New Identity Provider - kmd-identity/documentation GitHub Wiki

If you represent a KMD Product (see: Who can use KMD Identity?) and would like to use KMD Identity to federate with an Identity Provider (IdP) that is not currently in the list of IdPs, an integration (aka "trust") needs to be established between KMD Identity and the IdP before it can be enabled for any of the applications you have registered with KMD Identity.

Standard process to establish an integration to a customer IdP

Prerequisites: The Customer wants to use their own IdP to log into a KMD Product via KMD Identity. The IdP must support the SAML 2.0 protocol.

  1. The KMD Product sends the Documentation for IDPs document to their customer. It describes the technical requirements and what the customer needs to do if they accept those requirements.

Note: If the KMD Product wants to receive claims beyond the default set described in that document, they must communicate that requirement to their customer as well.

  2. The KMD Product sends an email to [email protected] stating:
  • Name of the customer.
  • Type of integration:
    • Standard (standard claims, and any KMD Product may use it).
    • Product-specific (the KMD Product that requested the integration decides who gets to use it and decides together with the Customer which claims are issued).
  3. The Customer sends an email with a link to the metadata endpoint of their IdP to the [email protected] mailbox.

  4. KMD Identity uses the metadata link to configure a trust from KMD Identity to the customer's IdP.

  5. KMD Identity replies to the customer's email with a link to a KMD Identity metadata endpoint that they must use to set up the trust from their IdP to KMD Identity. The email also includes guidance on how the customer can test the integration using our test applications and a request to send us the results of the test.

  6. The Customer registers a trust in their IdP to KMD Identity using the metadata link from the previous step. If the customer has questions or encounters an issue while setting up the trust, KMD Identity will assist them.

  7. The Customer performs a test by logging into one of the test applications using the new integration and sends the test results to [email protected].

  8. KMD Identity verifies the results of the test:

  • If the results indicate an issue: KMD Identity assists the customer in fixing the issue.
  • If the results indicate success: KMD Identity adds the IdP to the list of IdPs and reports back to the KMD Product and the customer that the integration is now ready for use.
  9. The KMD Product can then request to have the IdP enabled for any of the applications they have registered with KMD Identity.

Establishing an integration to a KMD Product IdP

If a KMD Product has its own IdP (for example, an Azure AD with test user identities) and would like to use it via KMD Identity, this can be arranged as well.

Follow the standard process for customers above, with the KMD Product also performing the role of the customer. In this case, communication may optionally go through direct contact with KMD Identity rather than the mailbox.

Establishing an integration to a non-customer IdP

There is no standard process to establish integrations to IdPs that are not owned by a customer, such as social media platforms or the national "eID" of a foreign nation. If a KMD Product would like KMD Identity to establish such an integration, please contact us with information about the IdP.

Do note that the KMD Product that needs such an integration will be expected to perform the contractual work required to use the IdP and to cover any expenses billed by the IdP. KMD Identity will only perform the technical work required to create the integration between KMD Identity and the IdP.

Feedback

If you have suggestions on how we can improve these processes, we welcome your feedback and would like to hear from you.