Note: If you set up an External Identity Provider, the Resource Owner Password Credentials authentication flow will not work.
To set up an External Identity Provider for a tenant in Vantage, follow these steps:
  1. Configure the External Identity Provider (see Configuring an OAuth 2.0 External Identity Provider or Configuring a SAML 2.0 External Identity Provider) and collect the external authentication parameters described in those sections.
  2. Test the configured external authentication before switching the tenant over to it.
  3. In ABBYY Vantage, click the Configuration tab in the left pane.
  4. Click Identity Provider and choose External Identity Provider.
  5. In the drop-down list, select the desired protocol (OAuth or SAML option).

Setting up an OAuth 2.0 External Identity Provider

Fill in the Identity Provider, Identity Provider URL, and Client ID fields. You can also specify the e-mail address domain(s) whose users will be associated with your tenant. To establish a secure connection with an External Identity Provider other than Active Directory or Azure Active Directory, a client secret may be required. If this is the case, select Other in the Identity Provider field and enter the secret in the Client Secret field.

Identity Provider: The type of Identity Provider used for sign-on authentication: Active Directory, Azure Active Directory, or Other (for providers that require a client secret).
Identity Provider URL: URL of the Identity Provider. For Azure Active Directory, the URL can be found in the Azure portal in the Endpoints section of the application you registered for authentication.
Client ID: Client identifier of the application registered with the Active Directory or Azure Active Directory Identity Provider.
Associated E-mail Domains: E-mail address domain(s) of the tenant users who should be able to log in to the tenant, even if they do not have a Vantage account yet. For more information, see Associated e-mail domains.

Setting up a SAML 2.0 External Identity Provider

Fill in the Federation Metadata Document URL field. You can also specify the e-mail address domain(s) whose users will be associated with your tenant.

Federation Metadata Document URL: URL of the SAML 2.0 federation metadata XML document published by the Active Directory or Azure Active Directory Identity Provider. This document contains the information Vantage needs to interact with the SAML-enabled Identity Provider.
Associated E-mail Domains: E-mail address domain(s) of the tenant users who should be able to log in to the tenant, even if they do not have a Vantage account yet. For more information, see Associated e-mail domains.
  6. Click Apply Changes.
Note: If you want to reset or revert to the Vantage Identity Provider, you can always select Vantage on this page and click Apply Changes. This works as long as your current session (access token) has not expired. Once it expires, you must authenticate through the configured External Identity Provider to regain access to the tenant; if that is not possible, contact your System Administrator.

Setting up a Default Role for New Users

You can configure a default role for users who are automatically created through an External Identity Provider. To set up a default role for new users in ABBYY Vantage, follow these steps:
  1. In ABBYY Vantage, click the Configuration tab in the left pane.
  2. Click Identity Provider and select External Identity Provider.
  3. In the drop-down list, locate Default Role for New Users.
  4. Select one or multiple roles to automatically assign to all newly created users for your tenant.
  5. Click Apply Changes.
Notes
  • The selected role(s) will automatically apply to all newly created users for your tenant.
  • For each selected role, the Allow all for current and further skills toggle is enabled by default. This gives new users access to all skills as a starting configuration. Administrators can modify these permissions at any time in the Users configuration screen.
  • To learn more about available roles and permissions, see Authentication using an External Identity Provider.

Configuring a SAML 2.0 External Identity Provider without an XML file URL

You can configure Vantage to use a SAML 2.0 External Identity Provider by copying the contents of your XML metadata file into the body of a Vantage API request. The XML file contains the information necessary for interacting with SAML-enabled Identity Providers; it is the same federation metadata document that the Federation Metadata Document URL field would otherwise point to. To configure a SAML 2.0 External Identity Provider via the Vantage API, do the following:
  1. Authenticate to the Vantage API and obtain an access token (see the Authentication documentation for details).
  2. Send a PUT request with the Authorization: Bearer <access token> header to https://<your-vantage-url>/api/adminapi2/v1/tenants/<tenantId>/external-providers/ with the following request body parameters:
kind: The protocol used. The value of the parameter is Saml2.
settings.Metadata: The contents of your XML metadata file, passed as a single JSON string (quotes and line breaks inside the XML must be JSON-escaped).
Sample request (the body is sent as JSON via --data-raw; the Content-Type header tells the API how to parse it):
curl --location --request PUT "https://<your-vantage-url>/api/adminapi2/v1/tenants/<tenantId>/external-providers/" \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  --data-raw '{
  "providerSettings": {
    "kind": "Saml2",
    "settings": {
      "Metadata": "<SAML XML file contents>"
    }
  }
}'
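The following is an added example, not ABBYY's code and not taken from this page, showing how a practitioner would run step 2 from a script instead of hand-pasting XML into a curl body: read the metadata file, check that it really is SAML 2.0 Identity Provider metadata, embed it as a JSON string and issue the PUT. Only the endpoint path, the Bearer header and the body shape (providerSettings, kind, settings.Metadata) come from the page. The Content-Type header, the metadata checks, the constructed SAMPLE_METADATA and the VANTAGE_URL, VANTAGE_TENANT_ID, VANTAGE_TOKEN and VANTAGE_METADATA_FILE environment variables are this example's own assumptions.

```python
"""Added example (not ABBYY's code): configure a SAML 2.0 External Identity
Provider through the Vantage Admin API from a script.

From the page: the PUT path, the Bearer header and the body shape
{"providerSettings": {"kind": "Saml2", "settings": {"Metadata": ...}}}.
Assumed by this example: the Content-Type header, the metadata checks,
the constructed SAMPLE_METADATA and the VANTAGE_* environment variables.
"""
import json
import os
import sys
import urllib.request
import xml.etree.ElementTree as ET

SAML_MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ENTITY_DESCRIPTOR = f"{{{SAML_MD_NS}}}EntityDescriptor"
IDP_SSO_DESCRIPTOR = f"{{{SAML_MD_NS}}}IDPSSODescriptor"

# Constructed sample for offline use; not real IdP metadata. Real metadata
# also carries a KeyDescriptor with the IdP's signing certificate, omitted here.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="https://idp.example.test/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://idp.example.test/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def validate_metadata(xml_text: str) -> str:
    """Check that xml_text is SAML 2.0 IdP metadata and return its entityID.

    Catches the usual mistakes before they reach the API: an HTML error page
    saved as .xml, a truncated download, or Service Provider metadata (an
    EntityDescriptor with no IDPSSODescriptor) pasted by accident.
    ElementTree's expat parser does not fetch external entities; for a file
    from an untrusted source, prefer defusedxml.
    """
    try:
        root = ET.fromstring(xml_text.encode("utf-8"))
    except ET.ParseError as exc:
        raise ValueError(f"metadata is not well-formed XML: {exc}") from exc
    if root.tag != ENTITY_DESCRIPTOR:
        raise ValueError(f"root element is {root.tag}, expected {ENTITY_DESCRIPTOR}")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("EntityDescriptor lacks an entityID attribute")
    if root.find(IDP_SSO_DESCRIPTOR) is None:
        raise ValueError("no IDPSSODescriptor: this is not Identity Provider metadata")
    return entity_id


def build_provider_settings(xml_text: str) -> dict:
    """Return the request body documented on the page (kind + settings.Metadata)."""
    validate_metadata(xml_text)
    return {"providerSettings": {"kind": "Saml2", "settings": {"Metadata": xml_text}}}


def build_put_request(base_url: str, tenant_id: str, token: str,
                      xml_text: str) -> urllib.request.Request:
    """Build the PUT to .../tenants/<tenantId>/external-providers/.

    json.dumps escapes the quotes and newlines inside the XML, so the whole
    file travels as one JSON string; pasting it raw into a curl body breaks
    on the first embedded double quote.
    """
    url = f"{base_url.rstrip('/')}/api/adminapi2/v1/tenants/{tenant_id}/external-providers/"
    body = json.dumps(build_provider_settings(xml_text)).encode("utf-8")
    req = urllib.request.Request(url, data=body, method="PUT")
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Content-Type", "application/json")  # assumption: API accepts JSON
    return req


def main() -> int:
    try:
        base_url = os.environ["VANTAGE_URL"]
        tenant_id = os.environ["VANTAGE_TENANT_ID"]
        token = os.environ["VANTAGE_TOKEN"]  # access token from the Authentication docs
        path = os.environ["VANTAGE_METADATA_FILE"]
    except KeyError as exc:
        print(f"missing environment variable {exc}", file=sys.stderr)
        return 2
    with open(path, encoding="utf-8") as fh:
        xml_text = fh.read()
    entity_id = validate_metadata(xml_text)
    req = build_put_request(base_url, tenant_id, token, xml_text)
    with urllib.request.urlopen(req) as resp:  # raises HTTPError on 4xx/5xx
        print(f"configured SAML IdP {entity_id} for tenant {tenant_id}: HTTP {resp.status}")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it as VANTAGE_URL=https://<your-vantage-url> VANTAGE_TENANT_ID=<tenantId> VANTAGE_TOKEN=<token> VANTAGE_METADATA_FILE=idp-metadata.xml python3 configure_saml.py. urllib raises HTTPError for non-2xx responses, so an expired token (401) or a rejected body (400) surfaces as an exception rather than a silent success, and the token is read from the environment rather than passed on the command line, where it would end up in shell history and process listings.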