Skip to main content
Skip table of contents

Managing Users and Roles in the IGEL Customer Portal

This article describes how to invite users, cancel or renew invitations, and add roles to a user or remove roles in the IGEL Customer Portal. Also included is a description of how to use Okta or Ping as federated identity providers (IdP) for logging in to your IGEL Cloud Services accounts. 

Roles and Permissions

In the IGEL Customer Portal, you can find the following roles:

  • Super Admin

    The first account you register in the IGEL Customer Portal > Register is your Super Admin account. For details on registration, see Using the IGEL Customer Portal

    image-20240704-125431.png

    The Super Admin is the first user to register any new account.

  • Account Admin

  • OBS Admin

  • UMS Admin

  • Customer Support Account Manager

The users with these roles have the following permissions:


Super Admin

Account Admin

OBS Admin

UMS Admin

Customer Support
Account Manager

Account Management

View account

(tick)

(tick)




User Management

View users

(tick)

(tick)




Invite users

(tick)

(tick)




Add / remove user roles

(tick)

(tick)




OBS IdP (Onboarding Service Identity Provider)

Register IGEL OS IdP

(tick)


(tick)



Use OBS instance

(tick)


(tick)



IGEL OS Onboarding

Register OBS instances

(tick)


(tick)



View OBS attributes

(tick)


(tick)



Use OBS attributes

(tick)


(tick)



Create OBS attributes

(tick)


(tick)



Add / change OBS attributes

(tick)


(tick)



UMS Management

View UMS instances

(tick)



(tick)


Use UMS instances

(tick)



(tick)


Create UMS instances

(tick)



(tick)


Add / change UMS instances

(tick)



(tick)


Support / Case Management

View support cases

(tick)




(tick)

Submit support cases

(tick)




(tick)

View RMA cases

(tick)




(tick)

Submit an RMA case

(tick)




(tick)

Submit reset key cases

(tick)




(tick)

Submit license question cases

(tick)




(tick)

Inviting a User and Assigning a Role

In the following example, we will invite a new user and make this user an OBS administrator.

  1.  Open the IGEL Customer Portal, log in to your admin account, and select Users > User & Role Administration.


  2. Select Invite new user.


  3. Provide the data of the new user:

    • First name: First name of the user

    • Last name: Last name of the user

    • E-mail (required): E-mail address of the user

    • Language: Preferred language for the user


  4. Select OBS Admin as the role and click Submit.

    The invitation mail is sent to the user. 
    The list of users is displayed; it includes the newly added user.

    When the user accepts the invitation, the account is created, and the role is assigned. (If the user declines, the account is not created.)
    The Super Admin receives a confirmation e-mail.

Canceling and Resending Invitations

You can cancel or resend pending invitations if you have one of the following roles:

  • Super Admin

  • Account Admin

Pending invitations older than 30 days will be deleted automatically. If an invitation has been deleted, you can create a new one.

  1. Open the IGEL Customer Portal, log in to your admin account, and select Users > Overview.

    The users are listed.

  2. Find the relevant user and click on Resend or Cancel, as appropriate.

Adding a Role to an Existing User

  1. Open the IGEL Customer Portal, log in to your admin account, and select Users > User & Role Administration.


  2. Select Add additional role.


  3. Select one or more users that should be assigned the role.


  4. Select OBS Admin as the additional role and click Submit.

    The updated list of users is displayed.

Removing a Role / Deactivating a User

You can remove one or more rules from a user. If you deactivate a user, the account is deleted. No e-mails will be sent to this account anymore.

  1. Open the IGEL Customer Portal, log in to your admin account, and select Users > User & Role Administration.


  2. Select Remove role.


  3. Select the user from whom you want to remove a role.


  4. Select the role you want to remove from the user.


  5. Click Submit to confirm the change.

Using Okta as Federated Identity Provider

Setting Up an App Integration in Okta

For federating identities from Okta to Azure Active Directory (AAD), which is used in IGEL Cloud Services, you must set up an application integration in your Okta tenant. For this purpose, we will create a SAML 2.0 application.

  1. Log in to your administrator account at Okta, go to Applications, and click Create App integration.


  2. Select SAML 2.0 and click Next.


  3. Define an App name and, optionally, an App logo, and click Next.


  4. Edit the SAML connection details as follows:

    • Single sign on URL: Enter https://login.microsoftonline.com/login.srf

    • Use this for Recipient URL and Destination URL: Activate this checkbox.

    • Audience URI (SP Entity ID): Enter urn:federation:MicrosoftOnline

    • Application username: Set this to Email.


  5. Add the following attributes:

    • Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressValue: user.email

    • Name: NameID FormatValue: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent


  6. Finish your app integration.

Extracting the SAML 2.0 Connection Data

In this step, we will extract the connection data which will be used for creating an external identity that will be used for the IGEL Onboarding Service (OBS).

  1. Open the settings for your application and select Sign On.


  2. Click on the link Identity Provider metadata to download the data we will use afterward for configuring the IGEL Onboarding Service (OBS). The data is contained in an XML file. Also, note down the URL from this link, as we will need it later on.
    Example metadata file:

    be0caf0b-39f6-4b02-9a6c-591693f9bd21.png

Configuring Okta as Your Federated IdP

  1. Open the IGEL Customer Portal, log in to your admin account, and select Users > Bring your IdP.


  2. Enter the following data from your metadata file:

    • Issuer URI: Value of the attribute entityID of the element <md:EntityDescriptor>

    • Passive authentication endpoint: Enter the value of the Location attribute of the <md:SingleSignOnService> element.

    • Metadata URL: Enter the URL of the link Identity Provider metadata you have used before to download the metadata file.

    • Domain name of federating IdP: The part of Passive authentication endpoint before the /app/ without the https://. Example: mycompanydomain.okta.com


  3. Under Associated Domains, add the domains that will be associated with your federate IdP.

    7fa100bc-20ee-4625-8dcd-d0cef3999142.png


  4. Under Certificate, paste the content of the <ds:X509Certificate> element and then click Submit.

    87e4bfa6-07dd-45c0-9b32-eefebc5053d7.png
    d7297636-5f27-4865-af7d-221988156413.png


Assigning the Application to the Users

In the final step, we will assign the relevant users to the application we have created. When this is done, these users will be able to onboard their devices to the UMS in their company network.

You can assign groups of users or single users.

  1. In your Okta application, select Assignments.

    6e42644b-1976-45c3-a101-d172b0819fd4.png


  2. Assign the users to our new application.

Using Ping as Federated Identity Provider

Setting Up an App Integration in Ping

For federating identities from Ping to Azure Active Directory (AAD), you must set up an application integration in your Ping tenant. For this purpose, we will create a SAML 2.0 application.

  1. Log in to your account at Ping, go to Connection > Applications, and then add an application.


  2. Enter an Application Name, select SAML Application as the application type, and then click Configure.


  3. In the SAML Configuration dialog, select Manually Enter and enter the following data:

    • ACS URLs: Enter https://login.microsoftonline.com/login.srf

    • Entity ID: Enter the prefix https://login.microsoftonline.com/ followed by the Azure Active Directory tenant ID. 


  4. Create the application.

  5. Edit/create the following attribute mappings:

    • Map saml_subject to User ID.

    • Create the identifier http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress and map it to Email Address.


  6. Finish the application setup.

Obtaining the SAML 2.0 Connection Data

In this step, we will get the connection data which will be used for creating an external identity that will be used for the IGEL Onboarding Service (OBS).

→ Open the settings for your application and select Configuration.
The relevant data is shown and can be copied to the clipboard.

78e77d9c-e3d7-4cc0-999f-81f355450105.png
78e77d9c-e3d7-4cc0-999f-81f355450105.png
78e77d9c-e3d7-4cc0-999f-81f355450105.png


Configuring Ping as Your Federated IdP

  1. Open the IGEL Customer Portal, log in to your admin account, and select Users > Bring your IdP.


  2. Enter the following data from your metadata file:

    • Issuer URI: The Issuer ID from the Ping Configuration page.

    • Passive authentication endpoint: The value of Single Signon Service from the Ping Configuration page.

    • Metadata URL: The IDP Metadata URL from the Ping Configuration page.

    • Domain name of federating IdP: Enter the domain name that is associated with your Ping account.




JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.