Authentication for Identity Providers (IdP)

Calyx RIM supports authentication of users in the system when they are spread across multiple Identity Providers (IdP).

Consider the following when using a multiple IdP configured system:
  • Calyx RIM can be configured as a multiple IdP system only when SSO is enabled.
  • Multiple IdP support is possible when users are spread across the following combination of IdPs. One IdP is configured in the var/configuration file and a client IdP is in Security Administration in Calyx RIM:
    • Azure AD and Azure AD (two similar active directories)
    • Azure AD and Okta (two distinct active directories)
    • Azure AD and PingOne (two distinct active directories)
  • Only one IdP can be configured in the configuration file.
  • In a multiple IdP configured system, there can only be one Default Admin User in the Calyx RIM configuration file that is authenticated against the IdP in the configuration file.
  • In a multiple IdP configured system, Parexel support personnel and the Default Admin User exist in the IdP configured in the var/configuration file.
  • Calyx RIM provides the ability to add additional IdPs from the Calyx RIM Security Administration page.
  • The Identity Providers link becomes available on the Security Administration page only when Calyx RIM is configured as a multiple IdP system.
  • There can be only one active IdP in Calyx RIM Security Administration. To add another IdP using the Identity Providers link, the active IdP must be disabled.
  • Any user with the role of Security Administrator can add/activate/deactivate an IdP in the Security Administration section in Calyx RIM.
  • When adding an IdP from the Security Administration page, the server must be restarted for it to recognize the newly added IdP.
  • The Default Admin user provisions the Secondary Admin user (client user with the role of Security Administration) from the Security Administration page.
  • The Default Admin user can provision the Secondary Admin user from the client IdP only when there is an active IdP present in the Calyx RIM system.
  • The Default Admin user can also provision a Security Admin (Parexel Personnel) user from the IdP configured in the insight.var file.
  • As a multiple IdP configured system, Calyx RIM authenticates all secondary admin/general users against the active IdP in the Calyx RIM Security Administration section. If the Secondary Admin has not been provisioned by the Default Admin user, then the login attempt will fail.
  • In a multiple IdP configured system, if all the named user licenses are in use, the Login page displays the following error message: "All named user licenses are in use. Please contact Parexel support personnel for the additional licenses".
    Note: The license does not limit the login attempts for the IdP configured in your insight.var file and for the default admin users.
  • If a user reaches the device limit per named user and then opens a new session on another device, the sessions on the device with the oldest session are terminated when that user performs any action in a new session.
  • If the maximum number of sessions allowed per user is reached by a user, and that user opens a new session, the oldest session is terminated.
    Note:
    • Session/Device limitations are effective only when the enable.user.session.limit is set to True.
    • In a multiple IdP configured system, session/device limitations do not affect the IdP configured in the insight.var file and the Default Admin user.
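
The session and device limits described above, modelled as an added example to show which sessions are terminated; this is not Calyx RIM code. The Session type, the max_devices and max_sessions parameters, the order in which the two rules are applied, and the sample sessions are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    sid: str
    device: str
    started: int  # constructed timestamp; lower means older


def sessions_to_terminate(active, new, max_devices, max_sessions,
                          limit_enabled=True, exempt=False):
    """Return ids of sessions ended once `new` performs its first action.

    active: the user's existing sessions; new: the session just opened.
    limit_enabled: value of enable.user.session.limit.
    exempt: True for the Default Admin user or a user of the IdP in insight.var.
    """
    if not limit_enabled or exempt:
        return []
    remaining = sorted(active, key=lambda s: s.started)
    terminated = []
    devices = {s.device for s in remaining}
    # Device rule: limit reached and the new session is on another device,
    # so every session on the device holding the oldest session ends.
    if remaining and len(devices) >= max_devices and new.device not in devices:
        oldest_device = remaining[0].device
        terminated += [s.sid for s in remaining if s.device == oldest_device]
        remaining = [s for s in remaining if s.device != oldest_device]
    # Session rule: maximum reached, so the oldest remaining session ends.
    while remaining and len(remaining) >= max_sessions:
        terminated.append(remaining.pop(0).sid)
    return terminated


# Constructed sample: two sessions on a laptop, one on a phone.
SAMPLE = [Session("s1", "laptop", 1), Session("s2", "laptop", 2),
          Session("s3", "phone", 3)]

if __name__ == "__main__":
    tablet = Session("s4", "tablet", 4)
    print(sessions_to_terminate(SAMPLE, tablet, max_devices=2, max_sessions=5))
```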