A new feature has been added to Identity Service. In addition to an account password, two-factor authentication prompts a user to enter a one-time password, usually from a separate device such as a smartphone. By enabling this feature, you maximize protection against unauthorized access to your account.
This is a highly effective way to protect your staff members because even if a password is stolen, it will not be enough for an intruder to gain access to a system.
To configure a two-factor authentication, complete the following steps:
- Log in to the Ingram Micro Cloud Marketplace.
- In the browser’s address bar, enter your URL https://xx.cloud.im (Where “xx” is the two-letter Cloud Marketplace country code, that is, US, UK, CA, IN, MX, and so on).
- Click the LOG IN button at the top right corner of the page.
- For partners after March 2020: click LOG IN WITH CMP ACCOUNT to log in to your Reseller Control Panel.
- For partners before March 2020: click LOG IN WITH IMONLINE to log in to IMONLINE single sign on. (For authentication instructions, refer to this guide.)
- Go to the Reseller Control Panel by clicking the Control Panel link.
- Click the Classic Panel link to switch to the Classic Reseller Control Panel.
- In Classic Reseller Control Panel, go to Services > Identity Service > Password Policy.
- Specify the following password-related settings under:
- Password policy for your own users: to enable two-factor authentication for your staff members
- Password policy for child account users: to enable two-factor authentication for your end customers
- Two-Factor Authentication
- Enable: If selected, a two-factor authentication is enabled.
- One Time Password Type: Select Time Based or Counter Based.
- Look-ahead Window:
- For Time Based: Specify how many intervals ahead should the server try to match the hash.
- For Counter Based: Specify how many counters ahead should the server try to match the hash.
- Initial Counter (for Counter Based only): Specify the value of the initial counter.
- Log out and log in again to configure integration with a Two-Factor Authentication application on your smartphone.
Setting Up Integration with Azure AD Using SAML
IDP version 1.2-71 is required for integration with Azure AD.
Step 1 - Choose a Brand
- Enable the Identity Service.
- Select an existing brand for which you plan to set up the integration. For example, "mybrand.com".
Step 2 - Create an Enterprise Application in Azure AD
- Go to Microsoft Azure portal, select your tenant and open Azure Active Directory from the menu on the left.
- Select Enterprise applications and click New application.
- Choose Non-gallery application and specify its name as "oss-brand-<brand domain>".
- Select Users and Groups, click Add user and add the "CanSSOtoCBC" group to allow Azure AD users of this group to log in to your Control Panel.
- Select Single Sign-On, then choose the SAML SSO method. In the Basic SAML Configuration tile, enter the following values:
Identifier (Entity ID)
Reply URL (Assertion Consumer Service URL)
Sign on URL
(Where: “<brand_id>” is the brand identifier in the system).
- Go to the SAML Signing Certificate tile and download the Base 64 SAML Signing Certificate to put on a management node.
- Go to the Set up oss-brand-mybrand.com tile and copy the login URL value from it.
- To sum up, you must obtain the following parameters from Azure AD:
Step 3 - Configure External IDP Service
- Log in to the Cloud Marketplace and go to the Control Panel, then go to Services > Identity Service.
- In the External IDP Service tab, select a brand.
- Check the External IDP service enabled checkbox and specify these parameters:
External IDP Login URL
The Login URL value from Step 2
External IDP Logout URL
The Login URL value from Step 2
External IDP display name
A human-readable name
External IDP certificate in PEM format
-----BEGIN CERTIFICATE----- MIIDjjCCAnYCCQCErQYi+gB/0jANBgkqhkiG9w0BAQUFADCBiDELMAkGA1UEBhMC .... -----END CERTIFICATE-----
The Certificate (Base64) value from Step 2
External IDP username SAML assertion attribute
The SAML assertion attribute that designates the user log-in name in OSS
Step 4 - Create a User
Now, you can create a user. The user log-in name must be equal to the value of the SAML assertion attribute set for External IDP username SAML assertion attribute in the previous step.
Important: Users are not created automatically; they must be created beforehand.