A new feature has been added to Identity Service. In addition to an account password, two-factor authentication prompts a user to enter a one-time password, usually from a separate device such as a smartphone. By enabling this feature, you maximize protection against unauthorized access to your account.

    

This is a highly effective way to protect your staff members because even if a password is stolen, it will not be enough for an intruder to gain access to a system.


To configure a two-factor authentication, complete the following steps:

  1. Log in to the Ingram Micro Cloud Marketplace.
    • In the browser’s address bar, enter your URL https://xx.cloud.im (Where “xx” is the two-letter Cloud Marketplace country code, that is, US, UK, CA, IN, MX, and so on).
    • Click the LOG IN button at the top right corner of the page.
      • For partners after March 2020: click LOG IN WITH CMP ACCOUNT to log in to your Reseller Control Panel.
      • For partners before March 2020: click LOG IN WITH IMONLINE to log in to IMONLINE single sign on. (For authentication instructions, refer to this guide.)
  2. Go to the Reseller Control Panel by clicking the Control Panel link.
  3. Click the Classic Panel link to switch to the Classic Reseller Control Panel.
  4. In Classic Reseller Control Panel, go to Services > Identity Service > Password Policy.
  5. Specify the following password-related settings under:
    • Password policy for your own users: to enable two-factor authentication for your staff members
    • Password policy for child account users: to enable two-factor authentication for your end customers
    • Two-Factor Authentication
      • Enable: If selected, a two-factor authentication is enabled.
      • One Time Password Type: Select Time Based or Counter Based.
      • Look-ahead Window
        1. For Time Based: Specify how many intervals ahead should the server try to match the hash.
        2. For Counter Based: Specify how many counters ahead should the server try to match the hash.
      • Initial Counter (for Counter Based only): Specify the value of the initial counter.
    • Log out and log in again to configure integration with a Two-Factor Authentication application on your smartphone.

Setting Up Integration with Azure AD Using SAML

IDP version 1.2-71 is required for integration with Azure AD.


Step 1 - Choose a Brand

  1. Enable the Identity Service.
  2. Select an existing brand for which you plan to set up the integration. For example, "mybrand.com".

Step 2 - Create an Enterprise Application in Azure AD

  1. Go to Microsoft Azure portal, select your tenant and open Azure Active Directory from the menu on the left.
  2. Select Enterprise applications and click New application.
  3. Choose Non-gallery application and specify its name as "oss-brand-<brand domain>".
  4. Select Users and Groups, click Add user and add the "CanSSOtoCBC" group to allow Azure AD users of this group to log in to your Control Panel.
  5. Select Single Sign-On, then choose the SAML SSO method. In the Basic SAML Configuration tile, enter the following values: 

    Parameter

    Value

    Identifier (Entity ID)

    https://<brand_domain>/auth/realms/sr<brand_id>

    Reply URL (Assertion Consumer Service URL)

    https://<brand_domain>/auth/realms/sr<brand_id>/broker/saml/endpoint

    Sign on URL

    https://<brand_domain>/auth/realms/sr<brand_id>/broker/saml/endpoint


    (Where: “<brand_id>” is the brand identifier in the system).
  6. Go to the SAML Signing Certificate tile and download the Base 64 SAML Signing Certificate to put on a management node.
  7. Go to the Set up oss-brand-mybrand.com tile and copy the login URL value from it.
  8. To sum up, you must obtain the following parameters from Azure AD: 

    Parameter

    Value example

    Login URL

    login.microsoftonline.com/9a3c0433-26a5-4deb-b203-591c46652afc/saml2

    Certificate (Base64)

    file: oss-mybrand.com.cer


Step 3 - Configure External IDP Service

  1. Log in to the Cloud Marketplace and go to the Control Panel, then go to Services > Identity Service.
  2. In the External IDP Service tab, select a brand.
  3. Check the External IDP service enabled checkbox and specify these parameters: 

    Parameter

    Example

    Notes

    External IDP Login URL

    login.microsoftonline.com/9a3c0433-26a5-4deb-b203-591c46652afc/saml2

    The Login URL value from Step 2

    External IDP Logout URL

    login.microsoftonline.com/9a3c0433-26a5-4deb-b203-591c46652afc/saml2

    The Login URL value from Step 2

    External IDP display name

    Azure AD

    A human-readable name

    External IDP certificate in PEM format

    -----BEGIN CERTIFICATE----- MIIDjjCCAnYCCQCErQYi+gB/0jANBgkqhkiG9w0BAQUFADCBiDELMAkGA1UEBhMC .... -----END CERTIFICATE-----

    The Certificate (Base64) value from Step 2

    External IDP username SAML assertion attribute

    schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

    The SAML assertion attribute that designates the user log-in name in OSS


Step 4 - Create a User

Now, you can create a user. The user log-in name must be equal to the value of the SAML assertion attribute set for External IDP username SAML assertion attribute in the previous step.


Important: Users are not created automatically; they must be created beforehand.