Onboarding Process and Considerations
The Cloud Operations team installs OneStream IdentityServer and provides an External Identity Provider Request form to gather the configuration details required to set up external IdPs. To use OneStream IdentityServer, you must:
- Upgrade your OneStream Software environment to the latest version.
- Use OIDC or SAML 2.0 compliant external IdPs or OIS native authentication.
- Partner closely with OneStream Software and the Cloud Operations team to integrate your identity providers, manage user data, and run tests.
See About Environment Configuration and What to Expect.
About Environment Configuration
Work with the Cloud Operations team to configure your environment and ensure all requirements are met.
Each OneStream environment can be uniquely configured for an SSO identity provider (IdP), with OneStream IdentityServer being one option. As a best practice, development, test, and production environments should have consistent configurations to simplify maintenance and migrations. When you deploy the OneStream IdentityServer, the first IdP is configured, as shown below, to seamlessly support OneStream IdentityServer for authentication. The IdP is configured:
- As the same type.
- So the OIS IdP Display Name matches the existing External Authentication Provider label.
If the SSO IdP method differs between environments, ensure that the OIS IdP Display Name and the External Authentication Provider properties match. This ensures that you can migrate security between environments using the Load/Extract feature.
What to Expect
This section identifies what new and current customers can expect when adopting the OneStream IdentityServer.
New Customers
Cloud Operations installs OneStream IdentityServer and provides an External Identity Provider Request form that you complete to supply the configuration details required to set up IdPs for a OneStream environment. One of these properties is the OIS IdP Display Name, which:
- Is assigned as the external authentication provider to users created in OneStream.
- Dynamically determines the IdP with which users are associated. This determines the user login sequence. See The End User Experience.
Add identity providers in the Identity & Access Management Portal. See Identity Providers. Log a Support request if needed.
Existing Customers
When Cloud Operations converts an environment for OneStream IdentityServer:
- The current IdP is initially used as the first OneStream identity provider.
- Your environment is converted based on current legacy IdP configurations and current security settings.
You can authenticate users with OneStream IdentityServer when the OIS IdP Display Name matches the existing External Authentication Provider name. If these properties do not match, modify each user account to assign the appropriate IdP.
Work with the Cloud Operations team to ensure each identity provider has been migrated.
To use another external IdP, add an identity provider in the Identity & Access Management Portal. See Identity Providers. Log a Support request if needed. You can also request to revert to your original configurations if needed.
If there are multiple identity providers with the same name in the External Authentication Provider drop-down menu, contact Support to remove the current legacy identity provider.