Deleting SAML2 in "Identity and Authentication"

Hello,

In the user configuration, the authentication provider for all the users is set as "SAML2".
My client and I were wondering how it might affect users if we delete SAML2 in "Appliance Management -> Safeguard Access -> Identity and Authentication".
SAML2 is set as "External configuration" and we also have Active Directory.
Would their authentication provider swap automatically to Active Directory credentials?

Thank you

  • Is it possible to change "External federation", which appears on the login page, and for example set it to "Azure" or "SAML2"?
    In "Appliance Management -> Safeguard Access -> Identity and Authentication" it's apparently not possible to change it.
    Thank you

  • Hi,

    No, the authentication provider must be updated on the Users level separately before you can delete the other external federation provider.

    Thanks!

  • Currently there is no option to rename the label in the drop-down, but you could set an option via the Core API to ForceAsDefault one of the authentication providers, for example:

    Login to the SPP Core API:
    https://<safeguard>/service/core/swagger

    - Expand the AuthenticationProviders endpoint
    - Find the ID for the Authentication Provider
    GET /v4/AuthenticationProviders > Gets a queryable list of authentication providers

    - Set the Authentication provider ID for your AD login for example as default:
    POST /v4/AuthenticationProviders/{id}/ForceAsDefault

    The description from Swagger Core API below might get you closer to a seamless login:

    ---

    When ForceAsDefault is set to {true} on a provider, the login page will not display a drop down list of all available providers. Instead, the end user will be defaulted in to using the specified provider. Only one provider can be marked as the default at a time. When updating the specified provider, any previously set default will be cleared.

    If a default provider is set and you need to log in using some other provider, like the Safeguard Local provider in order to log in as a local administrator user, a query string parameter can be appended to the login page URL, 'primaryProviderID', where the value is set to the 'RstsProviderId' you need. For example, "https://<safeguard>/RSTS/Login?response_type=token&redirect_uri=https%3A%2F%2F<safeguard>%2F&primaryProviderID=local". You cannot set a provider that is used for two-factor authentication as the default.

    This functionality is only applicable to web browser based logins, not programmatic API/OAuth2 logins.

    ---

    Thanks!
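
The steps in the reply above can be planned offline before anything is changed. The following is an added example, not part of the original post and not One Identity code: it picks the provider from a saved GET /v4/AuthenticationProviders response, builds the ForceAsDefault call, and builds the fallback login URL a local administrator will need afterwards. The host name, the sample records and the "Id"/"Name" field names are assumptions; "RstsProviderId" and "ForceAsDefault" are the names used in the Swagger text.

```python
import json
from urllib.parse import quote

# Constructed sample of a GET /v4/AuthenticationProviders response.
# "Id" and "Name" are assumed field names; "RstsProviderId" and
# "ForceAsDefault" are the names used in the Swagger description above.
SAMPLE_PROVIDERS = json.loads("""[
  {"Id": -1, "Name": "Local", "RstsProviderId": "local", "ForceAsDefault": false},
  {"Id": 12, "Name": "corp.example.com", "RstsProviderId": "ad12", "ForceAsDefault": false},
  {"Id": 15, "Name": "SAML2", "RstsProviderId": "extf15", "ForceAsDefault": true}
]""")

def login_url(host, rsts_provider_id):
    """Login page URL that selects a provider explicitly, per the Swagger text."""
    redirect = quote(f"https://{host}/", safe="")
    return (f"https://{host}/RSTS/Login?response_type=token"
            f"&redirect_uri={redirect}"
            f"&primaryProviderID={quote(rsts_provider_id, safe='')}")

def plan_force_default(host, providers, target_name):
    """Work out the ForceAsDefault call and its side effects without sending it."""
    matches = [p for p in providers if p["Name"].lower() == target_name.lower()]
    if len(matches) != 1:
        raise ValueError(
            f"expected exactly one provider named {target_name!r}, found {len(matches)}")
    target = matches[0]
    # Only one provider can be the default; setting a new one clears the old.
    cleared = [p["Name"] for p in providers
               if p["ForceAsDefault"] and p["Id"] != target["Id"]]
    base = f"https://{host}/service/core/v4/AuthenticationProviders"
    return {
        "already_default": target["ForceAsDefault"],
        "request": ("POST", f"{base}/{target['Id']}/ForceAsDefault"),
        "default_cleared_on": cleared,
        # Keep this URL on hand: with a forced default the drop-down is hidden.
        "local_admin_login": login_url(host, "local"),
    }

if __name__ == "__main__":
    plan = plan_force_default("safeguard.example.com", SAMPLE_PROVIDERS,
                              "corp.example.com")
    print(json.dumps(plan, indent=2))
```
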

  • Hello,

    Thank you for your replies.

    So it's not possible to launch an API in order to change the authentication provider for all the users?

    Thank you

  • If the users were pulled from a Directory User group, then you can set the authentication provider at the group level and then use the API call to sync the updated authentication provider to the member users.

    Here is a KB reference:
    https://support.oneidentity.com/one-identity-safeguard-for-privileged-passwords/kb/4371032/how-to-change-authentication-settings-on-existing-safeguard-users

    Thanks!