Identity provider workflows

SAML identity provider workflows

The HERE platform allows you to create and manage SAML identity providers.

When an identity provider is enabled, users from your organization must use SSO login to log in. Likewise, if you disable the identity provider, all users must log in with a password instead.

The OLP CLI provides tools for managing SAML identity providers, such as:

  • Get supported SAML identity provider templates
  • Validate a SAML metadata file
  • Create a new SAML identity provider
  • Show the details of the SAML identity provider
  • Enable the SAML identity provider
  • Disable the SAML identity provider
  • Delete the SAML identity provider

For more information, see identity provider commands. These commands are available to apps with an 'IDPManager' role. This role can be attached by organization admins using the role assignment commands.

Get supported SAML identity provider templates

List all supported SAML identity provider templates by running the olp identity provider template list command.

olp identity provider template list
ID      name
okta    Okta
google  Google

Note down the template ID matching the identity provider you want to use for the rest of the setup.

Validate a SAML metadata file

If the identity provider template for your identity provider is supported, run the olp identity provider metadata validate command to validate the metadata XML used for creating the identity provider.

This step is optional, because creating the identity provider also validates the metadata file. It is still useful, since it returns the entity ID and the single sign-on URL read from the metadata contents. You can optionally override these values when running the olp identity provider create command.

olp identity provider metadata validate okta ./metadata.xml
entity ID                       SSO login URL
https://www.example.com/mySso   https://here.example.com/sso/saml
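The validation step reads the identity provider's SAML 2.0 metadata and reports the entity ID and SSO login URL it found. The following script is an added example (not the OLP CLI's code, and not how the HERE platform validates metadata internally) that shows what such a check involves: it parses a constructed metadata document whose values match the output above, requires an md:IDPSSODescriptor with at least one signing certificate, picks the HTTP-Redirect or HTTP-POST single sign-on endpoint, and rejects non-https locations. The sample certificate body is a placeholder, and the MetadataError type and validate_idp_metadata function are assumptions of this example.

```python
"""Inspect SAML 2.0 IdP metadata the way a pre-flight validator would.

Added example for illustration; not the OLP CLI's implementation.
"""
import sys
import xml.etree.ElementTree as ET
from pathlib import Path
from urllib.parse import urlsplit

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample metadata. Entity ID and SSO URL match the page's example
# output; the certificate contents are a placeholder, not a real certificate.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://www.example.com/mySso">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER-BASE64-CERTIFICATE</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://here.example.com/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://here.example.com/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


class MetadataError(ValueError):
    """Raised when the metadata cannot be used to create an identity provider."""


def _https_url(value: str, what: str) -> str:
    """Require an absolute https URL; SSO endpoints carry signed assertions."""
    parts = urlsplit(value)
    if parts.scheme != "https" or not parts.netloc:
        raise MetadataError(f"{what} must be an absolute https URL, got {value!r}")
    return value


def validate_idp_metadata(xml_text: str) -> dict:
    """Return entity ID, SSO login URL, chosen binding and signing-cert count."""
    # Metadata comes from a third party; for untrusted input in production,
    # parse with a hardened parser such as defusedxml instead of plain ElementTree.
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise MetadataError(f"not well-formed XML: {exc}") from exc
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise MetadataError("root element must be md:EntityDescriptor")
    entity_id = (root.get("entityID") or "").strip()
    if not entity_id:
        raise MetadataError("entityID attribute is missing or empty")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise MetadataError("no md:IDPSSODescriptor found; this may be SP metadata")

    # A KeyDescriptor with use="signing", or with no use attribute (= both), is
    # what lets the service provider verify assertion signatures.
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            if cert.text and cert.text.strip():
                certs.append(cert.text.strip())
    if not certs:
        raise MetadataError("no signing certificate; assertions could not be verified")

    endpoints = {
        sso.get("Binding"): sso.get("Location")
        for sso in idp.findall("md:SingleSignOnService", NS)
    }
    for binding in (REDIRECT_BINDING, POST_BINDING):
        if endpoints.get(binding):
            return {
                "entity_id": entity_id,
                "sso_login_url": _https_url(endpoints[binding], "SSO login URL"),
                "binding": binding,
                "signing_certs": len(certs),
            }
    raise MetadataError("no SingleSignOnService with HTTP-Redirect or HTTP-POST binding")


if __name__ == "__main__":
    # Usage: python validate_metadata.py [metadata.xml]; defaults to the sample.
    text = Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else SAMPLE_METADATA
    try:
        result = validate_idp_metadata(text)
    except MetadataError as exc:
        sys.exit(f"metadata invalid: {exc}")
    print(f"{'entity ID':<32}SSO login URL")
    print(f"{result['entity_id']:<32}{result['sso_login_url']}")
```

Run it against your own metadata.xml to see the two values you will later confirm in the olp identity provider show output (entityId and ssoLoginUrl); a MetadataError before you run olp identity provider create usually means the file was exported from the wrong side (SP rather than IdP metadata) or is missing the signing certificate.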

Create a new SAML identity provider

Run the olp identity provider create command to create the identity provider.

The identity provider will be available for your organization only.

olp identity provider create "Sign in with Okta" okta ./metadata.xml
SAML identity provider hrn:here:account::org:samlIdentityProvider/IDP-4451d8ed-42cd-4de1-ac16-3fa1ed7f393d has been created

Use olp identity provider show <provider HRN> to show SAML identity provider details
Use olp identity provider enable <provider HRN> to enable SAML identity provider

Note

org is a placeholder for the ID of your organization.

Save these HRNs to use below.

Show the details of the SAML identity provider

To verify that the identity provider has been created successfully, you can use the olp identity provider show command.

olp identity provider show hrn:here:account::org:samlIdentityProvider/IDP-4451d8ed-42cd-4de1-ac16-3fa1ed7f393d
HRN               hrn:here:account::org:samlIdentityProvider/IDP-4451d8ed-42cd-4de1-ac16-3fa1ed7f393d
name              Okta Login
idpTemplateId     okta
entityId          https://www.example.com/mySso
ssoLoginUrl       https://here.example.com/sso/saml
created           2023-01-21T17:32:28Z
enabled           false
callback          https://account.here.com/saml/callback
spMetadataUrl     https://account.api.here.com/identityProvider/aHJuOmhlcmU6YWNjb3VudDo6b3Jn/metadata
spCertificateUrl  https://account.api.here.com/identityProvider/aHJuOmhlcmU6YWNjb3VudDo6b3Jn/cert

Enable the SAML identity provider

The identity provider will be disabled when first created. You need to enable it for your users to be able to log in with your identity provider. After enabling the identity provider, the realm will support SSO logins only.

olp identity provider enable hrn:here:account::org:samlIdentityProvider/IDP-4451d8ed-42cd-4de1-ac16-3fa1ed7f393d
SAML identity provider hrn:here:account::org:samlIdentityProvider/IDP-4451d8ed-42cd-4de1-ac16-3fa1ed7f393d has been enabled. Now the realm hrn:here:account::org:realm/org supports SSO logins only

Note

This will change your organization's login method to SSO logins.

If you want to support both SSO and password login methods, use the --with-password-login option.

olp identity provider enable hrn:here:account::org:samlIdentityProvider/IDP-4451d8ed-42cd-4de1-ac16-3fa1ed7f393d --with-password-login
SAML identity provider hrn:here:account::org:samlIdentityProvider/IDP-4451d8ed-42cd-4de1-ac16-3fa1ed7f393d has been enabled. Now the realm hrn:here:account::org:realm/org supports both SSO and password logins

Note

This will change your organization's login method to SSO and password logins.

If you want to switch back to the SSO-only login method, enable the identity provider again without the --with-password-login option.

Disable the SAML identity provider

If you don't want to use SSO logins for your organization anymore, you can disable the identity provider. This will change your organization's login method to password logins.

olp identity provider disable hrn:here:account::org:samlIdentityProvider/IDP-4451d8ed-42cd-4de1-ac16-3fa1ed7f393d
SAML identity provider hrn:here:account::org:samlIdentityProvider/IDP-4451d8ed-42cd-4de1-ac16-3fa1ed7f393d has been disabled

Delete the SAML identity provider

Once disabled, you can delete the identity provider.

olp identity provider delete hrn:here:account::org:samlIdentityProvider/IDP-4451d8ed-42cd-4de1-ac16-3fa1ed7f393d
SAML identity provider hrn:here:account::org:samlIdentityProvider/IDP-4451d8ed-42cd-4de1-ac16-3fa1ed7f393d has been deleted