log In With Facebook” button used by many websites to allow users access to a website without creating an account.
- Sarah’s Company uses RQ with Third Party Authentication and Auto Provisioning enabled using an Identity Provider for authentication
- Sarah gets a promotion and is given a manager security role within the Identity Provider
- She enters her credentials in RQ, which asks the Identity Provider “is this name/password valid?”
- The Identity Provider confirms and says “also, Sarah now has a manager security role”
- RQ can then update the security for Sarah, so she is able to access areas of RQ restricted to managers
Enabling Third Party Authentication will limit your ability to:
- Access iQmetrix Business Intelligence (BI)
- Manage passwords in iQmetrix Products
- Obtain support from iQmetrix if there are problems with the Identity Provider
While Third Party Authentication can provide your users access to iQmetrix products, it does not have the ability to manage what those users can see or do once they are logged in.
Managing users can be done through…
When combined with 3PA, Automated Provisioning allows you to manage users in iQmetrix services by auto-provisioning them from your existing Identity Provider.
For troubleshooting errors and problems, see Automated Provisioning FAQ.
Automated Provisioning requires your organization to have…
- Third Party Authentication enabled
- A domain name that is unique within iQmetrix’s systems
You will need to work with your Account Manager to map your Identity Provider roles to Security Roles.
To maintain this mapping, you will need to update iQmetrix Hub when new roles are added or existing roles are updated. For more information, see Hub Authentication Setup. If you are using an RQ version earlier than 6.4, you also need to maintain RQ to Hub security role mappings. For more information, see Security Mapping Setup.
In addition, you will need to set and maintain a mapping using the ClientEntityId property on CompanyTreeNode resources. This can be done using the Company Tree API or by updating the External Node Identifier in Company Setup in iQmetrix Hub.
All user information that is supplied with authentication should be maintained in your Identity Provider.
Enabling Automated Provisioning will result in…
- A slight configuration delay during login
- Limited ability to use the User Manager API: changes that do not match the Identity Provider will revert the next time the user logs in
- An error message if there is a problem configuring a user; the message will indicate how to solve the problem
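The login-time behaviour described above (the Identity Provider is the source of truth, local edits revert, and an unmappable user produces an actionable error) can be modelled as follows. This is an added illustration, not iQmetrix code: `ROLE_MAP`, `NODE_MAP`, `User`, `provision_on_login` and all sample values are hypothetical, and it assumes one Identity Provider role per user and that the Identity Provider sends identifiers matching a node's ClientEntityId.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed sample data. Real mappings are agreed with the Account Manager.
ROLE_MAP = {"idp-sales": "Sales Associate", "idp-manager": "Store Manager"}
NODE_MAP = {"STORE-0042": 1001, "STORE-0043": 1002}  # ClientEntityId -> node id


class ProvisioningError(Exception):
    """Login is refused; the message says what to fix."""


@dataclass
class User:
    username: str
    security_role: Optional[str] = None
    node_ids: Set[int] = field(default_factory=set)


def provision_on_login(user: User, idp_role: str, idp_entity_ids: List[str]) -> List[str]:
    """Make the local record match the IdP and return the fields that changed.

    Everything is validated before anything is written, so a bad assertion
    fails closed and never leaves a half-updated user behind.
    """
    if idp_role not in ROLE_MAP:
        raise ProvisioningError(
            f"IdP role {idp_role!r} is not mapped to a Security Role; add the mapping.")
    unknown = sorted(e for e in idp_entity_ids if e not in NODE_MAP)
    if unknown:
        raise ProvisioningError(
            f"No company tree node has ClientEntityId {unknown}; set it on the node.")
    wanted = {"security_role": ROLE_MAP[idp_role],
              "node_ids": {NODE_MAP[e] for e in idp_entity_ids}}
    changed = [name for name, value in wanted.items() if getattr(user, name) != value]
    for name in changed:
        setattr(user, name, wanted[name])  # the IdP value wins over local edits
    return changed


if __name__ == "__main__":
    sarah = User("sarah", "Sales Associate", {1001})  # constructed user
    print(provision_on_login(sarah, "idp-manager", ["STORE-0042"]), sarah)
```

The returned list of changed fields is a natural thing to write to an audit log, since a non-empty result on a routine login means either an Identity Provider change or local drift that was just overwritten.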
iQmetrix supports OAuth 2.0 and WS-Trust for Third Party Authentication and Automated Provisioning. See the guides below for more information.