Overview
This guide describes the technical requirements necessary to…
- integrate your existing domain logins with iQmetrix products with Third Party Authentication (3PA) and
- manage users in iQmetrix platform services with Automated Provisioning (Auto-provisioning)
Who Is This Guide For?
You may be interested in this guide if you want to…
- Simplify or automate your IT processes
- Reduce the amount of time needed to manage users, credentials and access rights
- Allow your users to log into RQ with their Identity Provider credentials
- Manage your users in a single place
3PA vs Auto-Provisioning
Third Party Authentication (3PA) is an iQmetrix term referring to the ability of a user to be authenticated by any iQmetrix product using the client’s Identity Provider.
Automated Provisioning or auto-provisioning is a process for managing users automatically. Third Party Authentication (3PA) is required to enable auto-provisioning.
3PA involves creating a trusted relationship between two systems which can enable your users to log into iQmetrix products with their Identity Provider credentials. This is commonly known as Single Sign On.
Single Sign On (SSO) permits a user to enter one name and password to access multiple applications.
One popular example of SSO is the “Log In With Facebook” button used by many websites to allow users access to a website without creating an account.
Example
- Sarah’s Company uses RQ with Third Party Authentication and Auto Provisioning enabled using an Identity Provider for authentication
- Sarah gets a promotion and is given a manager security role within the Identity Provider
- She enters her credentials in RQ, which asks the Identity Provider “is this name/password valid?”
- The Identity Provider confirms and says “also, Sarah now has a manager security role”
- RQ can then update the security for Sarah, so she is able to access areas of RQ restricted to managers
Implications
Enabling Third Party Authentication will limit your ability to:
- Access iQmetrix Business Intelligence (BI)
- Manage passwords in iQmetrix Products
- Obtain support from iQmetrix if there are problems with the Identity Provider
Managing Users
While Third Party Authentication can provide your users access to iQmetrix products, it does not have the ability to manage what those users can see or do once they are logged in.
Manging users can be done through…
- iQmetrix applications such as RQ
- User Manager API
- Hub
- Enabling Automated Provisioning
Automated Provisioning
When combined with 3PA, Automated Provisioning allows you to manage users in iQmetrix services by auto-provisioning them from your existing Identity Provider.
For troubleshooting errors and problems, see Automated Provisioning FAQ.
Requirements
Automated Provisioning requires your organization to have…
- Third Party Authentication enabled
- A domain name that is unique within iQmetrix’s systems
You will need to work with your Account Manager to map your Identity Provider roles to Security Roles.
To maintain this mapping, you will need to update iQmetrix Hub when new roles are added or existing roles are updated, for more information see Hub Authentication Setup. If using an RQ version earlier than 6.4, you also need to maintain RQ to Hub security role mappings, for more information see Security Mapping Setup.
All user information that is supplied with authentication should be maintained in your Identity Provider.
Implications
Enabling Automated Provisioning will result in…
- A slight configuration delay during login
- Limited ability to use the User Manager API - changes that do not match the Identity Provider will revert back the next time the user logs in
- An error message if there is a problem configuring a user, the message will indicate how to solve the problem
Integration Options
iQmetrix supports Windows Server 2012 R2 ADFS and Okta for Third Party Authentication and Automated Provisioning, see the guides below for more information.