For onboarding your users and devices, IGEL Cloud Services need to know your UMS and your users. The UMS is identified and authenticated by its fully qualified domain name (FQDN) or IP address and its root certificate. The users are authenticated by an external identity provider (IdP). For that, we use the OpenID standard to obtain user information and the standardised OAuth 2.0 authorisation protocol. Please follow our instructions to register the OBS as an app in your Microsoft Entra ID, Ping Identity, Okta or other IdP.

If you want to register your remote IGEL OS 12 devices via the IGEL Onboarding Service and you use the IGEL Cloud Gateway (ICG), connect the IGEL Onboarding Service to the ICG rather than to the UMS. ICG version 12.01 or higher is required.

The Onboarding Service is configured in the following steps:

  1. Activating the Onboarding Service (OBS)

  2. Configuring the Identity Provider

  3. Downloading the Root Certificate Chain of the UMS / ICG: The root certificate chain is needed for defining the route to the appropriate UMS / ICG. 

  4. Creating the Record Set for the OBS Routing: Define the route to the appropriate UMS / ICG. This includes linking our Microsoft Entra ID user to the UMS / ICG.

Activating the Onboarding Service (OBS)

The Onboarding Service (OBS) must be activated once, by one person from the company account. Once activated, the OBS can be managed by every user with the appropriate role.

  1. Log in to the IGEL Customer Portal.

  2. From the menu, select Activate IGEL OS Onboarding.

Configuring the Identity Provider

For the instructions on how to register the OBS as an app in your Microsoft Entra ID, Ping Identity, or Okta, see:

Downloading the Root Certificate Chain

If your UMS is connected directly to your endpoint devices, download the certificate chain of the UMS; see Of the UMS. If your UMS is connected via the ICG, download the certificate chain of the ICG; see Of the ICG.

Of the UMS

  1. Open the UMS Web App of the UMS to which the OBS routing will be directed, select Network and click .

  2. Select the tab IGEL OS Onboarding and copy UMS Hostname and UMS Port.

  3. Click Download Certificate Chain.

    The certificate file is downloaded to your file system. In the following step, we will use it for the OBS routing. 

Of the ICG (Required Only If the OBS Is Used with the ICG)

  1. In the UMS Web App > Network, navigate to the IGEL Cloud Gateway area and select the ICG server to which you want to connect the OBS.

    If you have multiple ICG servers, it is possible to direct the OBS routing to one server only.

  2. Copy the data from the fields External Address and External Port.

  3. In the UMS Console, go to UMS Administration > Global Configuration > Certificate Management > Cloud Gateway.

  4. Export each certificate of the ICG's chain except for the end certificate: Right-click the certificate and select Export certificate in the context menu.

  5. Copy the contents of each exported certificate into one file (the order of the certificates does not matter) and save the file as icg_chain.crt.
    The resulting file consists of the exported PEM blocks one after another, each running from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----.
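Assembling icg_chain.crt can be scripted and checked rather than done by hand. The following Python script is an added example and not IGEL's own tooling: it reads the exported PEM files, keeps only the CA certificates (the end certificate is dropped by checking which subjects issue another certificate in the set, using a minimal DER reader), de-duplicates, and writes icg_chain.crt. The output file name is the one from the step above; the input file contents are assumed to be PEM text.

```python
import base64, re
from pathlib import Path

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def tlv(buf, pos=0):
    """Minimal DER reader: (tag, value_start, value_end) of the element at pos."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                   # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + ln

def issuer_subject(der):
    """Return the raw DER issuer and subject Names of an X.509 certificate."""
    _, p, _ = tlv(der)                              # Certificate ::= SEQUENCE
    _, p, _ = tlv(der, p)                           # tbsCertificate ::= SEQUENCE
    if der[p] == 0xA0:                              # optional [0] EXPLICIT version
        p = tlv(der, p)[2]
    p = tlv(der, p)[2]                              # serialNumber
    p = tlv(der, p)[2]                              # signature AlgorithmIdentifier
    issuer_start, p = p, tlv(der, p)[2]             # issuer Name
    validity_end = tlv(der, p)[2]                   # validity
    subject_end = tlv(der, validity_end)[2]         # subject Name
    return der[issuer_start:p], der[validity_end:subject_end]

def build_chain(pem_texts):
    """Collect unique certificates and drop the end (server) certificate: a certificate
    is kept only if its subject issues some certificate in the set (a root issues itself)."""
    certs = {}
    for text in pem_texts:
        for b64 in PEM_RE.findall(text):
            der = base64.b64decode("".join(b64.split()), validate=True)
            if der[:1] != b"\x30":
                raise ValueError("PEM block is not a DER-encoded certificate")
            certs[der] = issuer_subject(der)        # keyed by bytes: de-duplicates
    issuers = {iss for iss, _ in certs.values()}
    return [der for der, (_, sub) in certs.items() if sub in issuers]

def to_pem(der):
    """Encode one certificate as a PEM block with 64-character base64 lines."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def write_chain(pem_texts, path="icg_chain.crt"):
    """Write the CA-only chain to path and return the number of certificates written."""
    chain = build_chain(pem_texts)
    Path(path).write_text("".join(to_pem(der) for der in chain))
    return len(chain)
```

Call write_chain([Path(f).read_text() for f in exported_files]) with the files exported in step 4; the return value should equal the number of CA certificates in the ICG's chain.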

Creating the Record Set for the OBS Routing

  1. Change to the IGEL Customer Portal and select Configure Services > IGEL OS Onboarding.

  2. Click Register IGEL OS Onboarding to create a new routing data record.

  3. Enter the following data:
    • Display Name: Display name for the UMS to which our user's device will be routed.
    • UMS Hostname: Hostname (Fully Qualified Domain Name) or IP address of the UMS; this is the hostname or IP address by which the UMS can be reached by the endpoint devices.
      If your endpoint devices are connected via the ICG, use the External Address of the ICG as described above.

      UMS Hostname is case-sensitive and should be written exactly as in the UMS.

    • UMS Port: Port under which the UMS can be reached. The default port of the UMS web server is 8443. For details on the ports used by the UMS, see IGEL UMS Communication Ports.
      If your endpoint devices are connected via the ICG, use the External Port of the ICG as described above.

  4. Proceed by adding individual users or one or more domains that include all e-mail addresses of these domains.
    • To add an individual user, click Add in the area Mapped Users.

    • To add a domain, click Add in the area Mapped Domains.

  5. In the dialog, enter the e-mail address of the user we have created in Microsoft Entra ID or the relevant domain and click Add.

  6. Click Required - Upload to upload the UMS root certificate chain.
    If you want to use the OBS with the ICG, use the file icg_chain.crt that you obtained as described above.

  7. Choose the certificate file on your file system.
    The certificate file is uploaded.

  8. Click Submit to create the OBS routing data record.

    After a few seconds, the new data record is ready. 

  9. If you want to review the record or make changes, click anywhere in the record.

    The details are displayed.

    You can update the certificate and update/add associated e-mails.

    The user can now be onboarded. The onboarding process from the user's view is described under Onboarding IGEL OS 12 Devices.
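The UMS Hostname, UMS Port and certificate chain entered in the record are exactly what the device uses for its TLS connection, so the triple can be checked from the network the endpoint devices sit in. The following Python script is an added example and not part of IGEL's software: it performs the handshake the device will perform, trusting only the chain file that was uploaded; the hostname, port and file name passed to it are assumptions.

```python
import socket
import ssl

def check_routing_target(hostname, port, chain_file, timeout=5.0):
    """Connect to hostname:port over TLS, trusting only the certificates in chain_file,
    and report the outcome as the onboarding client would see it:
    "unreachable", "untrusted-chain", "hostname-mismatch" or "ok"."""
    try:
        raw = socket.create_connection((hostname, int(port)), timeout=timeout)
    except OSError:
        return "unreachable"                  # wrong host/port, DNS, or firewall
    ctx = ssl.create_default_context(cafile=chain_file)   # trust only the uploaded chain
    ctx.check_hostname = True                 # the record's hostname must match the cert
    ctx.verify_mode = ssl.CERT_REQUIRED
    try:
        with raw, ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            tls.getpeercert()                 # handshake completed: chain verified
            return "ok"
    except ssl.SSLCertVerificationError as err:
        # Heuristic on Python's message: "Hostname mismatch" / "IP address mismatch"
        # versus chain errors such as "unable to get local issuer certificate".
        return "hostname-mismatch" if "match" in str(err).lower() else "untrusted-chain"
    except (ssl.SSLError, OSError):
        return "unreachable"
```

A result of "hostname-mismatch" usually means the UMS Hostname was typed differently from the name in the UMS certificate; "untrusted-chain" means the uploaded file does not contain the CA that issued the server certificate.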