You can view the existing Admin users. Only Enterprise Superusers can create new Admin users with different roles, and configure API tokens for each Admin user.
To access the Users tab:
In the Enterprise portal, on the Global Navigation bar, expand the Enterprise Applications drop-down menu.
Select Global Settings service.
From the left menu, select User Management. The Users tab is displayed by default.
Figure 2. User Management > Users
On the Users screen, you can perform the following activities:
Table 1. Users Option Descriptions
Option
Description
New User
Creates a new Admin user. For more information, see Add New User.
Modify
Allows you to modify the properties of the selected Admin user. You can also select the link to the username to modify the properties.
Password Reset
Sends an email to the selected user with a link to reset the password. You can also choose to freeze the account until the password is reset.
Delete
Deletes the selected user. You cannot delete the default users.
More
Select this option, and then select Download to download the details of all the users into a file in CSV format.
The following are the other options available in the Users tab:
Table 2. Users Additional Option Descriptions
Option
Description
Search
Enter a search term to search for the matching text across the table. Use the advanced search option to narrow down the search results.
Columns
Select the columns to be displayed or hidden on the page.
Refresh
Select to refresh the page to display the most current data.
Add New User
Standard Administrator Superusers and Standard Administrators can create new Admin users. The SSH username is automatically created for the user. To add a new user, perform the following steps:
Note: These steps are valid for all customers, though customers created in a 5.2.0 Orchestrator where they are not assigned to a Partner have certain limitations. These limitations are outlined in an Important note at the end of the article.
In the Enterprise portal, go to Enterprise Applications > Global Settings.
From the left menu, select User Management, and then select the Users tab.
Select New User.
Figure 3. User Management > New User
Enter the following details for the new user:
Note: The Next button is activated only when you enter all the mandatory details in each section.
Table 3. New User Details
Option
Description
General information
Enter the required personal details of the user.
Note: Starting from the 4.5 release, the use of the special character "<" in the password is no longer supported. In cases where users have already used "<" in their passwords in previous releases, they must remove it to save any changes on the page.
Role
Select a role that you want to assign to the user. For information on roles, see the topic Roles.
Edge Access
Choose one of the following options:
Basic: Allows you to perform certain basic debug operations such as ping, tcpdump, pcap, remote diagnostics, and so on.
Privileged: Grants you the root-level access to perform all basic debug operations along with Edge actions such as restart, deactivate, reboot, hard reset, and shutdown. In addition, you can access linux shell.
The default value is Basic.
Select the Add another user check box if you wish to create another user, and then select Add User. The new user appears in the User Management > Users page. Select the link to the user to view or modify the details. As an Enterprise Administrator, you can manage the Roles, Service Permissions, and API Tokens for the Enterprise users.
Note: Enterprise Administrator should manually delete inactive Identity Provider (IdP) users from the Orchestrator to prevent unauthorized access via API Token.
Important: Customers created on a Release 5.2.0 Orchestrator who are not assigned to a Partner are automatically configured for Single Sign On (SSO) using Cloud Services Platform (CSP) as the Identity Provider (IdP). As a result:
New administrators are created by an administrator with a Superuser role through the CSP portal.
There is one exception to this: the customer is permitted one administrator account with Native authentication (username/password) to allow them to access their portal in the event there is an issue with CSP authentication.
For additional information about using CSP as an IdP in SD-WAN, see the topic Configure CSP for Single Sign On.
API Tokens
You can access the Orchestrator APIs using tokens instead of session-based authentication. As an Enterprise Superuser, you can manage the API tokens. You can create multiple API tokens for a user.
Note:
For Enterprise Read Only users and MSP Business Specialist users, token-based authentication is not activated.
Enterprise Superuser should manually delete inactive Identity Provider (IdP) users from the Orchestrator to prevent unauthorized access via API Token.
The users can create, revoke, and download the tokens based on their roles.
To manage the API tokens:
In the Enterprise portal, on the Global Navigation bar, expand the Enterprise Applications drop-down menu.
Select Global Settings service.
Navigate to User Management > Users.
Select a user and select Modify or select the link to the username. Go to the API Tokens section.
Figure 4. Modifying API Tokens
Select New API Token.
Figure 5. New API Tokens
In the New Token window, enter a Name and Description for the token, and then choose the Lifetime from the drop-down menu.
Select Save. The new token is displayed in the API Tokens table. Initially, the status of the token is displayed as Pending. Once you download it, the status changes to Enabled.
To download the token, select the token, and then select Download API Token.
To deactivate a token, select the token, and then select Revoke API Token. The status of the token is displayed as Revoked.
Select CSV to download the complete list of API tokens in a .csv file format.
When the Lifetime of the token is over, the status changes to Expired.
Note: Only the user who is associated with a token can download it and after downloading, the ID of the token alone is displayed. You can download a token only once. After downloading the token, the user can send it as part of the Authorization Header of the request to access the Orchestrator API.
The following example shows a sample snippet of the code to access an API.
The following are the other options available in the API Tokens section:
Table 4. API Tokens Option Descriptions
Option
Description
Search
Enter a search term to search for the matching text across the table. Use the advanced search option to narrow down the search results.
Columns
Select the columns to be displayed or hidden on the page.
Refresh
Select to refresh the page to display the most current data.
Roles
The Orchestrator consists of two types of roles.
Note: Starting from the 5.1.0 release, Functional Roles are renamed as Privileges, and Composite Roles are renamed as Roles.
The roles are categorized as follows:
Privileges – Privileges are a set of roles relevant to a functionality. A privilege can be tagged to one or more of the following services: SD-WAN and Global Settings. Users require privileges to carry out business processes. For example, a Customer support role in SD-WAN is a privilege required by an SD-WAN user to carry out various support activities. Every service defines such privileges based on its supported business functionality.
Roles– The privileges from various categories can be grouped to form a role. By default, the following roles are available for a Customer:
Table 5. Role Services
Role
SD-WAN Service
Global Settings Service
Enterprise Standard Admin
SD-WAN Enterprise Admin
Global Settings Enterprise Admin
Enterprise Superuser
SD-WAN Enterprise Superuser
Global Settings Enterprise Superuser
Enterprise Support
SD-WAN Enterprise Support
Global Settings Enterprise Support
Enterprise Read Only User
SD-WAN Enterprise Read Only
Global Settings Enterprise Read Only
Enterprise Security Admin
SD-WAN Security Enterprise Admin
Global Settings Enterprise Admin
Enterprise Security Read Only
SD-WAN Security Enterprise Read Only
Global Settings Enterprise Read Only
Enterprise Network Admin
SD-WAN Enterprise Admin
Global Settings Enterprise Admin
If required, you can customize the privileges of these roles. For additional information, see Service Permissions.
As a Customer, you can view the list of existing standard roles and their corresponding descriptions. You can add, edit, clone, or delete a new role. However, you cannot edit or delete a default role.
To access the Roles tab:
In the Enterprise portal, on the Global Navigation bar, expand the Enterprise Applications drop-down menu.
Select Global Settings service.
From the left menu, select User Management, and then select the Roles tab. The following screen appears:
Figure 6. Roles
On the Roles screen, you can perform the following activities:
Table 6. Roles Option Descriptions
Option
Description
Add Role
Creates a new custom role. For additional information, see Add Role.
Edit
Allows you to edit only the custom roles. You cannot edit the default roles. Also, you cannot edit or view the settings of a Superuser.
Clone Role
Creates a new custom role, by cloning the existing settings from the selected role. You cannot clone the settings of a Superuser.
Delete Role
Deletes the selected role. You cannot delete the default roles. You can delete only custom composite roles. Ensure that you have removed all the users associated with the selected role, before deleting the role.
Download CSV
Downloads the details of the user roles into a file in CSV format.
Note: You can also access the Edit, Clone Role, and Delete Role options from the vertical ellipsis of the selected Role.
Select the Open icon " >>" displayed before the Role link, to view additional details about the selected Role, as shown below:
Figure 7. Role Details
Select the View Role link to view the privileges associated to the selected role for the activated services.
Note: By default, only Global Settings & Administration service is activated for a Customer. Only an Operator can activate an additional service.
The following are the other options available in the Roles tab:
Table 7. Roles Additional Option Descriptions
Option
Description
Search
Enter a search term to search for the matching text across the table. Use the advanced search option to narrow down the search results.
Columns
Select the columns to be displayed or hidden on the page.
Refresh
Select to refresh the page to display the most current data.
Add Role
To add a new role for a Customer, perform the following steps:
In the Enterprise portal, on the Global Navigation bar, expand the Enterprise Applications drop-down menu.
Select Global Settings service.
From the left menu, select User Management, and then select the Roles tab.
Select Add Role.
Figure 8. Adding Role
Enter the following details for the new custom role:
Table 8. New Custom Role Options
Option
Description
Role Details
Role Name
Enter a name for the new role.
Role Description
Enter a description for the role.
Template
Optionally, select an existing role as template from the drop-down list. The privileges of the selected template are assigned to the new role.
Role Creation
Global Settings & Administration
These privileges provide access to user management and global settings that are shared across all services. Choosing one of the privileges is mandatory. By default, Global Settings Enterprise Read Only is selected.
SD-WAN
These privileges provide the Enterprise Administrator with different levels of access around SD-WAN configuration, monitoring, and diagnostics. You can optionally choose an SD-WAN privilege. The default value is No Privileges.
Note: The Role Creation section displays the privileges only for which the Customer has licenses.
Select Save Changes. The new custom role appears in the User Management > Roles page. Select the link to the custom role to view the settings.
Service Permissions
Service Permissions allow an Administrator to granularly define actions (Read, Create, Update, and Delete) assigned to each Privilege (such as Cloud Security Service and Customer Segment configuration) within a Privilege Bundle.
Note: Starting from the 5.1.0 release, Role Customization is renamed to Service Permissions.
You can customize only the permissions and not the roles. When you customize a permission, the changes would impact the roles associated with it. For additional information, see Roles.
Only an Operator Superuser can activate the Service Permissions for an Enterprise Superuser. If the Service Permissions option is not available for you, contact your Operator.
The Service Permissions are applied to the privileges as follows:
The customizations done at the Enterprise level override the Partner or Operator level customizations.
The customizations done at the Partner level override the Operator level customizations.
Only when there are no customizations done at the Partner level or Enterprise level, the customizations made by the Operator are applied globally across all users in the Orchestrator.
In the Enterprise portal, on the Global Navigation bar, expand the Enterprise Applications drop-down menu.
Select Global Settings service.
From the left menu, select User Management, and then select the Service Permissions tab. The following screen appears:
Figure 9. Service Permissions
On the Service Permissions screen, you can perform the following activities:
Table 9. Service Permissions Option Descriptions
Option
Description
Service
Select the service from the drop-down menu. The available services are:
All
Global Settings
SD-WAN
Edge Compute
Custom service permissions, if any, associated with the selected service are displayed. By default, all of the custom service permissions are displayed.
New Permission
Allows you to create a new permission. For additional information, see New Permission.
Edit
Allows you to edit the settings of the selected permission. You can also select the link to the Permission Name to edit the settings.
Clone
Allows you to create a copy of the selected permission.
Publish Permission
Applies the customization available in the selected package to the existing permission. This option modifies the privileges only at the current level. If there are customizations available at the Operator level or a lower level for the same role, then the lower level takes precedence.
More
Allows you to select from the following additional options:
Delete: Deletes the selected permission. You cannot delete a permission if it is already in use.
Note: A permission can only be deleted if it is in a draft mode. The Delete option is deactivated for a published permission. If you want to delete a published permission, you must reset the permission to system default, which changes it to draft mode and activates the Delete option for the permission.
Download JSON: Downloads the list of permissions into a file in JSON format.
Upload Permission: Allows you to upload a JSON file of a customized permission.
Reset to System Default: Allows you to reset the current published permissions to default settings. Only the permissions applied to the privileges in the current level (Operator, Partner, or Enterprise) of the Orchestrator are reset to the default settings. If Operators or Customers have customized their privileges in the Partner or Enterprise level in the Orchestrator, those settings remain the same.
The following are the other options available in the Service Permissions tab:
Table 10. Service Permissions Additional Options
Option
Description
Columns
Select and select the columns to be displayed or hidden on the page.
Note: The Role Associated column displays the Roles using the same Privilege Bundle.
Refresh
Select to refresh the page to display the most current data.
Note:
The Orchestrator does not support customization of multiple privilege bundles.
Service Permissions are version dependent, and a service permission created on an Orchestrator using an earlier software release will not be compatible with an Orchestrator using a later release. For example, a service permission created on an Orchestrator that is running Release 3.4.x does not work properly if the Orchestrator is upgraded to a 4.x Release. Also, a service permission created on an Orchestrator running Release 3.4.x does not work properly when the Orchestrator is upgraded to 4.x.x Release. In such cases, the user must review and recreate the service permission for the newer release to ensure proper enforcement of all roles.
New Permission
You can customize the privileges and apply them to the existing permission in the Orchestrator.
To add a new permission, perform the following steps:
In the Enterprise portal, on the Global Navigation bar, expand the Enterprise Applications drop-down menu.
Select Global Settings service.
From the left menu, select User Management, and then select the Service Permissions tab.
Select New Permission. The following screen appears:
Figure 10. New Service Permissions
Enter the following details to create a new permission:
Table 11. New Permission Option Descriptions
Option
Description
Name
Enter an appropriate name for the permission.
Note: The permission name must be unique within the Orchestrator it is hosted upon.
Description
Enter a description. This field is optional.
Service
Select a service from the drop-down menu. The available services are:
Global Settings
SD-WAN
Edge Compute
Privilege Bundle
Select a privilege bundle from the drop-down menu. The privileges are populated depending on the selected Service.
Privileges
Displays the list of privileges based on the selected Privilege Bundle. You can edit only those privileges that are eligible for customization.
Select Download CSV to download the list of all privileges, their description, and associated actions, into a file in CSV format.
Select Save to save the new permission. Select Save and Apply to save and publish the permission.
Note: The Save and Save and Apply buttons are activated only after you modify the permissions.
The new permission is displayed on the Service Permissions page.
List of User Privileges
This section lists all the user privileges available in the Enterprise portal.
Below is a table listing the user privileges. The columns in the table indicate the following:
Allow Privilege – Do the privileges have allow access?
Deny Privilege – Do the privileges have deny access?
Customizable – Is the privilege available for customization in the Service Permissions tab along with the Create, Read, Update, Delete customizations?
Note: The features that can be completely customized by an Enterprise Superuser have been listed in a separate table at the end of this topic.
Table 12. Permission Information
Navigation Path in the Enterprise Portal
Name of the Tab
Elements in the Tab
Name of the Privilege
Description
Allow Privilege
Deny Privilege
Customizable
Monitor > Edges > Select Edge
Overview
Read Edge
Grants ability to view and manage Edge objects and their properties in general
Yes
No
No
Top Applications
Top Categories
Top Operating Systems
Top Sources
Read Edge
Grants ability to view and manage Edge objects and their properties in general
Yes
No
No
View Flow Stats
Grants ability to view collected flow statistics
Yes
Yes
Yes
Sources
Read Edge
Grants ability to view and manage Edge objects and their properties in general
Yes
No
No
View Edge Sources
Grants ability to view Monitor Edge Sources tab
Yes
Yes
Yes
Devices
View User Identifiable Flow Stats
Grants ability to view potentially user identifiable flow source attributes
Yes
Yes
Yes
Create Client Device
Controls visibility to unique identifiers (IP or MAC address) of LAN-side client devices
Yes
No
No
Read Client Device
Change Hostname
Update Client Device
Delete Client Device
Manage Client Device
Operating Systems
Create Client User
Controls visibility to potentially Personal Identifiable Information(PII) in flow statistics
Yes
No
No
Read Client User
Update Client User
Delete Client User
Manage Client User
Applications Sources Destinations
Read Edge
Grants ability to view and manage Edge objects and their properties in general
Controls creation of and access to diagnostics bundles, both Edge and Gateway. Combine with Edge and Gateway privileges to control access to each type individually
Yes
Yes
Yes
Generate Diagnostic Bundle
Create Diagnostic Bundle
No
Yes
Yes
Remote Diagnostics
Read Remote Diagnostics
Privilege granting access to view and execute remote diagnostics
No
Yes
Yes
Monitor
Edges
Read Edge
Grants ability to view and manage Edge objects and their properties in general
Yes
No
No
Edge Cluster
Read Edge Cluster
Controls the ability to create and configure Edge Clusters
No
Yes
Yes
Network Services
Read Network Service
Grants ability to view and manage services with the Network Services configuration block
Yes
No
No
Non SD-WAN Destinations via Gateway Non SD-WAN Destinations via Edge
Read Customer Event
Grants ability to view customer level events
Yes
No
No
Non SD-WAN Destinations via Gateway Non SD-WAN Destinations via Edge
Read Non SD-WAN Destination via Gateway
Grants ability to view and manage Non SD-WAN Destinations via Gateway and Non SD-WAN Destinations via Edge
No
Yes
Yes
BGP Gateway Neighbor State
Read Network Service
Grants ability to view and manage services with the Network Services configuration block
Yes
No
No
BGP Edge Neighbor State
Read Edge
Grants ability to view and manage Edge objects and their properties in general
Yes
No
No
Edge VNFs
Read VNF Network Service
Grants ability to manage VNF Network Services
No
Yes
Yes
Edge Cluster
Read Edge Cluster
Controls the ability to create and configure Edge Clusters
No
Yes
Yes
Routing
Read Network Addressing
Grants ability to view and manage address block configuration in the legacy Network profile mode
Yes
No
No
Read Edge
Grants ability to view and manage Edge objects and their properties in general
Yes
No
No
View Customer Routing
Grants ability to view the customer Routing
Yes
No
No
Alerts
Create Customer Alert
Grants ability to view and manage customer alert configuration and generated alerts
Yes
No
No
Read Customer Alert
Yes
Yes
Update Customer Alert
Delete Customer Alert
No
No
Manage Customer Alert
Events
Create Customer Event
Grants ability to view customer level events
Yes
No
No
Read Customer Event
Update Customer Event
Delete Customer Event
Manage Customer Event
Reports
Update Customer
Grants ability to view and manage Customers, from the Partner or Operator level
Yes
Yes
Yes
Read Customer
No
No
Firewall
Firewall Logging
View Firewall Logs
Grants ability to view collected firewall logs
Yes
Yes
Yes
Read Edge
Grants ability to view and manage Edge objects and their properties in general
Yes
No
No
Read Customer Event
Grants ability to view customer level events
Yes
No
No
Configure > Edge > Select Edge
Edge Overview
Edge Overview
Controls ability to view or modify Edge overview page
No
Yes
Yes
Properties
Create Edge Overview Properties
Controls ability to view or change items within the properties section of the Edge overview page
No
Yes
Yes
Read Edge Overview Properties
No
No
Update Edge Overview Properties
Yes
Yes
Delete Edge Overview Properties
Name
Read Edge Overview Properties Name
Controls ability to view or change Edge name on the Edge overview page
No
Yes
Yes
Update Edge Overview Properties Name
Description
Read Edge Overview Properties Description
Controls ability to view or change Edge description on the Edge overview page
No
Yes
Yes
Update Edge Overview Properties Description
Enable Alerts
Read Edge Overview Properties Enable Alerts
Controls ability to view or change Edge alert configuration on the Edge overview page
No
Yes
Yes
Update Edge Overview Properties Enable Alerts
Authentication Mode
Read Edge Overview Properties Auth Mode
Controls ability to view or change Edge PKI configuration on the Edge overview page
No
Yes
Yes
Update Edge Overview Properties Auth Mode
Read Customer PKI
Grants ability to view and manage enterprise PKI settings
Yes
No
No
Update Customer PKI
Serial Number
Read Edge Overview Properties Serial Number
Controls ability to view or change Edge serial number, prior to activation, on the Edge overview page
Privilege granting or denying visibility and control of an Edges Stateful Firewall Settings, Network & Flood Protection Settings and Edge Access on the Edge firewall page
No
Yes
Yes
Read Edge Firewall Edge Access
Update Edge Firewall Edge Access
Delete Edge Firewall Edge Access
Events from this Edge
Read Customer Event
Grants ability to view customer level events
Yes
No
No
Remote Actions
Read Remote Actions
Privilege granting access to view and execute remote actions
Controls creation of and access to diagnostics bundles, both Edge and Gateway. Combine with Edge and Gateway privileges to control access to each type individually
Yes
Yes
Yes
Generate Diagnostic Bundle
Create Diagnostic Bundle
No
Yes
Yes
Remote Diagnostics
Read Remote Diagnostics
Grants access to view and execute remote diagnostics
No
Yes
Yes
Configure > Profiles > Select Profile
Profile Overview
Profile Overview
Controls ability to view or change profile overview page
No
Yes
Yes
Description
Create Profile Overview Description
Controls ability to view or change Profile Overview Description
No
Yes
Yes
Read Profile Overview Description
No
No
Update Profile Overview Description
Yes
Yes
Delete Profile Overview Description
Local Credentials
Read Overview Properties Local Credentials
Grants ability to view and configure Edge local credentials
No
Yes
Yes
Update Overview Properties Local Credentials
Device
Authentication Settings
Create Profile Device Authentication Settings
Controls ability to view or change Profile Device Authentication Settings
No
Yes
Yes
Read Profile Device Authentication Settings
Update Profile Device Authentication Settings
Delete Profile Device Authentication Settings
DNS Settings
Update Profile Device DNS Settings
Controls ability to view or change Profile Device DNS Settings
No
Yes
Yes
Netflow Settings
Create Profile Device Netflow Settings
Controls ability to view or change Profile Device Netflow Settings
No
Yes
Yes
Read Profile Device Netflow Settings
Update Profile Device Netflow Settings
Delete Profile Device Netflow Settings
LAN-Side NAT Rules
Update Profile Device LAN-Side NAT Rules
Controls ability to view or change Profile Device LAN-Side NAT Rules
No
Yes
Yes
Voice Quality Monitoring Settings
Read Profile Device VQM Settings
Controls ability to view or change Profile Device VQM Settings
No
Yes
Yes
Update Profile Device VQM Settings
Syslog Settings
Read Profile Device Syslog Settings
Controls ability to view or change Profile Device Syslog Settings
No
Yes
Yes
Update Profile Device Syslog Settings
Cloud VPN
Read Profile Device Cloud VPN
Controls ability to view or change Profile Device Cloud VPN
No
Yes
Yes
Update Profile Device Cloud VPN
BFD Rules
Update Profile Device BFD Rules
Controls ability to view or change Profile Device BFD Rules
No
Yes
Yes
OSPF Areas
Read Profile Device OSPF Settings
Controls ability to view or change Profile Device OSPF Settings
No
Yes
Yes
Update Profile Device OSPF Settings
BGP Settings
Read Profile Device BGP Settings
Controls ability to view or change Profile Device BGP Settings
No
Yes
Yes
Update Profile Device BGP Settings
Multicast Settings
Read Profile Device Multicast Settings
Controls ability to view or change Profile Device Multicast Settings
No
Yes
Yes
Update Profile Device Multicast Settings
Cloud Security Service
Read Profile Device Cloud Security Service
Controls ability to view or change Profile Device Cloud Security Service
No
Yes
Yes
Update Profile Device Cloud Security Service
Gateway Handoff Assignment
Update Profile Device Gateway Handoff Assignment
Controls ability to view or change Profile Device Gateway Handoff Assignment
No
Yes
Yes
Configure VLAN
Read Profile Device Settings
Controls ability to view or change Profile Device Settings
No
Yes
Yes
Management IP
Read Profile Device Management IP
Controls ability to view or change Profile Device Management IP
No
Yes
Yes
Update Profile Device Management IP
Device Settings
Create Profile Device Settings
Controls ability to view or change Profile Device Settings
No
Yes
Yes
Read Profile Device Settings
Update Profile Device Settings
Delete Profile Device Settings
Interface Settings
Update Profile Device Interface Settings
Controls ability to view or change Profile Device Interface Settings
No
Yes
Yes
Wi-Fi Radio Settings
Create Profile Device Wi-Fi Settings
Controls ability to view or change Profile Device Wi-Fi Settings
No
Yes
Yes
Read Profile Device Wi-Fi Settings
Update Profile Device Wi-Fi Settings
Delete Profile Device Wi-Fi Settings
L2 Settings
Update Profile Device L2 Settings
Controls ability to view or change Profile Device L2 Settings
No
Yes
Yes
Multi-Source QoS
Read Profile Device Cloud VPN QoS Settings
Controls ability to view or change Profile Device Cloud VPN QoS Settings
No
Yes
Yes
Update Profile Device Cloud VPN QoS Settings
SNMP Settings
Create Profile Device SNMP Settings
Controls ability to view or change Profile Device SNMP Settings
No
Yes
Yes
Read Profile Device SNMP Settings
Update Profile Device SNMP Settings
Delete Profile Device SNMP Settings
NTP
Read Profile Device NTP Settings
Controls ability to view or change Profile Device NTP Settings
No
Yes
Yes
Update Profile Device NTP Settings
Visibility Mode
Update Profile Device Config Visibility Mode
Controls ability to view or change Profile Device Config Visibility Mode
No
Yes
Yes
Analytics Settings
Read Profile Device Analytics Settings
Controls ability to view or change Profile Device Analytics Settings
No
Yes
Yes
Update Profile Device Analytics Settings
Create Profile Device Network Settings
Controls ability to view or change Profile Device Network Settings
No
Yes
Yes
Read Profile Device Network Settings
Update Profile Device Network Settings
Delete Profile Device Network Settings
Business Policy
Profile Business Policy
Controls ability to view or change profile business policy page
No
Yes
Yes
SD-WAN Overlay Rate Limit
Read Profile Business Policy Rate Limit
Controls the ability to read and update the rate limiting business policy feature
No
Yes
Yes
Update Profile Business Policy Rate Limit
Firewall
Profile Firewall
Controls ability to view or change profile firewall page
Controls visibility and control of Stateful Firewall Settings, Network & Flood Protection Settings, and Edge Access on the profile firewall page
No
Yes
Yes
Read Edge Firewall Edge Access
No
No
Update Edge Firewall Edge Access
Yes
Yes
Delete Edge Firewall Edge Access
Configure
Edges
Create Edge
Grants ability to view and manage Edge objects and their properties in general
Yes
Yes
Yes
Read Edge
No
No
Update Edge
Delete Edge
Yes
Yes
Manage Edge
No
No
Read Customer Profile
Grants ability to view and edit enterprise configuration profiles
Yes
Yes
Yes
New Edge >
Authentication
Create Customer PKI
Grants ability to view and manage enterprise PKI settings
Yes
No
No
Select Edge/Edges >
Local Credentials
Read Overview Properties Local Credentials
Grants ability to view and configure Edge local credentials
No
Yes
Yes
Update Overview Properties Local Credentials
Select Edge/Edges >
Assign Profile
Assign Edge Profile
Grants ability to assign profiles to Edges
No
Yes
Yes
Select Edge/Edges >
Update Pre-Notifications
Update Edge Overview Properties Enable Alerts
Controls ability to view or change Edge alert configuration on the Edge overview page
No
Yes
Yes
Select Edge/Edges >
Assign Edge License
Select Edge/Edges >
Update Customer Alerts
Edge Cluster
Read Edge Cluster
Grants ability to view Edge clusters
No
Yes
Yes
Create Cloud Edge
Create DMZ Gateway
Grants ability to create DMZ Gateways
No
Yes
Yes
Profiles
Create Customer Profile
Grants ability to view and edit enterprise configuration profiles
Yes
Yes
Yes
Read Customer Profile
Update Customer Profile
Delete Customer Profile
Manage Customer Profile
No
No
Duplicate Profile
Duplicate Customer Profile
Grants ability to edit duplicate customer level profiles
No
Yes
Yes
Create Profile
Grants access to view and manage profiles at any level
No
Yes
Yes
Read Profile
Update Profile
Delete Profile
Object Groups
Create Object Group
Grants ability to manage Object Group
Yes
Yes
Yes
Read Object Group
Update Object Group
Delete Object Group
Manage Object Group
No
No
Read Customer Profile
Grants ability to view and edit enterprise configuration profiles
Yes
Yes
Yes
Segments/Networks
Create Network Addressing
Grants ability to view and manage address block configuration in the legacy Network profile mode
Yes
Yes
Yes
Read Network Addressing
No
No
Update Network Addressing
Yes
Yes
Delete Network Addressing
Manage Network Addressing
No
No
Create Customer Segment
Grants ability to view and manage the creation of segments and their assignment to configuration profiles
No
Yes
Yes
Read Customer Segment
Update Customer Segment
Delete Customer Segment
Overlay Flow Control
Create Overlay Flow Control
Grants ability to view and manage data and configuration presented on the Overlay Flow Control page
No
Yes
Yes
Read Overlay Flow Control
Update Overlay Flow Control
Delete Overlay Flow Control
Read Customer Profile
Grants ability to view and edit enterprise configuration profiles
Yes
Yes
Yes
Update Customer Profile
Network Services
Create Network Service
Grants ability to view and manage services with the Network Services configuration block
Yes
Yes
Yes
Read Network Service
No
No
Update Network Service
Yes
Yes
Delete Network Service
Manage Network Service
No
No
Create Customer Keys
Grants ability to view and manage enterprise security keys such as Edge administrator credentials and IPSEC keys
Yes
Yes
Yes
Read Customer Keys
Update Customer Keys
Read Customer Profile
Grants ability to view and edit enterprise configuration profiles
Yes
Yes
Yes
Edge Cluster
Create Edge Cluster
Controls the ability to create and configure Edge Clusters
No
Yes
Yes
Read Edge Cluster
Update Edge Cluster
Delete Edge Cluster
Cloud VPN Hubs
Create VPN Hub Network Service
Grants ability to manage VPN Hubs as Network Services
No
Yes
Yes
Read VPN Hub Network Service
Update VPN Hub Network Service
Delete VPN Hub Network Service
Non SD-WAN Destinations via Gateway Non SD-WAN Destinations via Edge
Create Non SD-WAN Destination via Gateway
Grants ability to view and manage Non SD-WAN Destinations via Gateway and Non SD-WAN Destinations via Edge
No
Yes
Yes
Read Non SD-WAN Destination via Gateway
Update Non SD-WAN Destination via Gateway
Delete Non SD-WAN Destination via Gateway
Cloud Security Service
Create Cloud Security Service
Controls creation and configuration of third party cloud security services to which the traffic can be steered by business policy
No
Yes
Yes
Read Cloud Security Service
Update Cloud Security Service
Delete Cloud Security Service
VNFs
Create VNF Network Service
Grants ability to manage VNF Network Services
No
Yes
Yes
Read VNF Network Service
Update VNF Network Service
Delete VNF Network Service
VNF Licenses
Create VNF License Network Service
Grants ability to manage VNF licenses with Network Services
No
Yes
Yes
Read VNF License Network Service
Update VNF License Network Service
Delete VNF License Network Service
DNS Services
Create DNS Network Service
Controls the ability to create and configure DNS services for use in profiles
No
Yes
Yes
Read DNS Network Service
Update DNS Network Service
Delete DNS Network Service
Private Network Names
Create Private Network Name Network Service
Grants ability to manage Private Network Name with Network Services
No
Yes
Yes
Read Private Network Name Network Service
Update Private Network Name Network Service
Delete Private Network Name Network Service
Authentication Services
Create Authentication Service
Controls the creation and configuration of hosted 802.1x service providing LAN-side user authentication
No
Yes
Yes
Read Authentication Service
Update Authentication Service
Delete Authentication Service
TACACS Services
Create Network Service
Grants ability to view and manage services with the Network Services configuration block
Yes
Yes
Yes
Read Network Service
No
No
Update Network Service
Yes
Yes
Delete Network Service
Create Customer Keys
Grants ability to view and manage enterprise security keys such as Edge administrator credentials and IPSEC keys
Yes
Yes
Yes
Read Customer Keys
Update Customer Keys
Delete Customer Keys
Manage Customer Keys
No
No
Cloud Subscriptions
Create Cloud Subscription Service
Grants ability to view and manage the configuration of access to IAAS providers, such as Azure, AWS and Google Cloud
No
Yes
Yes
Read Cloud Subscription Service
Update Cloud Subscription Service
Delete Cloud Subscription Service
Alerts & Notifications
Read Customer Alert Notification
Grants ability to view and manage customer alert configuration
No
Yes
Yes
Create Customer Alert
Grants ability to view and manage customer alert configuration and generated alerts
Yes
No
No
Read Customer Alert
Yes
Yes
Update Customer Alert
Delete Customer Alert
No
No
Manage Customer Alert
SMS Alert
Update Customer SMS Alert
Grants ability to configure SMS alerts at the customer level
No
Yes
Yes
Customer
Update Enterprise
Grants ability to view and manage Customers, from the Partner or Operator level
Yes
Yes
Yes
Other Settings
Read User Agreement
Privilege granting access to configure the customer user agreement feature
Yes
No
No
Update User Agreement
Test & Troubleshoot
Read Diagnostics
Controls creation of and access to diagnostics bundles, both Edge and Gateway. Combine with Edge and Gateway privileges to control access to each type individually
Yes
Yes
Yes
Remote Diagnostics
Create Remote Diagnostics
Grants access to view and execute remote diagnostics
No
No
No
Read Remote Diagnostics
Yes
Yes
Update Remote Diagnostics
No
No
Delete Remote Diagnostics
Manage Remote Diagnostics
Yes
Yes
Gateway
Remote Cloud Traffic Routing
No
Yes
Yes
Reset USB Modem
Remote Reset USB Modem
Grants ability to execute the Edge USB modem reset remote action
No
Yes
Yes
Scan for nearby Wi-Fi
Remote Scan for Wi-Fi Access Points
Grants ability to execute the Edge Wi-Fi scan remote action
No
Yes
Yes
VPN Test
Remote VPN Test
Grants ability to execute the Edge VPN test remote action
No
Yes
Yes
Remote Actions
Create Remote Actions
Grants access to view and execute remote actions
No
Yes
Yes
Read Remote Actions
Update Remote Actions
Delete Remote Actions
Select Edge > Shutdown button
Shutdown Edge
Grants ability to execute the Edge shutdown remote action
No
Yes
Yes
Select Edge > Deactivate button
Deactivate Edge
Grants ability to execute the deactivate Edge remote action
No
Yes
Yes
Diagnostic Bundles/Packet Capture
404 resource not found page
Create Diagnostics
Controls creation of and access to diagnostics bundles, both Edge and Gateway. Combine with Edge and Gateway privileges to control access to each type individually
Yes
Yes
Yes
Read Diagnostics
Update Diagnostics
Delete Diagnostics
Manage Diagnostics
No
No
Request Diagnostic Bundle
Create Diagnostic Bundle
Grants ability to view and request Diagnostic bundles as part of remote diagnostics functionality
No
Yes
Yes
Diagnostic Bundles/Packet Capture
404 resource not found page
Read Diagnostic Bundle
Update Diagnostic Bundle
Delete Diagnostic Bundle
Delete Diagnostic Bundle
Request PCAP Bundle
Create PCAP Bundle
Grants ability to view and request PCAP bundles as part of remote diagnostics functionality
No
Yes
Yes
Diagnostic Bundles/Packet Capture
404 resource not found page
Read PCAP Bundle
Update PCAP Bundle
No
No
Delete PCAP Bundle
Yes
Yes
Diagnostic Bundles/Packet Capture
404 resource not found page
Manage PCAP Bundle
Download Diagnostic Bundle
Download Edge Diagnostics
Grants ability to download Edge Diagnostics
No
Yes
Yes
Administration
System Settings
Read Customer Delegation
Grants ability to view and manage the delegation of privileges from the customer to Partners or the Operator
Yes
Yes
Yes
General Information >
General Information
Read Customer General Information
Controls visibility and control of Customer General Information on the System Settings General Information page
No
Yes
Yes
Update Customer General Information
Default Edge Authentication
Read Customer PKI
Grants ability to view and manage enterprise PKI settings
Yes
No
No
Update Customer PKI
Edge Configuration
Read Customer Edge Settings
Controls visibility and control of Customer Edge Settings on the System Settings General Information page
No
Yes
Yes
Update Customer Edge Settings
Privacy Settings
Read Customer Privacy Settings
Controls visibility and control of Customer Privacy Settings on the System Settings General Information page
No
Yes
Yes
Update Customer Privacy Settings
Privacy Settings > Enforce PCI
Update Customer User
Grants ability to view and manage Customer administrators
Yes
Yes
Yes
Contact Information
Read System Settings Contact Info
Controls visibility and control of System Settings Contact Info on the System Settings General Information page
No
Yes
Yes
Update System Settings Contact Info
Authentication
Create Customer Authentication
Grants ability to view and manage customer authentication mode, for example SSO, Radius or Native
Yes
Yes
Yes
Read Customer Authentication
Update Customer Authentication
Delete Customer Authentication
Manage Customer Authentication
API Tokens
Read Customer Token
Grants ability to view and manage authentication tokens at the Customer level
Yes
No
No
Update Customer Token
Administrators
Create Customer User
Grants ability to view and manage Customer administrators
Yes
Yes
Yes
Read Customer User
Update Customer User
Delete Customer User
Manage Customer User
No
No
Select Enterprise User >
API Tokens
Create Customer Token
Grants ability to view and manage authentication tokens at the Customer level
Yes
No
No
Read Customer Token
Update Customer Token
Delete Customer Token
Manage Customer Token
Service Permissions
Create Service Permissions Package
Grants access to manage Service Permissions packages
Yes
No
No
Read Service Permissions Package
Update Service Permissions Package
Delete Service Permissions Package
Manage Service Permissions Package
Edge Licensing
Create License
Grants ability to view and manage Edge licensing
Yes
No
No
Read License
Yes
Yes
Update License
Delete License
No
No
Manage License
VeloCloud Support Access Role
Create Customer Delegation
Grants ability to view and manage the delegation of privileges from the customer to Partners or the Operator
Yes
Yes
Yes
Read Customer Delegation
Update Customer Delegation
Delete Customer Delegation
Manage Customer Delegation
No
No
When the corresponding user privilege is denied, the Orchestrator window displays the 404 resource not found error.
Below table provides a list of customizable feature privileges:
Table 13. Customizable Feature Privileges
Navigation Path in the Enterprise Portal
Name of the Tab
Name of the Privilege
Description
Configure > Edges > Select Edges
Overview
Assign Edge Profile
Grants ability to assign a Profile to Edges
Configure > Edges > Select Edges
Firewall
Configure Edge Firewall Logging
Grants ability to configure Edge level firewall logging
Configure > Profiles > Select Profile
Firewall
Configure Profile Firewall Logging
Grants ability to configure Profile level firewall logging
Diagnostics > Remote Actions
Select Edge > Deactivate
Deactivate Edge
Grants ability to reset the device configuration to its factory default state
Global Settings > Enterprise Settings > Information Privacy Settings > SD-WAN PC
Enforce PCI Compliance
Deny PCI Operations
Denies access to sensitive Customer data including PCAPs, etc. on the Edges and Gateways, for all users
Diagnostics > Diagnostic Bundles
Select Edge > Download Bundle
Download Edge Diagnostics
Grants ability to download Edge Diagnostics
sGateway Management > Diagnostic Bundles
Select Gateway > Download Bundle
Download Gateway Diagnostics
Grants ability to download Gateway Diagnostics
Configure > Profiles
Duplicate
Duplicate Customer Profile
Grants ability to edit duplicate customer level Profiles
Grants ability to view logs that are forwarded to a configured syslog collector
Operator portal > Gateway Management
Gateways
View Tab Gateway List
Grants ability to view the Gateway list tab
Operator portal > Administration
Operator Profiles
View Tab Operator Profile
Grants ability to view and configure settings within the Operator Profile menu tab
Monitor > Edges > Select Edge
Top Sources
View User Identifiable Flow Stats
Grants ability to view potentially user identifiable flow source attributes
Authentication
The Authentication feature allows you to set the authentication mode for an Enterprise user and view the existing API tokens.
To access the Authentication tab:
In the Enterprise portal, on the Global Navigation bar, expand the Enterprise Applications drop-down menu.
Select Global Settings service.
From the left menu, select User Management, and then select the Authentication tab. The following screen appears:
Figure 11. Authentication
API Tokens
You can access the Orchestrator APIs using token-based authentication, irrespective of the authentication mode. You can view the API tokens issued to the Enterprise users. If required, you can revoke the API tokens.
By default, the API Tokens are activated. If you want to deactivate them, contact your Operator.
Note: Enterprise Administrator should manually delete inactive Identity Provider (IdP) users from the Orchestrator to prevent unauthorized access via API Token.
The following are the options available in this section:
Table 14. API Tokens Option Descriptions
Option
Description
Search
Enter a search term to search for the matching text across the table. Use the advanced search option to narrow down the search results.
Revoke API Token
Select the token and select this option to revoke it. Only an Operator Super User or the user associated with an API token can revoke the token.
CSV
Select this option to download the complete list of API tokens in a .csv file format.
Columns
Select the columns to be displayed or hidden on the page.
Refresh
Select to refresh the page to display the most current data.
For information on creating and downloading API tokens, see API Tokens.
Enterprise Authentication
Select one of the following Authentication modes:
Local: This is the default option and does not require any additional configuration.
Single Sign-On: Single Sign-On (SSO) is a session and user authentication service that allows users to log in to multiple applications and websites with one set of credentials. Integrating an SSO service with Orchestrator enables Orchestrator to authenticate users from OpenID Connect (OIDC)-based Identity Providers (IdPs).
For information on how to configure Single Sign On for Enterprise User, see Enterprise Settings.
To enable Single Sign On (SSO) for Orchestrator, you must enter the Orchestrator application details into the Identity Provider (IdP). Select each of the following links for step-by-step instructions to configure the following supported IdPs:
You can configure the following options when you select the Authentication Mode as Single Sign-on.
Figure 12. Enterprise Authentication Option Descriptions
From the drop-down menu, select your preferred Identity Provider (IdP) that you have configured for Single Sign On. This pre-populates fields specific to your IdP.
Note: You can also manually configure your own IdPs by selecting Others from the drop-down menu.
Organization Id
This field is available only when you select the CSP template. Enter the Organization ID provided by the IdP in the format: /csp/gateway/am/api/orgs/<full organization
ID>. When you sign in to CSP, you can view the organization ID you are logged into by selecting on your username. This information also appears under Organization details. Use the "Long Organization ID".
OIDC well-known config URL
Enter the OpenID Connect (OIDC) configuration URL for your IdP. For example, the URL format for Okta will be:
https://{oauth-provider-url}/.well-known/openid-configuration.
Issuer
This field is auto-populated based on your selected IdP.
Authorization Endpoint
This field is auto-populated based on your selected IdP.
Token Endpoint
This field is auto-populated based on your selected IdP.
JSON Web KeySet URI
This field is auto-populated based on your selected IdP.
User Information Endpoint
This field is auto-populated based on your selected IdP.
Client ID
Enter the client identifier provided by your IdP.
Client Secret
Enter the client secret code provided by your IdP, that is used by the client to exchange an authorization code for a token.
Scopes
This field is auto-populated based on your selected IdP.
Role Type
Select one of the following two options:
Use default role
Use identity provider roles
Role Attribute
Enter the name of the attribute set in the IdP to return roles.
Enterprise Role Map
Map the IdP-provided roles to each of the Enterprise user roles.
Select Update to save the entered values. The SSO authentication setup is complete in the Orchestrator.
User Authentication
You can choose to activate or deactivate the Two factor authentication feature for the user. The Self service password reset allows you to change the password using a link on the Login page.
Note: This feature can be activated only for those users whose mobile phone numbers are associated with their user accounts.
Session Limits
Note: To view this section, an Operator user must navigate to Orchestrator > System Properties, and set the value of the system property session.options.enableSessionTracking to True.
The following are the options available in this section:
Table 16. Session Limits Option Descriptions
Option
Description
Concurrent logins
Allows you to set a limit on concurrent logins per user. By default, Unlimited is selected, indicating that unlimited concurrent logins are allowed for the user.
Session limits for each role
Allows you to set a limit on the number of concurrent sessions based on user role. By default, Unlimited is selected, indicating that unlimited sessions are allowed for the role.
Note: The roles that are already created by the Enterprise in the Roles tab, are displayed in this section.
Select Update to save the selected values.
Configure Azure Active Directory for Single Sign On
To set up an OpenID Connect (OIDC)-based application in Microsoft Azure Active Directory (AzureAD) for Single Sign On (SSO), perform the following steps.
Ensure you have an AzureAD account to sign in.
Log in to your Microsoft Azure account as an Admin user. The Microsoft Azure home screen appears.
To create a new application:
Search and select the Azure Active Directory service.
Figure 13. Microsoft Azure
Go to App registration > New registration. The Register an application screen appears.
Figure 14. Register an Application
In the Name field, enter the name for your Orchestrator application.
In the Redirect URL field, enter the redirect URL that your Orchestrator application uses as the callback endpoint.
In the Orchestrator application, at the bottom of the Configure Authentication screen, you can find the redirect URL link. Ideally, the Orchestrator redirect URL will be in this format: https://<Orchestrator URL>/login/ssologin/openidCallback.
Select Register. Your Orchestrator application will be registered and displayed in the All applications and Owned applications tabs. Make sure to note down the Client ID/Application ID to be used during the SSO configuration in Orchestrator.
Select Endpoints and copy the well-known OIDC configuration URL to be used during the SSO configuration in Orchestrator.
To create a client secret for your Orchestrator application, on the Owned applications tab, select your Orchestrator application.
Go to Certificates & secrets > New client secret. The Add a client secret screen appears.
Figure 15. Adding a Client Secret
Provide details such as description and expiry value for the secret and select Add.
The client secret is created for the application. Note down the new client secret value to be used during the SSO configuration in Orchestrator.
To configure permissions for your Orchestrator application, selectyour Orchestrator application and go to API permissions > Add a permission. The Request API permissions screen appears.
Figure 16. Adding API Permissions
Select Microsoft Graph and select Application permissions as the type of permission for your application.
Under Select permissions, from the Directory drop-down menu, select Directory.Read.All, and from the User drop-down menu, select User.Read.All.
Select Add permissions.
To add and save roles in the manifest, select your Orchestrator application and from the application Overview screen, select Manifest. A web-based manifest editor opens, allowing you to edit the manifest within the portal. Optionally, you can select Download to edit the manifest locally, and then use Upload to reapply it to your application.
Figure 17. Viewing the Manifest
In the manifest, search for the appRoles array and add one or more role objects as shown in the following example and select Save.
Note: The value property from appRoles must be added to the Identity Provider Role Name column of the Role Map table, located in the Authentication tab, in order to map the roles correctly.
Sample role objects
{ "allowedMemberTypes": [ "User" ], "description": "Standard Administrator who will have sufficient privilege to manage resource", "displayName": "Standard Admin", "id": "18fcaa1a-853f-426d-9a25-ddd7ca7145c1", "isEnabled": true, "lang": null, "origin": "Application", "value": "standard" }, { "allowedMemberTypes": [ "User" ], "description": "Super Admin who will have the full privilege on Orchestrator", "displayName": "Super Admin", "id": "cd1d0438-56c8-4c22-adc5-2dcfbf6dee75", "isEnabled": true, "lang": null, "origin": "Application", "value": "superuser" }
Note: Make sure to set id to a newly generated Global Unique Identifier (GUID) value. You can generate GUIDs online using web-based tools (for example, https://www.guidgen.com/), or by running the following commands:
Linux/OSX- uuidgen
Windows- powershell [guid]::NewGuid()
Figure 18. Manifest
Roles are manually set up in the Orchestrator, and must match the ones configured in the Microsoft Azure portal.
Figure 19. App Roles
To assign groups and users to your Orchestrator application:
Go to Azure Active Directory > Enterprise applications.
Search and select your Orchestrator application.
Select Users and groups and assign users and groups to the application.
Select Submit.
You have completed setting up an OIDC-based application in AzureAD for SSO. Configure Single Sign On in Orchestrator.
Configure Okta for Single Sign On
To support OpenID Connect (OIDC)-based Single Sign On (SSO) from Okta, you must first set up an application in Okta. To set up an OIDC-based application in Okta for SSO, perform the steps on this procedure.
Ensure you have an Okta account to sign in.
Log in to your Okta account as an Admin user. The Okta home screen appears.
Note: If you are in the Developer Console view, then you must switch to the Classic UI view by selecting Classic UI from the Developer Console drop-down list.
To create a new application:
In the upper navigation bar, select Applications > Add Application. The Add Application screen appears.
Figure 20. Adding an Application to Okta
Select Create New App. The Create a New Application Integration dialog box appears.
From the Platform drop-drop menu, select Web.
Select OpenID Connect as the Sign on method and select Create. The Create OpenID Connect Integration screen appears.
Figure 21. Creating an OpenID Connect Integration
Under the General Settings area, in the Application name text box, enter the name for your application.
Under the CONFIGURE OPENID CONNECT area, in the Login redirect URIs text box, enter the redirect URL that your Orchestrator application uses as the callback endpoint.
In the Orchestrator application, at the bottom of the Configure Authentication screen, you can find the redirect URL link. Ideally, the Orchestrator redirect URL will be in this format: https://<Orchestrator URL>/login/ssologin/openidCallback.
Select Save. The newly created application page appears.
On the General tab, select Edit and select Refresh Token for Allowed grant types, and select Save.
Note down the Client Credentials (Client ID and Client Secret) to be used during the SSO configuration in
Orchestrator.
Figure 22. Configuring General Settings
Select the Sign On tab and under the OpenID Connect ID Token area, select Edit.
From the Groups claim type drop-down menu, select Expression. By default, Groups claim type is set to Filter.
In the Groups claim expression textbox, enter the claim name that will be used in the token, and an Okta input expression statement that evaluates the token.
Select Save. The application is setup in IDP. You can assign user groups and users to your Orchestrator application.
Figure 23. Configuring Settings
To assign groups and users to your Orchestrator application:
Go to Application and select your Orchestrator application link.
On the Assignments tab, from the Assign drop-down menu, select Assign to Groups or Assign to People. The Assign > Application > Assign to Groups or Assign > Application > Assign to People dialog box appears.
Select Assign next to available user groups or users you want to assign the Orchestrator application and select Done. The users or user groups assigned to the Orchestrator application will be displayed.
Figure 24. Assigning the Configuration
You have completed setting up an OIDC-based application in Okta for SSO.
Configure One Login for Single Sign On
To set up an OpenID Connect (OIDC)-based application in OneLogin for Single Sign On (SSO), perform the steps below:
Ensure you have an OneLogin account to sign in.
Log in to your OneLogin account as an Admin user. The OneLogin home screen appears.
To create a new application:
In the upper navigation bar, select Apps > Add Apps.
In the Find Applications text box, search for “OpenId Connect” or “oidc” and then select the OpenId Connect (OIDC) app. The Add OpenId Connect (OIDC) screen appears.
Figure 25. Add OpenID Connect
In the Display Name text box, enter the name for your application and select Save.
On the Configuration tab, enter the Login URL (auto-login URL for SSO) and the Redirect URI that Orchestrator uses as the callback endpoint, and select Save.
Login URL- The login URL will be in this format: https://<Orchestrator URL>/<Domain>/ login/doEnterpriseSsoLogin. Where, Domain is the domain name of your Enterprise that you must have already set up to enable SSO authentication for the Orchestrator. You can get the Domain name from the Enterprise portal > Administration > System Settings > General Information page.
Redirect URI's- The Orchestrator redirect URL will be in this format: https://<Orchestrator URL>/login/ssologin/openidCallback. In the Orchestrator application, at the bottom of the Authentication screen, you can find the redirect URL link.
Figure 26. Configuring OpenID Connect
On the Parameters tab, under OpenId Connect (OIDC), double select Groups. The Edit Field Groups popup appears.
Figure 27. Editing Field Groups
Configure User Roles with value “--No transform--(Single value output)” to be sent in groups attribute and select Save.
On the SSO tab, from the Application Type drop-down menu, select Web.
From the Authentication Method drop-down menu, select POST as the Token Endpoint and select Save.
Also, note down the Client Credentials (Client ID and Client Secret) to be used during the SSO configuration in Orchestrator.
Figure 28. Configuring the Authentication Method
On the Access tab, choose the roles that will be allowed to login and select Save.
Figure 29. Access
To add roles and users to your Orchestrator application:
Select Users and select a user.
On the Application tab, from the Roles drop-down menu, on the left, select a role to be mapped to the user.
Select Save Users.
You have completed setting up an OIDC-based application in OneLogin for SSO.
Configure Ping Identity for Single Sign On
To set up an OpenID Connect (OIDC)-based application in Ping Identity for Single Sign On (SSO), perform the steps on this procedure.
Ensure you have a PingOne account to sign in.
Note: Currently, Orchestrator supports PingOne as the Identity Partner (IDP); however, any PingIdentity product supporting OIDC can be easily configured.
Log in to your PingOne account as an Admin user. The PingOne home screen appears.
To create a new application:
In the upper navigation bar, click Applications.
Figure 30. My Applications
On the My Applications tab, select OIDC and then click Add Application. The Add OIDC Application pop-up window appears.
Figure 31. Adding an OIDC Application
Provide basic details such as name, short description, and category for the application and click Next.
Under AUTHORIZATION SETTINGS, select Authorization Code as the allowed grant types and click Next.
Also, note down the Discovery URL and Client Credentials (Client ID and Client Secret) to be used during the SSO configuration in Orchestrator.
Under SSO FLOW AND AUTHENTICATION SETTINGS, provide valid values for Start SSO URL and Redirect URL and click Next.
In the Orchestrator application, at the bottom of the Configure Authentication screen, you can find the redirect URL link. Ideally, the Orchestrator redirect URL will be in this format: https://<Orchestrator URL>/login/ssologin/openidCallback. The Start SSO URL will be in this format: https://<Orchestrator URL>/<domain name>/login/doEnterpriseSsoLogin.
Under DEFAULT USER PROFILE ATTRIBUTE CONTRACT, click Add Attribute to add additional user profile attributes.
In the Attribute Name text box, enter group_membership and then select the Required checkbox, and select Next.
Note: The group_membership attribute is required to retrieve roles from PingOne.
Under CONNECT SCOPES, select the scopes that can be requested for your Orchestrator application during authentication and click Next.
Under Attribute Mapping, map your identity repository attributes to the claims available to your Orchestrator application.
Note: The minimum required mappings for the integration to work are email, given_name, family_name, phone_number, sub, and group_membership (mapped to member Of).
Under Group Access, select all user groups that should have access to your Orchestrator application and click Done. The application will be added to your account and will be available in the My Application screen.
You have completed setting up an OIDC-based application in PingOne for SSO.
