OT2 Admin Center · 2021. 6. 23. · If you are using Azure Active Directory, you can synchronize...

OT2 Admin Center Tenant Administrator Guide

Contents

1 OpenText™ OT2 Tenant Admin..........................................................................4

2 Getting started..............................................................................................................4

2.1 Managing your tenants and subscriptions..........................................................42.2 Understanding the tenant and subscription administrator roles.................42.3 Assigning users to subscriptions...........................................................................5

2.3.1 Assigningsubscriptionsthroughauto-provisioning..................................52.3.2 Assigningsubscriptionsthroughuserandgroupsynchronization........52.3.3 Invitinguserstosubscriptions........................................................................6

2.4 Browsing to the tenant and subscription levels.................................................62.5 Preparing to set up your tenant and manage subscriptions..........................6

2.5.1 Understandingauthenticationschemes......................................................72.5.2 Preparingtoconnectappstoon-premisesapplications

andservices.......................................................................................................92.5.3 Choosingatenantandsubscriptionadministratorsfor

yourtenant.......................................................................................................... 102.6 Sample workflow: setting up your tenant and managing subscriptions.... 10

2.6.1 Tosetupyourtenantandmanagesubscriptionsforthefirsttime:...... 102.7 Opening subscriptions and apps from the

My Apps page.............................................................................................................. 112.7.1 ToopensubscriptionsandappsfromtheMyAppspage:....................... 11

3 Configuring authentication settings............................................................12

3.1 Configuring an authentication scheme for your tenant.................................. 123.1.1 Toconfigureanauthenticationschemeforyourtenant:......................... 12

3.2 Creating and managing partitions......................................................................... 133.2.1 Creatingandconfiguringapartition............................................................. 143.2.2 Viewingpartitiondetails.................................................................................. 173.2.3 Viewingpartitionusersandgroups............................................................... 173.2.4 Removingasubscriptionfromapartitionyoucreated............................. 183.2.5 Deletinganauthenticationschemefromapartitionyoucreated.......... 193.2.6 Deletingapartitionyoucreated..................................................................... 193.2.7 ManagingtheNativepartition........................................................................ 19

3.3 Setting up SSO with an identity provider.............................................................233.3.1 Settingupauto-provisioning...........................................................................233.3.2 SynchronizingAzureActiveDirectoryusersandgroups

withAdminCenter...........................................................................................233.4 Setting up the Tunnel Agent....................................................................................303.5 Generating client credentials....................................................................................30

3.5.1 GeneratingclientcredentialsfortheTunnelAgent...................................313.5.2 GeneratingclientcredentialsforAzureActiveDirectory.........................323.5.3 Changingtheexpiryperiodsorpartitionforaccesstokens....................333.5.4 Regeneratingaclientsecretvalue................................................................33

4 Configuring connection settings....................................................................34

4.1 Configuring repository connection settings.......................................................344.1.1 Toconfigureconnectionsettingsforarepositoryother

thanDocumentum:............................................................................................344.1.2 ToconfigureconnectionsettingsforaDocumentumrepository:..........35

5 Managing your tenant..............................................................................................35

5.1 Managing subscriptions...........................................................................................355.1.1 ToopentheSubscriptionspage:...................................................................35

5.2 Customizing Admin Center emails........................................................................365.2.1 Customizingtheimagedisplayedinemails.................................................365.2.2 Customizingthereplyaddressandsendernameinemails....................36

5.3 Viewing tenant details...............................................................................................37

6 Managing users and groups...............................................................................38

6.1 Adding and removing tenant administrators......................................................386.1.1 Addingatenantadministrator........................................................................386.1.2 Resendingemailinvitations.............................................................................396.1.3 Removingatenantadministrator...................................................................39

6.2 Managing tenant users...............................................................................................396.2.1 Viewinguserinformation.................................................................................406.2.2 Disablingandenablinguseraccounts..........................................................406.2.3 Unlockinguseraccounts.................................................................................416.2.4 Resettingusertwo-factorauthenticationsettings....................................416.2.5 Movinguserstoadifferentpartition.............................................................42

6.3 Understanding the Tenant column on the Tenant admins

and Tenant users pages...........................................................................................436.4 Understanding tenant groups.................................................................................44

6.4.1 Creatingatenantgroupmanually.................................................................446.4.2 Editingthenameanddescriptionofamanually

createdtenantgroup........................................................................................466.4.3 Deletingamanuallycreatedtenantgroup...................................................46

OT2 Admin Tenant Administrator Guide

1 OpenText™ OT2 Tenant AdminOT2AdminCenterprovidesTenantAdministratorsaunifiedinterfacetosupporttheintuitivecontrolofapplications,subscriptions,usersandtheiraccess.InOT2AdminCenter,youcanconfiguresettingsatthetenantandthesubscriptionlevel.Tenantadministratorsmustbesetupbeforemanagingsubscriptionsatasubscriptionadministratorlevel.

ThisguideprovidesanoverviewofhowtenantadministratorscanuseOT2AdminCentertosetupyourtenantandmanageandconfiguresettingsforOT2applicationsubscriptions.Youcanaddtenantadministratorsandcreateoneormoretenantgroupstomanageusers.Youcanalsomanagesubscriptionsettingsforappsinyourtenantandassignsubscriptionstousers.

2 Getting started

2.1 Managing your tenants and subscriptions

YourAdminCentertenantcontainsalloftheOT2appsubscriptionsthatyoucanassigntousersinyourorganization.Eachsubscriptionspecifiesusagedetailsforanapp,forexample,thelengthoftimeusersarepermittedtouseanapp,themaximumnumberofuserswhocansubscribetothatapp,andothersubscriptiondetailsconfiguredbyyourOpenTextAccountExecutive.

InAdminCenter,youcanconfiguresettingsattwolevels:thetenantlevelandthesubscriptionlevel.Atthetenantlevel,youcanconfigureauthenticationsettings,repositoryconnectionsettings,andothersettingsthatarecommontomultipleappsonyourtenant.Atthesubscriptionlevel,youcaninviteuserstosubscribetoapps,connectappstoexternalrepositoriesandservices,andconfigureothersubscription-specificsettings.

Youmustsetupyourtenantbeforeyoumanagesubscriptions.

2.2 Understanding the tenant and subscription administrator roles

InAdminCenter,twotypesofadministratorrolesareavailable:tenantadministratorsandsubscriptionadministrators.

TenantadministratorscanperformthefollowingtasksinAdminCenter:

•Manageallofthesubscriptionsonatenant.

•Configuresettingsthatarecommontoallsubscriptionsonatenant,forexample,connectionsettings.

4Needmorehelp?VisittheOT2AdminCenterforum

https://forums.opentext.com/forums/support/categories/admin-center


5

SubscriptionadministratorscanmanageonlythesubscriptionsthatatenantadministratororanothersubscriptionadministratorhasmadeavailabletotheminAdminCenter.

AtenantadministratormustsetupanAdminCentertenantbeforesubscriptionadministratorscanmanagesubscriptions.

Tenantadministratorscanaddanynumberoftenantandsubscriptionadministratorstoatenant.Subscriptionadministratorscanalsoaddanynumberofsubscriptionadministratorstosubscriptions.

2.3 Assigning users to subscriptions

Youcanassignsubscriptionstousersinthefollowingways:

•Bysettingupauto-provisioning.

•BysynchronizinguserandgroupinformationbetweenMicrosoftAzureActiveDirectoryandAdminCenter.

•Byinvitinguserstosubscriptions.

2.3.1 Assigning subscriptions through auto-provisioning

Youcansetupauto-provisioningifyouareusinganexternalusersource,suchasMicrosoftAzureActiveDirectory,toauthenticateusersonyourAdminCentertenant.Ifyousetupauto-provisioning,usersareaddedtoyourtenantandassignedtosubscriptionsaftertheysignintotheOT2platformusingtheircredentialsfromtheusersource.

Formoreinformation,seeSetting up SSO with an identity provider.

2.3.2 Assigning subscriptions through user and group synchronization

IfyouareusingAzureActiveDirectory,youcansynchronizeuserandgroupinformationbetweenAzureActiveDirectoryandyourAdminCentertenant.Inthiscase,AzureActiveDirectoryautomaticallyrunsaprocessatregularintervalstotransferuserandgroupinformationfromyouridentityprovidertoyourAdminCentertenant.Usersandgroupsfromtheidentityproviderarethenaddedtoyourtenantandassignedtosubscriptionsautomaticallyduringthesynchronizationprocess.

Formoreinformation,seeSetting up SSO with an identity provider.

Needmorehelp?VisittheOT2AdminCenterforum



6

2.3.3 Inviting users to subscriptions

Ifyouchoosenottosetupauto-provisioningoruserandgroupsynchronization,asubscriptionadministratormustinviteuserstosubscriptionsinAdminCenter.

Inthiscase,AdminCenterautomaticallysendsanemailinvitationtoeachuserwhohasbeeninvitedtoasubscription.UserscanthenclickalinkinthatemailtocreateaccountcredentialsontheOT2platform,jointhesubscription,andaccesstheappuntilthesubscriptionexpires.

2.4 Browsing to the tenant and subscription levels

Bydefault,afteryousign-intoAdminCenterasatenantadministrator,theTenant detailspageisopenedandthelinksonthenavigationmenupointtopagesthatletyouconfiguretenantsettings.

Tobrowsetothesubscriptionlevel,clickSubscriptionsonthenavigationmenuandthenclickanyofthesubscriptionsinthesubscriptionslist.Whenyouclickasubscription,thesubscription’sDetailspageisopenedanddifferentlinksappearonthenavigationmenu.Theselinkspointtopagesthatletyouconfiguresettingsforthesubscriptionyouopened.

Tobrowsetothetenantlevelagain,clickthenameofyourtenantinthebreadcrumbtrail.

Tip

FormoreinformationabouttheTenant detailsandSubscriptionspages,seeViewing tenant detailsandManaging subscriptions.

2.5 Preparing to set up your tenant and manage subscriptions

BeforesettingupyourtenantandmanagingsubscriptionsinAdminCenter,youmustcompletethefollowingtasks:

1. Determinewhichauthenticationschemeorschemestoconfigureonyourtenant.Formoreinformation,seeUnderstanding authentication schemes.

2. Confirmthatyoursystemadministratorhasinstalledandconfiguredalloftheon-premisesapplicationsandservicesthatyourappswilluse.Formoreinformation,seePreparing to connect apps to on-premises applications and services.

3. Choosewhetheryouwanttoassigntenantandsubscriptionadministratorrolestousers.Formoreinformation,seeChoosing tenant and subscription administrators for your tenant.




7

Aftercompletingthesetasks,youcansetupyourtenantandmanagesubscriptionsinAdminCenter.Formoreinformation,seeSample workflow: setting up your tenant and managing subscriptions.

2.5.1 Understanding authentication schemes

AnauthenticationschemespecifieshowusersareauthenticatedwhentheyuseOT2apps.InAdminCenter,youmustconfiguretheauthenticationschemesthatarerequiredfortheappsonyourtenant.

Thefollowingauthenticationschemesareavailable:

Native EnablesyoutouseOpenText™DirectoryServices(OTDS)toauthenticateusers.ThisauthenticationschemeletsyouinviteuserstosubscriptionsmanuallyinAdminCenter.

Hybrid Enablesyoutouseanon-premisesusersource,suchasActiveDirectory,toauthenticateusers.Youcanusethisauthenticationschemeifyouwanttouseacontentrepositorydirectory,suchasOpenText™Documentum™Server,toauthenticateusers.

Thisauthenticationschemeletsyousetupauto-provisioningtoassignuserstosubscriptionsautomatically.

Formoreinformationabouthybridauthentication,seeOpenTextOT2HybridAuthenticationUserGuideonOpenTextMySupport.

SAML EnablesyoutouseaSecurityAssertionMarkupLanguage(SAML)identityprovidertoauthenticateusers.Youcanusethisauthenticationschemeif,forexample,youwanttoconfiguresinglesign-on(SSO)usingaSAMLauthenticationhandler.

Thisauthenticationschemeletsyousetupauto-provisioningtoassignuserstosubscriptionsautomatically.

FormoreinformationaboutconfiguringSAMLauthentication,seethedocumentationforyouridentityprovider.


https://knowledge.opentext.com/knowledge/cs.dll/fetch/2001/3551166/18207649/70481288/OT2_Hybrid_Authentication_User_Guide.pdf?nodeid=78054549&vernum=-2

https://knowledge.opentext.com/knowledge/cs.dll/fetch/2001/3551166/18207649/70481288/OT2_Hybrid_Authentication_User_Guide.pdf?nodeid=78054549&vernum=-2

https://support.opentext.com /



8

SCIM and SAML

EnablesyoutouseanidentityproviderthatsupportstheSystemforCross-domainIdentityManagement(SCIM)protocol,forexample,AzureActiveDirectory.Toauthenticateusers,youmustalsoconfigureSAMLauthenticationonyouridentityprovider.

Whenyouusethisauthenticationscheme,usersandgroupsarefirstsynchronizedbetweentheidentityproviderandyourAdminCentertenantovertheSCIMprotocol.Theuserswhoareaddedtothetenantareassignedtosubscriptionsautomatically.

Toaccessapps,userscanprovidetheiridentityprovidercredentialstosignintotheOT2platform.UsersarethenauthenticatedwiththeidentityproviderthroughSAML.

Salesforce EnablesyoutouseSalesforcetoauthenticateusers.Ifyouwanttousethisauthenticationscheme,yoursystemadministratormustintegrateSalesforcewiththeOT2EntitlementandTenantservice,createauserpartitioninOTDStosynchronizeSalesforceaccounts,andenableSSOinSalesforce.

Note

ThisauthenticationschemeisavailableonlyifyourtenanthasanAuthentication schemespage.

Eachappsupportsoneormorespecificauthenticationschemes.Todeterminewhichauthenticationschemesyouneedtoconfigureforeachapp,seetheapp-specificdocumentationonOpenTextMySupport.

InAdminCenter,youcanconfigureoneormoreauthenticationschemesbasedonthetypeoftenantthatyourOpenTextAccountExecutivehasconfiguredforyourorganization.TherearetwotypesoftenantsinAdminCenter

•TenantsthathaveanAuthenticationschemespage.

•TenantsthathaveanAuthpartitionspage.

Tip

Thelinksonthenavigationmenuindicatewhichtypeoftenantyouhave.IfanAuthentication schemes linkappearsonthenavigationmenu,yourtenanthasanAuthentication schemespage.IfanAuth Partitionslinkappearsonthenavigationmenu,yourtenanthasanAuth partitionspage.





9

2.5.1.1 Tenants that have an Authentication schemes page

IfyourtenanthasanAuthentication schemespage,youcanconfigureonlyoneauthenticationschemeonyourtenantatatimeandalloftheappsonyourtenantmustusethesameauthenticationscheme.Inthiscase,thetenantusesthenativeauthenticationschemebydefault;however,youcanchangeittothehybrid,SAML,orSalesforceauthenticationschemeasneeded.

2.5.1.2 Tenants that have an Auth partitions page

IfyourtenanthasanAuth partitionspage,youcancreatepartitionstoconfiguremultipleauthenticationschemesonyourtenant.

Forexample,ifsomeoftheappsonyourtenantrequirethehybridauthenticationschemeandotherappsrequiretheSAMLauthenticationscheme,youcancreateonepartitionfortheappsthatusethehybridauthenticationschemeandanotherpartitionfortheappsthatusetheSAMLauthenticationscheme.

Bydefault,allappsareaddedtoapartitionthatusesthenativeauthenticationscheme.IfyouwanttousethehybridorSAMLauthenticationscheme,youmustcreateadditionalpartitionsonyourtenant.Formoreinformation,seeCreating and managing partitions.

2.5.2 Preparing to connect apps to on-premises applications and services

YoucanintegratemostOT2appswithon-premisesapplications,forexample,contentrepositoriessuchasOpenText™ContentServerandOpenTextDocumentumServer,andOT2servicesthatenableyoutoretrievedata,runscheduledjobs,andperformotherspecializedtasks.

BeforemanagingsubscriptionsinAdminCenter,youandyoursystemadministratormustconfirmthatyourserverenvironmentmeetsalloftheprerequisitesfortheappsonyourtenant.Forexample,someappsmightrequireon-premisescomponentstobeinstalled.

Formoreinformationabouttheprerequisitesforeachapp,seetheapp-specificdocumentationonOpenTextMySupport.





10

2.5.3 Choosing a tenant and subscription administrators for your tenant

WhenyousignintoAdminCenterforthefirsttime,youareautomaticallysignedinasatenantadministratorand,bydefault,youaretheonlyadministratoronyourtenant.

Ifyouwanttoallowotheruserstomanageyourtenantorsubscriptionsonyourtenant,youcanassigntenantandsubscriptionadministratorrolestousers.Formoreinformation,seeAdding and removing tenant administratorsand“Adding and removing subscription administrators”inOpenTextOT2AdminCenter–SubscriptionAdministratorHelp.

BeforesettingupyourtenantinAdminCenter,youmustdeterminewhichusersyouwanttoaddastenantandsubscriptionadministrators.

Tip

Formoreinformationaboutthetenantandsubscriptionadministratorroles,seeUnderstanding the tenant and subscription administrator roles.

2.6 Sample workflow: setting up your tenant and managing subscriptions

ThefollowingisasampleworkflowthatyoucanfollowwhenyousignintoAdminCenterforthefirsttimeasatenantadministrator.Youcanadaptthesequenceoftheworkflowstepstosuityourneeds.

Whenyousetupyourtenantforthefirsttime,youmustconfiguresettingsatboththetenantandsubscriptionlevels.

2.6.1 To set up your tenant and manage subscriptions for the first time:

1. Dooneofthefollowing:

•IfyourtenanthasanAuthentication schemespage,configureanauthenticationschemeforyourtenant.Formoreinformation,seeConfiguring an authentication scheme for your tenant.

•IfyourtenanthasanAuth partitionspage,optionallycreateoneormorepartitionsonyourtenant.Formoreinformation,seeCreating and managing partitions.

2. Configurerepositoryconnectionsfortheappsonyourtenant.Formoreinformation,seeConfiguring repository connection settings.

3. CustomizetheemailsthatAdminCentersendstousers.Formoreinformation,seeCustomizing Admin Center emails.


https://www.opentext.com/file_source/OpenText/en_US/PDF/opentext-userguide-subscription-administrator-help-en.pdf



11

4. [Optional]Createoneormoretenantgroupstomanageusers.Formoreinformation,seeCreating a tenant group manually.

5. [Optional]Ifyouwanttoallowotheruserstoconfigurebothtenantandsubscription-levelsettings,addtenantadministratorstoyourtenant.Formoreinformation,seeAdding a tenant administrator.

6. Configuresubscriptionsettingsfortheappsonyourtenantandassignsubscriptionstousersifrequired.Formoreinformation,see“Sample workflow: managing a subscription”inOpenTextOT2AdminCenter–SubscriptionAdministratorHelp.

2.7 Opening subscriptions and apps from the My Apps page

TheMy Apps pagedisplaysalloftheappsthatyouarepermittedtouseandallofthesubscriptionsthatyouarepermittedtomanage.Youcanusethispagetoviewandaccessallofyoursubscriptionsandappsfromacentrallocation.

Tip

Ifasubscriptionadministratorchangesthenameofasubscription,youwillneedtouseanewURLtoaccessthecorrespondingapp.Formoreinformation,see“Renaming your subscription”inOpenTextOT2AdminCenter–SubscriptionAdministratorHelp.

Inthisscenario,youcanobtainthenewappURLfromtheMy Appspage.TheMy AppspagealwayshasthelatestURLsforappsubscriptions.

2.7.1 To open subscriptions and apps from the My Apps page:

1. InAdminCenter,clickMy Appsinthebreadcrumbtrail.


•IfyouwanttoopenandmanageasubscriptioninAdminCenter,clickConfigureonthecorrespondingtile.

•Ifyouwanttoopenanapp,clicktheappnameonthecorrespondingtile.








12

3 Configuring authentication settingsYoucanspecifyhowusersareauthenticatedwhentheyusetheappsonyourtenant.

3.1 Configuring an authentication scheme for your tenant

IfyourtenanthasanAuthentication schemespage,youmustconfigureacommonauthenticationschemeforalloftheappsonyourtenant.

Note

IfyourtenantdoesnothaveanAuthentication schemespage,youcanusepartitionstoconfigureauthenticationschemes.Formoreinformation,seeCreating and managing partitions.

3.1.1 To configure an authentication scheme for your tenant:

1. Atthetenantlevel,clickAuthentication schemesonthenavigationmenu.

2. Selecttheauthenticationschemeyouwanttouseonyourtenant.Formoreinformation,seeUnderstanding authentication schemes.

3. IfyouselectedtheHybridorSAMLauthenticationscheme,dothefollowing:

a. Ifyouwanttosetupauto-provisioningonyourtenant,turnontheAuto Provisioningswitch.Bydefault,thisswitchisturnedoff.

b. IntheNamebox,typeanamefortheconnectionvalues.

c. IntheDescriptionbox,typeadescriptionfortheconnectionvalues.

d.IntheIDP URLbox,specifythesign-inURLofyouridentityprovider.Formoreinformation,contactyoursystemadministrator.

e. IfyouselectedHybrid,turnontheSecure tunnelswitchiftheappsrequiretheTunnelAgent.Otherwise,turnoffthisswitchiftheappsdonotrequiretheTunnelAgent.

Note

Ifyouturnonthisswitch,youmustcompleteadditionaltasksinAdminCentertosetuptheTunnelAgent.Formoreinformation,seeSetting up the Tunnel Agent.

f. Click Save configuration.

4. IfyouselectedtheSAMLauthenticationschemeandenabledauto-provisioning,mapSAMLassertionclaimstoOTDSattributesasneededintheCustomize claim configurationarea.




13

TypeaSAMLattributenameineachtextboxthatcorrespondstoanOTDSattributeyouwanttomap.ClickSave custom claimstosavethemappings.

ThemappingsareautomaticallytransferredtotheConfigurationpageofyourSAMLauthenticationhandlerinOTDS.Thesemappingsarethenusedtosetandupdateattributesonauto-provisionedSAMLaccounts.

Note

IfyoupreviouslyconfiguredclaimsmappingsfortheauthenticationhandlerinOTDS,theexistingmappingswillbeoverwrittenwiththenewmappingsyouconfigureinAdminCenter.

3.2 Creating and managing partitions

IfyourtenanthasanAuth partitionspage,youcancreatepartitionstoconfiguremultipleauthenticationschemesonyourtenant.

WhenyousignintoAdminCenterforthefirsttime,adefaultpartitioncalledNativeappearsonyourtenant.Bydefault,allsubscriptionsareaddedtothispartitionandusethenativeauthenticationscheme.Ifyouwanttocontinuetouseonlythenativeauthenticationscheme,youdonotneedtocreateadditionalpartitionsonyourtenant.

If,however,youwanttousetheSAML,hybrid,orSCIMandSAMLauthenticationscheme,youmustcreateanewpartitionfortheauthenticationschemeyouwanttouseandthenaddoneormoresubscriptionstothatpartition.Thosesubscriptionswillthenusetheauthenticationschemeassociatedwiththenewpartition,inadditiontothenativeauthenticationscheme.

WhenyoucreatenewpartitionsinAdminCenter,thecorrespondingpartitionsarecreatedautomaticallyinOTDS.Whenusersjoinasubscription,theusersareaddedtothepartitionassociatedwithauthenticationschemetheyusedtosignin.Formoreinformation,seeViewing partition users and groups.

Note

Ifneeded,youcanaddasubscriptiontomultiplepartitionstoallowusersfromdifferentusersourcestojointhesamesubscription.Formoreinformation,seeAdding a subscription to multiple partitions.

IfyourtenantdoesnothaveanAuthpartitionspage,youmustconfigureacommonauthenticationschemeforalloftheappsonyourtenant.Formoreinformation,seeConfiguring an authentication scheme for your tenant.




14

3.2.1 Creating and configuring a partition

3.2.1.1 To create a partition:

1. Atthetenantlevel,clickAuth Partitionsonthenavigationmenu.

2. ClicktheAddbutton .

3. InthePartition namebox,specifyanameforthepartition.

4. [Optional]IntheDescriptionbox,specifyadescriptionforthepartition.

5. [Optional]IntheDomainbox,specifyoneormoredomainsfromwhichuserswillbepermittedtosignin,forexample,domain.com.Ifyouspecifymultipledomains,separateeachvaluewithacomma(,).

6. Ifyouspecifyoneormoredomains,userswillbepermittedtosignintoappsonthepartitiononlyiftheiremailaddressdomainmatchesadomainyouhavespecified.Ifyouleavethisboxempty,userswillbepermittedtouseanemailaddressfromanydomaintosignin.

7. TurnontheAllow Salesforce SSOswitchifyouplantousetheSAML,hybrid,orSCIMandSAMLauthenticationschemetoauthenticateSalesforceusers.

Note

Ifyouturnonthisswitch,yoursystemadministratormustintegrateSalesforcewiththeOT2EntitlementandTenantservice,createauserpartitioninOTDStosynchronizeSalesforceaccounts,andenableSSOinSalesforce.Formoreinformation,seeOpenText Directory Services – Installation and Administration Guide (OTDS-IWC)andtheSalesforcedocumentation.

8. SelectacolorforthepartitiontilethatwillbedisplayedinAdminCenter.

9. ClickSave.

3.2.1.2 To configure an authentication scheme for the partition:

1. OntheAuth partitionspage,clickthetilethatcorrespondstothepartitionyoucreated.

2. OntheAuthentication schemetab,selecttheauthenticationschemeyouwanttoassociatewiththepartition.Formoreinformation,seeUnderstanding authentication schemes.

3. IntheNamebox,specifyanamefortheauthenticationschemeconfiguration.

4. IntheDescriptionbox,specifyadescriptionfortheauthenticationschemeconfiguration.

5. Inthe Provider Namebox,specifyanametodisplayforyouridentityproviderontheAdminCentersign-inpage.

UserscanselectwhichidentityprovidertousewhentheysignintoAdminCenter.Specifyanamethatwillhelpuserstoidentifyyouridentityprovideronthesign-inpage.




15

6. IntheProvider URLbox,specifythesign-inURLforyouridentityprovider.

7. Ifneeded,configureoneofthefollowingoptionsbasedontheauthenticationschemeyouselected:

Secure tunnel

Ifyouselectedthehybridauthenticationscheme,turnonthisswitchiftheappsonthepartitionrequiretheTunnelAgent.Otherwise,turnoffthisswitchiftheappsdonotrequiretheTunnelAgent.

Note

Ifyouturnonthisswitch,youmustcompleteadditionaltasksinAdminCentertosetuptheTunnelAgent.Formoreinformation,seeSetting up the Tunnel Agent.

Sign SAML IfyouselectedtheSAMLorSCIMandSAMLauthenticationscheme,turnonthisswitchtoallowOTDStosignSAMLauthenticationrequeststhataresenttoyouridentityprovider.

Youmustturnonthisoptionif,forexample,youaresettingupSAMLauthenticationwithanidentityproviderthatacceptssinglelogoutrequestsonlyifauthenticationrequestsaresigned.

8. IfyouselectedthehybridorSAMLauthenticationscheme,turnonthe Auto Provisioningswitchtoenableauto-provisioningonthepartition.

Note

Tosetupauto-provisioning,youmustcompleteadditionaltasksinbothAdminCenterandyourserverenvironment.Formoreinformation,seeSetting up SSO with an identity provider.

9. ClickSave scheme.

10. IfyouselectedtheSAMLauthenticationschemeandenabledauto-provisioning,mapSAMLassertionclaimstoOTDSattributesasneededintheCustomize claim configuration area.

TypeaSAMLattributenameineachtextboxthatcorrespondstoanOTDSattributeyouwanttomap.ClickSave custom claimstosavethemappings.

ThemappingsareautomaticallytransferredtotheConfigurationpageofyourSAMLauthenticationhandlerinOTDS.Thesemappingsarethenusedtosetandupdateattributesonauto-provisionedSAMLaccounts.

Note

IfyoupreviouslyconfiguredclaimsmappingsfortheauthenticationhandlerinOTDS,theexistingmappingswillbeoverwrittenwiththenewmappingsyouconfigureinAdminCenter.




16

3.2.1.3 To add subscriptions to the partition:

1. OntheAuth partitionspage,clickthetilethatcorrespondstothepartitionyoucreated.

2. OntheSubscriptionstab,intheAssociated subscriptionsarea,clicktheAddbutton .

3. IntheAssociate subscriptionslist,selectasubscription.

4. ClickAssociate.

5. Repeatthepreviousstepstoaddothersubscriptionstothepartitionasneeded.

Tip

Ifneeded,youcanaddasubscriptiontomultiplepartitionstoallowusersfromdifferentusersourcestojointhesamesubscription.Formoreinformation,seeAdding a subscription to multiple partitions.

3.2.1.4 Adding a subscription to multiple partitions

Youcanaddasubscriptiontomultiplepartitionsif,forexample,youwanttoallowusersfromdifferentusersourcestojointhesamesubscriptionthroughauto-provisioning.

3.2.1.5 Example 2.1: Adding a subscription to multiple partitions

YouwanttoallowusersfrombothanActiveDirectorysystemandanOktasystemtojointhesamesubscriptionthroughauto-provisioning.Todoso,youcancreatethefollowingpartitions:

•Partition1,whichusesthehybridauthenticationschemetoauthenticateusersfromtheActiveDirectorysystem.

•Partition2,whichusestheSAMLauthenticationschemetoauthenticateusersfromtheOktasystem.

IfyouthenaddthesubscriptiontobothPartition1andPartition2,usersfromboththeActiveDirectoryandOktasystemswillbeaddedtothesubscriptionautomaticallywhentheysignintotheOT2platform.InAdminCenter,userswillbeaddedtothepartitionassociatedwithauthenticationschemetheyusetosignin.




17

3.2.2 Viewing partition details

AfterclickingapartitiontileontheAuth partitionspage,youcanclickthePartition detailstabtoviewinformationaboutthecorrespondingpartition,forexample,thepartitionname,tilecolor,andwhethertheAllow Salesforce SSOoptionisselectedonthepartition.

Onpartitionsthatyouhavecreated,thefollowinginformationalsoappearsonthetab:

•SAML metadata URL:AURLthatspecifiesthelocationoftheSAMLmetadatafile.

•SAML SSO URL:AURLthatspecifiestheSSOsign-inpageofyourSAMLidentityprovider.

•SAML login URL: AURLthatspecifiesthesign-inpageofyourSAMLidentityprovider.

•SCIM Sync URL: AURLthatspecifiesthebaseSCIMendpointforOTDS.

YoucanusetheseURLstoconfigureSSOwithyouridentityprovider.Formoreinformation,seeSetting up SSO with an identity provider.

3.2.3 Viewing partition users and groups

AfterclickingapartitiontileontheAuth partitionspage,youcanclicktheUserstaband,ifapplicable,theGroupstabtoviewalloftheusersandgroupsthatbelongtothecorrespondingpartition.

OntheNativepartition,theUserstablistsalloftheuserswhohavebeeninvitedtoasubscriptionandalloftheuserswhohavejoinedasubscriptionthroughanemailinvitation.

Onpartitionsyouhavecreated,theUsers and Groupstabslistalloftheusersandgroupsthathavebeenaddedtothecorrespondingpartitionthroughauto-provisioningoruserandgroupsynchronization.Forexample,ifausersignsintoanapponapartitionthathasauto-provisioningenabled,thatuserisautomaticallyassignedtothesubscriptionandaddedtothepartition,andtheuser’snameappearsonthepartition’sUserstab.

TheusersoneachUsers tabalsoappearonthefollowingpagesinAdminCenter:

•TheTenant userspage.Formoreinformation,seeManaging tenant users.

•TheUserspageatthesubscriptionlevel.Formoreinformation,see“Managing subscription users”inOpenTextOT2AdminCenter–SubscriptionAdministratorHelp.

Userswhoareaddedtoapartitionthroughauto-provisioningoruserandgroupsynchronizationarealsoaddedtothepartition’stenantgroupontheTenant groupspage.Formoreinformation,seeUnderstanding tenant groups.

Tip

Ifyouwantuserstouseadifferentauthenticationschemeoridentityprovider,youcanmoveuserstoadifferentpartitionontheTenant userspage.Formoreinformation,seeMoving users to a different partition.





18

3.2.3.1 To view partition users and groups:


2. OntheAuth partitionspage,clickatile.

3. ClicktheUserstabtoviewalloftheuserswhohavebeenaddedtothecorrespondingpartition.

4. Ifyouclickedatileforapartitionyoucreated,clicktheGroupstabtoviewallofthegroupsthathavebeenaddedtothepartition.Ifyouwanttoviewthemembersofagroup,clickagroupnameinthelist.

3.2.4 Removing a subscription from a partition you created

Youcanremoveasubscriptionfromapartitionyoucreatedif,forexample,younolongerwantuserstojointhatsubscriptionautomaticallythroughauto-provisioningoruserandgroupsynchronization.

Afteryouremoveasubscription,alloftheuserswhopreviouslyjoinedthatsubscriptionthroughauto-provisioningoruserandgroupsynchronizationwillremainonthepartitionandcancontinueusingthecorrespondingappwiththeirexistingcredentials.Ifyounolongerwantthoseuserstoaccesstheapp,youmustremovetheusersfromthesubscriptionatthesubscriptionlevel.Formoreinformation,see“Removingauserfromasubscription”inOpenTextOT2AdminCenter–SubscriptionAdministratorHelp.

Note

YoucannotremovesubscriptionsfromtheNativepartition.

3.2.4.1 To remove a subscription from a partition you created:


2. OntheAuth partitionspage,clickapartitiontileandthenclicktheSubscriptionstab.

3. IntheAssociated subscriptions list,clicktheRemovebutton intherowthatcorrespondstothesubscriptionyouwanttoremove.

4. Whenpromptedtoremovethesubscription,clickYes, continue.

3.2.5 Deleting an authentication scheme from a partition you created

Youcandeletetheauthenticationschemethatyouconfiguredforapartitionyoucreatedifyouwanttoconfigureanewauthenticationschemeforthatpartition.

Note

YoucannotremovetheauthenticationschemefromtheNativepartition.





19

3.2.5.1 To delete an authentication scheme from a partition you created:


2. OntheAuth partitionspage,clickapartitiontileandthenclicktheAuthentication schemetab.

3. ClickDelete scheme.

4. Whenpromptedtodeletetheauthenticationscheme,clickYes, continue.

3.2.6 Deleting a partition you created

Youcandeleteapartitionyoucreatedifitdoesnotcontainsubscriptionsorusers.

Note

YoucannotdeletetheNativepartition.

3.2.6.1 To delete a partition you created:


2. OntheAuth partitionspage,clickapartitiontileandthenclickthePartition detailstab.

3. IntheDetailsarea,clickRemove.

3.2.7 Managing the Native partition

3.2.7.1 Configuring a password policy

UserswhoareinvitedtosubscriptionsmustcreateaccountcredentialsontheOT2platform.Formoreinformation,see Inviting users to subscriptions.TheseusersareautomaticallyaddedtotheNativepartitionwhentheysignintoyourtenant.

InAdminCenter,youcanoptionallyconfigureapasswordpolicytospecifyrulesforcreatingandusingpasswordsontheOT2platform.Forexample,youcanspecifywhetherthepasswordsthatuserscreatemustcontainaminimumnumberofcharactersandsymbols,andyoucanspecifyhowoftenusersarepermittedtochangetheirpasswords.

Bydefault,theNativepartitionusestheglobalpasswordpolicythatisconfiguredinOTDS.YoucanchoosetokeepthedefaultglobalpasswordpolicyoreditthepolicyvaluesinAdminCentertospecifyadifferentsetofrulesforcreatingandusingpasswords.ThepasswordpolicyvaluesyouconfigureinAdminCenteroverridethecorrespondingglobalpasswordpolicyvaluesinOTDS.




20


2. OntheAuth partitionspage,clicktheNativetile,andthenclicktheLogin settings tab.

3. ClickEdit.


•IfyouwanttousetheglobalpasswordpolicythatisconfiguredinOTDS,confirmthattheUse Global Policycheckboxisselected.Bydefault,thischeckboxisselected.

•Ifyouwanttospecifyadifferentsetofpasswordpolicyrules,cleartheUse Global Policycheckboxandconfiguretherulesyouwanttouse.

Eachboxcorrespondstoadifferentrule.Ineachbox,youcantypeanewnumericvalueorusethearrowbuttonstoselectanewvalue.Ifyouwanttodisablearule,specifyavalueof0inthecorrespondingbox.

Formoreinformationabouteachrule,seePassword policy rules.

5. ClickSave.

3.2.7.2 Password policy rules

OntheAuth partitionspage,youcanconfigurethefollowingpasswordpolicyrulesontheLogin settingstab:

Minimum characters Theminimumnumberofcharactersthatusersmustincludeinapassword.

Minimum numeric characters

Theminimumnumberofnumericcharactersthatusersmustincludeinapassword.

Minimum special characters

Theminimumnumberofspecialcharactersthatusersmustincludeinapassword.Examplesofspecialcharactersincludetheexclamationmark(!),atsymbol(@),andhashtag(#).

Minimum uppercase Theminimumnumberofuppercasecharactersthatusersmustincludeinapassword.




21

Minimum lowercase Theminimumnumberoflowercasecharactersthatusersmustincludeinapassword.

Minimum number character changes from previous

Theminimumnumberofcharactersthatmustbedifferentinanewpasswordifusersreusesequentialcharactersfromanoldpasswordinthenewpassword.

Do not allow reuse of last (x) passwords

Thenumberofpasswordsthatmustbeuniquebeforeuserscanreuseanoldpassword.

Maximum continuous characters from username

Themaximumnumberofsequentialcharactersthatuserscanrepeatfromtheirusernamewhencreatingorchangingapassword.

Allow password change after (x) days

Theminimumnumberofdaysthatmusttakeplacebeforeuserscanchangeapassword.

Password expires in (x) days

Thenumberofdaysthatmusttakeplacebeforeapasswordexpiresandmustbechanged.

Attempts before lockout

Themaximumnumberofinvalidpasswordattemptsthatuserscanmakebeforetheyarelockedoutoftheiraccounts.

Lockout duration in minute

Thelengthoftime,inminutes,forwhichusersarelockedoutoftheiraccountsiftheyexceedthemaximumnumberofinvalidpasswordattempts.LockedaccountsareunlockedautomaticallywhentheLockout duration in minutesperiodexpires.

Tip

IfauserneedstoaccessalockedaccountbeforetheLockout duration in minutesperiodexpires,youcanunlocktheaccountmanuallyontheTenant users page.Formoreinformation,seeUnlocking user accounts




22

3.2.7.3 Configuring two-factor authentication

Ifneeded,youcanenabletwo-factorauthenticationontheNativepartitiontoprotectyourtenantfromunauthorizedaccess.

Bydefault,two-factorauthenticationisdisabledanduserswhoareaddedtotheNativepartitionarepromptedtoprovideonlytheirOT2accountcredentialswhentheysignintoyourtenant.

Ifyouenabletwo-factorauthentication,userswhoareaddedtotheNativepartitionarepromptedtoprovideboththeirOT2accountcredentialsandanauthenticationcodewhentheysignintoyourtenantforthefirsttime.Usersmustuseanauthenticatorapp,suchasMicrosoftAuthenticatororGoogleAuthenticator,onamobiledevicetogenerateanauthenticationcodeusingeithertheQRcodeorsecretkeythatappearsontheAdminCentersign-inpage.Usersmustthenenterthegeneratedauthenticationcodeonthesign-inpagetoaccessyourtenant.

Whenyouenabletwo-factorauthentication,youcanspecifywhetherusersmustenteranauthenticationcodeeachtimetheysignintoyourtenantorwhetheruserscanskipthetwo-factorauthenticationprocessiftheyhavealreadyenteredanauthenticationcodeforadevice.


2. OntheAuth partitionspage,clicktheNativetile,andthenclicktheLoginsettingstab.

3. ClickEdit.

4. IntheTwofactorauthsettingsarea,selectEnable 2FAtoenabletwo-factorauthenticationonthepartition.

5. [Optional]CleartheAllow skip of known devicescheckboxifyouwanttohidetheDon’t ask me for a code again when I log in from this devicecheckboxfromtheAdminCentersign-inpagewhentwo-factorauthenticationisenabled.Inthiscase,userswillneedtoenteranauthenticationcodeeachtimetheysignintoyourtenant.

Bydefault,theAllowskipofknowndevicescheckboxisselectedandtheDon’t ask me for a code again when I log in from this devicecheckboxappearsontheAdminCentersign-inpagewhentwo-factorauthenticationisenabled.Inthiscase,userswhoselectDon’t ask me for a code again when I log in from this devicewillnotneedtoenteranauthenticationcodetosigniniftheyhavealreadycompletedthetwo-factorauthenticationprocessonadevice.

6. ClickSave.




23

3.3 Setting up SSO with an identity provider

AdminCentersupportsSAML-basedSSOwithidentityproviderssuchasOktaandAzureActiveDirectory.

IfyouwanttosetupSAML-basedSSOwithAdminCenter,youcandoeitherofthefollowing:

•Setupauto-provisioningwithanidentityproviderthatsupportsSAML.

•SetupuserandgroupsynchronizationbetweenAzureActiveDirectoryandAdminCenter.

3.3.1 Setting up auto-provisioning

Youcansetupauto-provisioningifyouwanttoconfigureSSOwithanidentityproviderthatsupportsSAMLauthentication,forexample,OktaorAzureActiveDirectory.

Afteryousetupauto-provisioning,usersfromtheidentityproviderareautomaticallyaddedtoyourAdminCentertenantandassignedtosubscriptionswhentheysignintotheOT2platformusingtheircredentialsfromtheidentityprovider.

3.3.2 Synchronizing Azure Active Directory users and groups with Admin Center

IfyouareusingAzureActiveDirectory,youcansetupaprocesstosynchronizeuserandgroupinformationautomaticallybetweenAzureActiveDirectoryandyourAdminCentertenant.

Afteryousetupuserandgroupsynchronization,usersandgroupsfromtheidentityproviderareautomaticallyaddedtoapartitiononyourAdminCentertenantduringthesynchronizationprocess.Asaresult,theseusersandgroupsareautomaticallyassignedtoallofthesubscriptionsonthatpartition.

IfyouadduserstoorremoveusersfromtheAzureActiveDirectorysystem,thecorrespondingusersareautomaticallyaddedtoorremovedfromyourAdminCentertenantthenexttimeAzureActiveDirectoryrunsthesynchronizationprocess.

Whenyousetupuserandgroupsynchronization,youmustalsosetupSAMLauthenticationtoenableuserstosignintoAdminCenterusingtheirAzureActiveDirectorycredentials.

Note

Duringthesynchronizationprocess,AzureActiveDirectorycommunicateswithOTDSandAdminCenterovertheSCIMprotocol.




24

3.3.2.1 SSO scenarios

TosetupSSOwithanidentityprovider,youneedtocompletesometasksinyourserverenvironmentandsometasksinAdminCenter.

3.3.2.1.1 Scenario 1: Setting up SAML-based SSO with an Okta system

ThefollowingproceduredescribeshowtosetupSAML-basedSSOwithOktathroughauto-provisioning.

Note

FormoreinformationaboutOkta,seetheOktaHelpCenter.

1. InAdminCenter,dothefollowing:

•IfyourtenanthasanAuthpartitionspage,createanewpartitionwithoutconfiguringanauthenticationschemeforit.Onthatpartition,addsubscriptionsfortheappsyouwanttoallowuserstoaccess.Formoreinformation,seeCreatingandconfiguringapartition.

•CopytheSAML SSO URLandSAML Metadata URLvaluesfromtheAuth partitionsorTenant detailspagetoalocationwhereyoucanaccessthemeasilylater.

IfyourtenanthasanAuth partitionspage,theseURLsappearonthenewpartition’sPartition detailstab.Formoreinformation,seeViewingpartitiondetails.

IfyourtenanthasanAuthentication schemespage,theseURLsappearontheTenant details page.Formoreinformation,seeViewingtenantdetails.

2. InOktaAdminConsole,createanewSSOapplication.Formoreinformation,see“Create your integration”intheOktaDeveloperPlatformhelp.

Whencreatingthenewapplication,youmustdothefollowingontheConfigure SAMLtab:

a. IntheSingle Sign on URLbox,specifytheSAML SSO URLvalueyoucopiedfromAdminCenter.

b.SelecttheUse this for Recipient and Destination URLcheckbox.

c. IntheAudience URI (SP Entity ID)box,specifytheSAML Metadata URLvalueyoucopiedfromAdminCenter.

d.IntheName ID formatlist,selectEmail Address.

e.[Optional]Ontheadvancedsettingspage,settheResponse and Assertion Signature valuestoSignedifyouwantSAMLresponsesandassertionstobesigned.

3. Whenyouarefinishedcreatingtheapplication,clicktheIdentity provider metadatalinktocopytheidentityproviderURL.PastetheURLtoalocationwhereyoucanaccessiteasilylater.


https://support.okta.com/help/s/?language=en_US

https://developer.okta.com/docs/guides/build-sso-integration/saml2/create-your-app /

https://developer.okta.com/docs/guides /



25

4. InAdminCenter,dooneofthefollowing:

a. IfyourtenanthasanAuth partitionspage,gototheAuthentication schemetabthatbelongstothepartitionyoucreatedinstep1,andconfiguretheSAMLauthenticationschemeonthatpartition.Formoreinformation,seeCreating and configuring a partition.

b.IfyourtenanthasanAuthentication schemespage,configuretheSAMLauthenticationschemeonyourtenant.Formoreinformation,seeConfiguring an authentication scheme for your tenant.

Whenconfiguringtheauthenticationscheme,youmustdothefollowing:

c.ConfirmthattheAuto Provisioningswitchisturnedon.

d.IntheProvider URLbox,providetheidentifyproviderURLyoucopiedfromtheOktasystem.

UserscanthensignintoAdminCenterusingtheircredentialsfromtheOktasystem.Aftertheysignin,usersareaddedtotheAdminCenterpartitionorsiteautomaticallyandcanaccessthecorrespondingapp.

3.3.2.1.2 Scenario 2: Setting up SAML-based SSO with Azure Active Directory

ThefollowingproceduredescribeshowtosetupSAML-basedSSOwithAzureActiveDirectorythroughauto-provisioning.

Note

FormoreinformationaboutAzureActiveDirectory,seetheAzureActiveDirectorydocumentation.


a. IfyourtenanthasanAuth partitionspage,createanewpartitionwithoutconfiguringanauthenticationschemeforit.Onthatpartition,addsubscriptionsfortheappsyouwanttoallowuserstoaccess.Formoreinformation,seeCreating and configuring a partition.

b.CopytheSAML Login URLandSAML SSO URLvaluesfromAdminCentertoalocationwhereyoucanaccessthemeasilylater.

IfyourtenanthasanAuth partitionspage,thesevaluesappearonthenewpartition’sPartition detailstab.Formoreinformation,seeViewing partition details.

IfyourtenanthasanAuthentication schemespage,thesevaluesappearontheTenant detailspage.Formoreinformation,seeViewing tenant details.

2. SignintoAzureActiveDirectoryanddothefollowingtoaddanon-galleryapplication:

a.ClickEnterprise applications.

b.ClickNew applicationandselectNon-gallery application.

c.SpecifyanamefortheapplicationandclickAdd.


https://docs.microsoft.com/en-us/azure/active-directory /

https://docs.microsoft.com/en-us/azure/active-directory /



26

3. ToconfigureSAMLauthenticationfortheapplication,dothefollowinginAzureActiveDirectory:

a.Clicktheapplicationnameinthelistofenterpriseapplications.

b.ClickSingle Sign-on.

c.OntheSelect a single sign-on methodpage,selectSAML.

d.OntheSet up Single Sign-On with SAMLpage,dothefollowing:

i. IntheBasic SAML Configurationarea,specifythefollowingvalues:

• IntheIdentifier(EntityID)box,specifytheSAMLLoginURLvalueyoucopiedfromAdminCenter.

• IntheReplyURL,Sign-onURL,andLogoutURLboxes,specifytheSAMLSSOURLvalueyoucopiedfromAdminCenter.

ii. IntheUser Attributes & Claimsarea,dothefollowing:

•ChangethedefaultmappingofEmailaddresstouser.userprincipalname.

•Changethedefaultmappingofnametouser.displayname.

•ClickAdd a group claim.IntheGroup Claimsdialogbox,selectAll Groups,andthenclickSave.

iii.FromtheAdditional claimsarea,copyalloftheclaimnameURLsandpastethemtoalocationwhereyoucanaccessthemeasilylater.

iv.IntheSAML Signing Certificatearea,copytheApp federation metadata URLvalueandpasteittoalocationwhereyoucanaccessiteasilylater.

4. InAdminCenter,dooneofthefollowingtoconfigureanauthenticationschemeforyourpartitionorsite:

a. IfyourtenanthasanAuth partitionspage,gototheAuthentication schemetabthatbelongstothepartitionyoucreatedinstep1,andconfiguretheSAMLauthenticationscheme.Formoreinformation,seeCreating and configuring a partition.

b.IfyourtenanthasanAuthentication schemespage,configuretheSAMLauthenticationschemeonyourtenant.Formoreinformation,seeConfiguring an authentication scheme for your tenant.

Whenconfiguringtheauthenticationscheme,youmustdothefollowing:

c.ConfirmthattheAuto Provisioningswitchisturnedon.

d.IntheProvider URLbox,providetheApp federation metadata URLvalueyoucopiedfromtheAzureActiveDirectorysystem.

e. IntheCustomize claim configurationarea,configurethefollowingmappings:




27

Admin Center value Azure Active Directory claim value

Mail http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

Name http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname

Surname http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname

Displayname http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Group http://schemas.microsoft.com/ws/2008/06/identity/claims/groups

5. InAzureActiveDirectory,createoneormoreusersandgroups.Formoreinformation,seehttps://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/.

6. Toallowthoseusersandgroupstoaccessanapponthepartitionorsite,doeitherofthefollowing:

a. Sendtheapp’ssubscriptionURLtoeachuserandgroup.Todoso,copythesubscriptionURLfromtheDetailspageinAdminCenterandthenpastetheURLinanemailthatyousendtousers.Formoreinformation,see“Sharing the subscription URL with users”inOpenTextOT2AdminCenter–SubscriptionAdministratorHelp.

UserscanthenclickthesubscriptionURLtoaccesstheapp’ssign-inpageandprovidetheirAzureActiveDirectorycredentialstosignin.

b.Assignanapproletoeachuserorgroupatthesubscriptionlevel.Formoreinformation,see“Assigning app roles to users or groups on the Roles page”inOpenTextOT2AdminCenter–SubscriptionAdministratorHelp.

Userswillthenreceiveanemailinvitationautomatically.UserscanclickthesubscriptionURLinthatemailtoaccesstheapp’ssign-inpageandprovidetheirAzureActiveDirectorycredentialstosignin.

Aftertheysignin,usersareaddedtotheAdminCenterpartitionorsiteautomaticallyandcanaccessthecorrespondingapp.


https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/







28

3.3.2.1.3 Scenario 3: Setting up SCIM synchronization with Azure Active Directory

Note

YoucancompletethisprocedureifyourAdminCentertenanthasanAuth partitionspage.YoucannotcompletethisprocedureifyoutenanthasanAuthentication schemespage.

FormoreinformationaboutAzureActiveDirectory,seetheAzureActiveDirectorydocumentation.


a.Createanewpartitionwithoutconfiguringanauthenticationschemeforit.Onthatpartition,addsubscriptionsfortheappsyouwanttoallowuserstoaccess.Formoreinformation,seeCreating and configuring a partition.

b.Onthenewpartition’sPartition detailstab,copytheSCIM Sync URL, SAML SSO URL,andSAML Login URLvaluestoalocationwhereyoucanaccessthemeasilylater.Formoreinformation,seeViewing partition details.

c.OntheAPI service credentials page,generateclientcredentialsforAzureActiveDirectoryatthetenantlevel.Formoreinformation,seeGenerating client credentials for Azure Active Directory.

2. SignintoAzureActiveDirectoryanddothefollowingtoaddanon-galleryapplication:

a.ClickEnterprise applications.

b.ClickNew applicationandselectNon-gallery application.

c.SpecifyanamefortheapplicationandclickAdd.

3. Clicktheapplicationnameinthelistofenterpriseapplications.

4. ClickProvisioning.

5. OntheProvisioningpage,dothefollowing:

a. IntheAdmin Credentialsarea,intheTenant URLbox,specifytheSCIM Sync URLvalueyoucopiedfromAdminCenter.

b.IntheMappingsarea,clickProvision Azure Active Directory Users.OntheAttribute Mappingpage,changetheSource Attribute valueofthemailattributetouserPrincipalName.

c. IntheSettings area,settheProvisioning StatusvaluetoOn.FormoreinformationabouttheProvisioningpage,see“Managing user account provisioning for enterprise apps in the Azure portal”intheAzureActiveDirectorydocumentation.

6. ToconfigureSAMLauthenticationfortheapplication,dothefollowing:

a.ClickSingle Sign-on.

b.OntheSelect a single sign-on methodpage,selectSAML.


https://docs.microsoft.com/en-us/azure/active-directory






29

c.OntheSet up Single Sign-On with SAMLpage,dothefollowing:

i. IntheBasic SAML Configurationarea,specifythefollowingvalues:

• IntheIdentifier (Entity ID)box,specifytheSAML Login URLvalueyoucopiedfromAdminCenter.

• IntheReply URL, Sign-on URL,andLogout URLboxes,specifytheSAML SSO URLvalueyoucopiedfromAdminCenter.

ii. IntheUser Attributes & Claimsarea,dothefollowing:

•ChangethedefaultmappingofEmailaddresstouser.userprincipalname.

•Changethedefaultmappingofnametouser.displayname.

•ClickAdd a group claim.IntheGroup Claimsdialogbox,selectAll Groups,andthenclickSave.

iii.IntheSAML Signing Certificatearea,copytheApp federation metadata URLvalueandpasteittoalocationwhereyoucanaccessiteasilylater.

7. InAdminCenter,configuretheSCIM and SAMLauthenticationschemeonyourtenant.Formoreinformation,seeConfiguring an authentication scheme for your tenant.

IntheProvider URLbox,providetheApp federation metadata URL valueyoucopiedfromtheAzureActiveDirectorysystem.

8. InAzureActiveDirectory,createalloftheusersandgroupsyouwanttosynchronize.Formoreinformation,seehttps://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/.

AfterAzureActiveDirectoryrunsthesynchronizationprocessforthefirsttime,usersandgroupsautomaticallyappearontheUsersandGroupstabsonthepartitionyoucreatedinAdminCenter.

9. Toallowusersandgroupstoaccessanapponthepartitionorsite,doeitherofthefollowingafterthesynchronizationprocesstakesplace:

a. Sendtheapp’ssubscriptionURLtoeachAzureActiveDirectoryuserandgroup.Todoso,copythesubscriptionURLfromtheDetailspageinAdminCenterandthenpastetheURLinanemailthatyousendtousers.Formoreinformation,see“Sharing the subscription URL with users”inOpenTextOT2AdminCenter–SubscriptionAdministratorHelp.

UserscanthenclickthesubscriptionURLtoaccesstheapp’ssign-inpageandprovidetheirAzureActiveDirectorycredentialstosignin.

b.AssignanapproletoeachAzureActiveDirectoryuserorgroupatthesubscriptionlevel.Formoreinformation,see“Assigning app roles to users or groups on the Roles page”inOpenTextOT2AdminCenter–SubscriptionAdministratorHelp.

Userswillthenreceiveanemailinvitationautomatically.UserscanclickthesubscriptionURLinthatemailtoaccesstheapp’ssign-inpageandprovidetheirAzureActiveDirectorycredentialstosignin.










30

3.4 Setting up the Tunnel Agent

TheTunnelAgentisanon-premisescomponentthatenablesOT2appstocommunicatesecurelywithon-premisesrepositoriesandapplicationsbehindafirewall.

IfyouconfiguredtheHybridauthenticationschemeonatenantorpartitionandyoursystemadministratorhaschosentoinstallandconfiguretheTunnelAgentinyouron-premisesenvironment,youmustcompletethefollowingtasks:

1. TurnontheSecure tunnelswitchfortheHybridauthenticationscheme.Formoreinformation,seeConfiguring an authentication scheme for your tenantorCreating and configuring a partition.

2. GenerateclientcredentialsfortheTunnelAgent.Formoreinformation,seeGenerating client credentials.

3. TurnontheSecure tunnel switchwhenyouconfigurerepositoryconnections.Formoreinformation,seeConfiguring connection settings.

FormoreinformationabouttheTunnelAgent,seetheOpenText OT2 Tunnel Agent Configuration GuideonOpenTextMySupport.

3.5 Generating client credentials

ClientcredentialsenableclientstorequestOAuthaccesstokenstoaccessresources.

WhensettingupyourAdminCentertenant,youmustgenerateclientcredentialsinthefollowingscenarios:

If the apps on your tenant require the Tunnel Agent.

Inthisscenario,youmustgenerateclientcredentialsinAdminCenterandprovidethemtoyoursystemadministrator.YoursystemadministratorcanthenusetheclientcredentialsyouprovidetoconfiguretheTunnelAgentinyourorganization’sserverenvironment.AftertheTunnelAgentisconfigured,theclientcredentialsenabletheTunnelAgenttorequestOAuthaccesstokenstocommunicatewithAdminCenter.

FormoreinformationabouttheTunnelAgent,seeSetting up the Tunnel Agent.

If you want to synchronize users and groups between Azure Active Directory and your Admin Center tenant automatically.

Inthisscenario,ifyouconfiguredAzureActiveDirectorytosynchronizeusersandgroupsautomatically,theclientcredentialsthatyougenerateinAdminCenterenableAzureActiveDirectorytorequestOAuthaccesstokenstocommunicatewithOTDSandAdminCenterusingtheSCIMprotocol.

Formoreinformation,seeSynchronizing Azure Active Directory users and groups with Admin Center.





31

Tip

FormoreinformationabouttheOAuthframework,seehttps://oauth.net/.

3.5.1 Generating client credentials for the Tunnel Agent

Note

YoucanalsogenerateclientcredentialsfortheTunnelAgentatthesubscriptionlevelif,forexample,youwanteachapptousedifferentclientcredentials.Formoreinformation,see“Generating client credentials for the Tunnel Agent”inOpenTextOT2AdminCenter–SubscriptionAdministratorHelp.

1. Atthetenantlevel,clickAPI service credentialsonthenavigationmenu.

2. OntheAPI service credentialspage,clicktheAddbutton ,andselectCreate API key.

3. IntheDescriptionbox,typeadescriptionforthecredentials.

4. IntheAccess token lifetime (seconds)box,specifythelengthoftime,inseconds,thattheOAuthaccesstokenwillbevalidforafteritisgenerated.Thedefaultvalueis900seconds.

5. IntheRefresh token lifetimebox,specifythelengthoftime,inseconds,thattheOAuthrefreshtokenwillbevalidforafteritisgenerated.Thedefaultvalueis28800seconds.

6. ClickCreatetogeneratetheclientcredentials.

7. ClickCopytocopytheclientIDandclientsecretvaluestoyourclipboard.Pastethesevaluestoalocationwhereyoucanaccessthemeasilylater.

8. ClickOk, I understandtoclosethedialogbox.

Note

YoumustprovidetheclientIDandclientsecretvaluesyougeneratedtoyoursystemadministrator.

3.5.2 Generating client credentials for Azure Active Directory

Note

Beforecompletingthisprocedure,youmustcreateapartitioninAdminCenter.Formoreinformation,seeScenario 3: Setting up SCIM synchronization with Azure Active Directory.


2. OntheAPI service credentials page,clicktheAddbutton ,andselectCreate SCIM Oauth Key.


https://oauth.net/





32

3. IntheClient IDbox,specifytheclientIDvalueoftheOAuthclient.ThisvaluemusttaketheformAZURE_SCIM_directory_ID,wheredirectory_IDisthedirectoryIDvaluefromAzureActiveDirectory.

Tip

ThedirectoryIDvalueislocatedonthePropertiespageinAzureActiveDirectory.

Formoreinformation,see“Quickstart: Set up a tenant”intheAzureActiveDirectorydocumentation.

4. IntheAccess token lifetime (seconds)box,specifythelengthoftime,inseconds,thattheOAuthaccesstokenwillbevalidforafteritisgenerated.Thedefaultvalueis900seconds.

5. IntheRefresh token lifetimebox,specifythelengthoftime,inseconds,thattheOAuthrefreshtokenwillbevalidforafteritisgenerated.Thedefaultvalueis28800seconds.

6. InthePartitionlist,selectthepartitionyoucreatedtosynchronizeAzureActiveDirectoryusersandgroups.

7. ClickCreatetogeneratetheclientcredentials.


3.5.3 Changing the expiry periods or partition for access tokens

Aftergeneratingclientcredentials,youcanoptionallyincreaseordecreasetheexpiryperiodsfortheOAuthaccesstokensthatareusedtocommunicatewithAdminCenter.

IfyougeneratedclientcredentialsforAzureActiveDirectory,youcanalsoassignthegeneratedclientcredentialstoadifferentAdminCenterpartitionif,forexample,youwanttosynchronizeAzureActiveDirectoryuserandgroupinformationwithanewpartition.


2. ClicktheMore optionsbutton intherowthatcorrespondstothecredentialsforwhichyouwanttochangetheaccesstokenexpiryperiodsorpartitionandselectEdit.

3. IntheAccess token lifetime (seconds)andRefresh token lifetime (seconds)boxes,specifynewexpiryperiodsfortheOAuthaccessandrefreshtokensasneeded.Youcantypenewnumericvaluesorusethearrowbuttonstoselectnewvalues.

4. Inthe Partitionslist,selectanewpartitionfortheclientcredentialsasneeded.

5. ClickUpdate.


https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-create-new-tenant

https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-create-new-tenant



33

3.5.4 Regenerating a client secret value

Ifyouneedtochangetheclientsecretvalueyouareusingforsecurityreasons,youcangenerateanewclientsecretvalueforanexistingclientID.Afteryouregenerateaclientsecretvalue,thenewclientsecretvalueisassociatedwiththeexistingclientIDandtheoldclientsecretvalueisdisabled.


2. ClicktheMore optionsbutton intherowthatcorrespondstothecredentialsforwhichyouwanttoregeneratetheclientsecretvalueandselectRegenerate.

3. TheRegenerate credentials dialogboxdisplaysthedescription,clientID,andaccesstokenexpiryperiodsforthenewclientsecretvalueyouwillgenerate.Thesevaluesareread-only.

4. ClickRegeneratetogenerateanewclientsecretvalue.

5. IfyouneedtoprovidethenewclientsecretvaluetoyoursystemadministratortoconfiguretheTunnelAgent,clickCopytocopytheclientsecretvalueyougeneratedtoyourclipboardandpastethisvaluetoalocationwhereyoucanaccessiteasilylater.


4 Configuring connection settingsIfyouneedtoconnectappstoon-premisesrepositories,suchasContentServerandDocumentumServer,youmustconfigurerepositoryconnectionsonyourtenant.Youmustconfigureaconnectionforeachrepositorytowhichyouwanttoconnectapps.

OntheConnectionspage,youcanconfigureconnectionsettingsforDocumentumServerrepositoriesontheD2connectionstab.Youcanconfigureconnectionsettingsforallothertypesofrepositories,suchasContentServerandSalesforce,ontheGeneral connectionstab.

AfteryouconfigureD2connectionsatthetenantlevel,subscriptionadministratorscanselectthoseconnectionsforappsatthesubscriptionlevel.Formoreinformation,see“Connecting an app to one or more repositories”inOpenTextOT2AdminCenter-SubscriptionAdministratorHelp.






34

4.1 Configuring repository connection settings

4.1.1 To configure connection settings for a repository other than Documentum:

1. Atthetenantlevel,clickConnectionsonthenavigationmenu.

2. ClicktheGeneral connectionstab.

3. ClicktheAdd button .

4. IntheConnection namebox,typeanamefortheconnection.

5. [Optional]IntheDescriptionbox,typeadescriptionfortheconnection.

6. IftheTunnelAgentisconfiguredinyouron-premisesenvironment,turnontheUse secure tunnelswitch.Formoreinformation,seeSetting up the Tunnel Agent.

7. IntheConnection typelist,selectaconnectiontype.

8. Specifyparametervaluesfortheconnectiontypeyouselected.Formoreinformationaboutthevaluesyoucanspecify,seethedocumentationforyourapponOpenTextMySupportorcontactyoursystemadministrator.

9. ClickTest connectiontotesttheconnection.

10. ClickSave.

4.1.2 To configure connection settings for a Documentum repository:

1. Atthetenantlevel,clickConnectionsonthenavigationmenu.

2. ClicktheD2 connectionstab.

3. ClicktheAdd button .

4. IntheConnection namebox,typeanamefortheconnection.

5. IntheDescriptionbox,typeadescriptionfortheconnection.

6. IntheConnection URLbox,typetheURLfortheDocumentumServersystemyouwanttoconnecttooneormoreapps.

7. IftheTunnelAgentisconfiguredinyouron-premisesenvironment,turnontheSecure tunnelswitch.Formoreinformation,seeSetting up the Tunnel Agent.

8. ClickTest connectiontotesttheconnection.

9. ClickSave.





35

5 Managing your tenantAtthetenantlevel,youcanconfigureemailnotificationsettingsandothersettingsthatapplytoallofthesubscriptionsonyourtenantbydefault.Youcanalsoviewtenantandsubscriptioninformation.

5.1 Managing subscriptions

TheSubscriptionspagelistsalloftheappsubscriptionsthatyouarepermittedtomanageonyourtenant.Youcanusethispagetoviewinformationabouteachsubscription,forexample,thesubscriptionURLandnumberofdaysleftinthesubscription.

5.1.1 To open the Subscriptions page:

Atthetenantlevel,clickSubscriptionsonthenavigationmenu.

Tip

Ifyouwanttomanageasubscription,clickasubscriptioninthelist.Formoreinformationaboutmanagingsubscriptions,seeOpenTextOT2AdminCenter–SubscriptionAdministratorHelp.

5.2 Customizing Admin Center emails

Youcancustomizetheimage,replyemailaddress,andsendernamedisplayedinallemailsthatAdminCentersendsforallsubscriptionsonyourtenant,forexample,emailsyousendtoinviteuserstosubscribetoappsandinviteuserstobecometenantandsubscriptionadministrators.

5.2.1 Customizing the image displayed in emails

Beforecustomizingtheimage,youmustsavethe.png,.gif,or.svgimagefileyouwanttouseinapubliclocation,forexample,asharedfolderonanon-premisesserver.






36

5.2.1.1 To customize the image displayed in emails:

1. Atthetenantlevel,clickEmail notificationsandthenclickLogoonthenavigationmenu.

2. Inthetextbox,typethefullyqualifiedURLoftheimagefileyouwanttouse,forexample,https://server.domain.com/PublicFolder/logo.png.TheURLmuststartwithhttps.

3. ClickAPPLY.

4. ClickSave.

5.2.2 Customizing the reply address and sender name in emails

5.2.2.1 To customize the reply address and sender name in emails:

1. Atthetenantlevel,clickEmail notificationsandthenclickSenderonthenavigationmenu.

2. IntheSender box,typethereplyemailaddressyouwanttouse.

3. IntheDisplay Namebox,typethesendernameyouwanttouse.

4. ClickSave.

5.3 Viewing tenant details

YoucanusetheTenant details pagetoviewinformationaboutyourtenant.

IfyourtenanthasanAuth partitionspage,thefollowinginformationappearsontheTenant detailspage:

•Partitions: Thepartitionsonyourtenant.

•Tenant name: ThetenantnamespecifiedbyyourOpenTextAccountExecutive.

•Tenant ID: TheuniqueIDofyourtenant.AdminCenterautomaticallyassignsauniqueIDtoeachtenant.Ifyouaremanagingappsonmultipletenants,youcanclickthe specify a different tenantlinkontheAdminCentersign-inpageandprovideatenantIDtoswitchtothattenant.

•Company description:ThecompanydescriptionspecifiedbyyourOpenTextAccountExecutive.

•External ID:TheexternalIDofyourtenantspecifiedbyyourOpenTextAccount Executive.

•Registered since: ThedateonwhichthetenantwascreatedinAdminCenter.

•Language: Thedefaultlanguagethatisselectedforyourtenant.




37

Ifyourtenanthasan Auth partitions page,thefollowinginformationappearsontheTenant detailspage:

•Tenant name: ThetenantnamespecifiedbyyourOpenTextAccountExecutive.

•Tenant email domains:Thedomainordomainsinwhichthetenantislocated.

•Registered since: ThedateonwhichthetenantwascreatedinAdminCenter.

•Tenant users: Thetotalnumberofuserswhoareassignedtosubscriptionsonthe tenant.

•Subscriptions: Thesubscriptionsthatareavailableonthetenant.Eachicon representsadifferentsubscription.

•SAML metadata URL: AURLthatspecifiesthelocationoftheSAMLmetadatafile.

•SAML SSO URL: AURLthatspecifiestheSSOsign-inpageofyourSAMLidentity provider.

•SAML login URL: AURLthatspecifiesthesign-inpageofyourSAMLidentityprovider.

•SCIM Sync URL: AURLthatspecifiesthebaseSCIMendpointforOTDS.

Tip

YoucanusetheURLvaluestoconfigureauto-provisioningonyouridentityprovider.Formoreinformation,seeSSO scenarios.

6 Managing users and groupsAtthetenantlevel,youcanaddandremovetenantadministrators,monitorusersubscriptions,andcreateandmanagetenantgroups.

6.1 Adding and removing tenant administrators

Youcanaddtenantadministratorsifyouwanttoallowotheruserstoconfiguretenantsettingsandmanageallofthesubscriptionsonyourtenant.

Whenyouaddatenantadministratortoyourtenant,AdminCentersendsanemailinvitationtothatuserattheemailaddressyouspecify.Theuser’sstatusisalsosetto Invitation PendingontheTenant adminspage.TheusermustclickthelinkinthatemailtoregisteranaccountontheOT2platformandsignintoAdminCenter.Aftertheusersignsin,theuser’sstatuschangestoActiveontheTenant adminspage.TheusermustusethatemaillinkandtheregisteredOT2credentialstosigninasatenantadministratorinthefuture.




38

Tip

IfyourtenanthasanAuthentication schemespage,aTenantcolumnappearsontheTenant adminsandTenant userspages.Thiscolumnindicateswhethereachuserisinternalorexternalonthecurrenttenant.Formoreinformation,see Understanding the Tenant column on the Tenant admins and Tenant users pages.

6.1.1 Adding a tenant administrator

1. Atthetenantlevel,clickTenant adminsonthenavigationmenu.

2. ClicktheAddbutton .

3. Inthetextbox,typeanemailaddressorsearchforandselecttheemailaddressthatbelongstotheuseryouwanttoaddasatenantadministrator.

4. ClickInvite.

6.1.2 Resending email invitations

Ifneeded,youcanresendemailinvitationstouserswhohaveanInvitation PendingstatusontheTenant adminspage.FormoreinformationabouttheInvitation Pendingstatus,seeAdding and removing tenant administrators.


2. ClicktheMore optionsbutton intherowthatcorrespondstotheuserwhoyouwanttoresendtheinvitationto.

3. SelectResend invite.

4. [Optional]Inthetextbox,typeanewemailaddresstowhichtosendtheinvitation.

5. ClickResend.

6.1.3 Removing a tenant administrator


2. ClicktheMore optionsbutton intherowthatcorrespondstothetenantadministratoryouwanttoremove.

3. SelectRemove from role.

4. Whenpromptedtoremovetheuserfromthetenantadministratorrole,clickRemove from role.




39

6.2 Managing tenant users

TheTenant userspagelistsallofthetenantadministratorsonyourtenant,alloftheuserswhohavebeeninvitedtosubscribetoappsonyourtenant,andalloftheuserswhoarecurrentlysubscribedtoappsonyourtenant.

Youcanusethispagetomonitoruseractivitiesonyourtenant,forexample,thestatusofeachuser’ssubscriptionandthedateandtimeeachuserlastsignedintoAdminCenter.Youcanalsoviewdetailedinformationabouteachuser,forexample,thesubscriptionsandapprolesassignedtoeachuser.

IfyourtenanthasanAuth partitionspage,youcanalsodothefollowingtomanageuseraccounts:

•Disableuseraccountstopreventusersfromsigningintoyourtenantandallofthe appsonyourtenant.Formoreinformation,seeDisabling and enabling user accounts.

•Unlockuseraccountsifusersarelockedoutoftheiraccountsaftermultipleinvalid passwordattempts.Formoreinformation,seeUnlocking user accounts.

•Resettwo-factorauthenticationsettingsforusers.Formoreinformation,see Resetting user two-factor authentication settings.

•Moveuserstoadifferentpartition.Formoreinformation,seeMoving users to a different partition.

Tip

IfyourtenanthasanAuthentication schemespage,aTenantcolumnappearsontheTenant adminsandTenant userspages.Thiscolumnindicateswhethereachuserisinternalorexternalonthecurrenttenant.Formoreinformation,see Understanding the Tenant column on the Tenant admins and Tenant users pages.

Formoreinformationaboutapproles,see“Assigning app roles to user and groups”inOpenTextOT2AdminCenter–SubscriptionAdministratorHelp.

6.2.1 Viewing user information

1. Atthetenantlevel,clickTenant usersonthenavigationmenu.

2. Toviewinformationaboutauser,clicktheMore optionsbuttonintherowthatcorrespondstotheuseryouwanttoviewinformationfor,andselectDetails.





40

6.2.2 Disabling and enabling user accounts

Youcandisableuseraccountsifyouneedtopreventusersfromsigningintoyourtenantandalloftheappsonyourtenantforsecurityreasons.YoucandisableanyuseraccountthatissettoActiveontheTenant userspage.

Whenauseraccountisdisabled,adisable icon appearsbesidetheaccountnameontheTenant userspage.Iftheuserassociatedwiththataccountattemptstosignintothetenantoranapponthattenant,anerrormessageappearsonthesign-inpage.

Ifyouwanttoallowuserstosignintothetenantandappsagain,youcanenableuseraccountsyoupreviouslydisabled.Youcanalsoenableuseraccountsthatothertenantadministratorshavedisabled.

Note

ThisfunctionalityisavailableifyourtenanthasanAuth partitionspage.


2. ClicktheMore optionsbuttonintherowthatcorrespondstotheuseraccountyouwanttodisableorenable,andselectDisableorEnable.

3. Whenpromptedtodisableorenabletheuseraccount,clickYes, continue.

6.2.3 Unlocking user accounts

DependingonhowyouconfiguredthepasswordpolicyrulesontheNativepartition,userscanbelockedoutoftheiraccountsaftermakingmultipleinvalidpasswordattempts.

TheAttempts before lockoutrulespecifieshowmanyinvalidpasswordattemptscantakeplacebeforeanaccountislockedandtheLockout duration in minutesrulespecifiesthelengthoftimethatmustelapsebeforealockedaccountisunlockedautomatically.Formoreinformation,seeConfiguring a password policy.

Whenanaccountislocked,alockicon appearsbesidetheaccountnameontheTenantusers page and the account cannot be used until you unlock it manually on the Tenant userspageoritsLockout duration in minutesperiodexpires.

Youcanunlockauseraccountmanuallyif,forexample,auserneedstoaccesshisorheraccountbeforetheLockout duration in minutesperiodexpires.

Note

ThisfunctionalityisavailableifyourtenanthasanAuth partitionspage.

Thisfunctionalityappliesonlytoaccountsonthe Nativepartition.


2. ClicktheMore optionsbutton intherowthatcorrespondstotheuseraccountyouwanttounlock,andselectUnlock.

3. Whenpromptedtounlocktheuseraccount,clickYes, continue.




41

6.2.4 Resetting user two-factor authentication settings

Ifyouenabledtwo-factorauthenticationontheNativepartition,youcanresettwo-factorauthenticationsettingsforusersiftheyneedtogeneratenewauthenticationcodestosignintoyourtenant.

Forexample,ifauserlosesanauthenticationcodethatheorshepreviouslygenerated,youcanresetthatuser’stwo-factorauthenticationsettings.Theusercanthengenerateanewauthenticationcodethenexttimeheorshesignsintoyourtenant.

Note

ThisfunctionalityisavailableifyourtenanthasanAuthpartitionspage.

Formoreinformationaboutenablingtwo-factorauthenticationontheNativepartition,seeConfiguring two-factor authentication.


2. ClicktheMore optionsbuttonintherowthatcorrespondstotheuserforwhomyouwanttoresettwo-factorauthenticationsettings,andselectReset two factor auth settings.

3. Whenpromptedtounlocktheuseraccount,clickYes, continue.

6.2.5 Moving users to a different partition

IfyourtenanthasanAuth partitionspage,usersareautomaticallyaddedtopartitionswhentheyjoinsubscriptions.Tosignintoyourtenant,eachusermustusetheauthenticationschemeassociatedwiththepartitionthatheorshehasbeenaddedto.Formoreinformation,seeCreating and managing partitions.

Youcanmoveuserstoadifferentpartitionif,forexample,youwantthemtouseadifferentauthenticationschemetosignintoyourtenant.

Example 5.1: Moving users to a different partition

AlloftheusersonyourtenantpreviouslyjoinedsubscriptionsthroughemailinvitationsandhavebeenaddedtotheNativepartition.However,youwanttheseuserstousetheSAMLauthenticationschemetosignintoyourtenant.

Inthisscenario,youcancreateanewpartitionfortheSAMLauthenticationschemeandthenmoveeachusertothenewpartitionontheTenant userspage.TheuserscanthenuseSAMLcredentialstosignintoyourtenant.




42

Youcanmoveuserstoanytypeofpartition,regardlessofthetypeofpartitiontheycurrentlybelongto.Forexample,youcanmoveusersasfollows:

•FromtheNativepartitiontoaSAML, Hybrid,orSCIM and SAMLpartition.

•FromaSAML, Hybrid, orSCIM and SAMLpartitiontotheNativepartition.

•FromoneSAML, Hybrid,orSCIM and SAMLpartitiontoanother.

IfyoumoveuserstoanewSAML, Hybrid,orSCIM and SAMLpartition,theusersmustusecredentialsfromtheidentityproviderthatisconnectedtothenewpartitiontosignintoyourtenant.Beforemovinguserstothenewpartition,confirmthatanaccounthasbeencreatedforeachuseronthenewidentityprovider.

IfyoumoveusersfromaSAML, Hybrid,orSCIM and SAMLpartitiontotheNative partition,eachuserwillautomaticallyreceiveanemailtocreateanewpasswordontheOT2platform.Userscanthenusetheirexistingemailaddressandnewlycreatedpasswordtosignintothetenant.

Note

IfyoumoveuserstoanewSAML, Hybrid, orSCIM and SAMLpartition,AdminCenterautomaticallyremovestheusersfromallofthetenantandsubscriptiongroupsthattheybelongtoandaddsthemtothenewpartition’sAllUsers_partition_nametenantgroup.

Formoreinformationabouttenantandsubscriptiongroups,seeUnderstanding tenant groupsand“Creating and managing subscription groups”inOpenTextOT2AdminCenter–SubscriptionAdministratorHelp.

Tip

ThePartitioncolumnontheTenant userspageindicateswhichpartitionseachuserbelongsto.

6.2.5.1 To move a user to a different partition:


2. ClicktheMore optionsbutton intherowthatcorrespondstotheuseryouwanttomove,andselectChange partition.

3. IntheChange Partitiondialogbox,selectthenameofthepartitionyouwanttomovetheuserto,andclickContinue.






43

6.3 Understanding the Tenant column on the Tenant admins and Tenant users pages

IfyourtenanthasanAuthentication schemespage,aTenantcolumnappearsonboththeTenant adminsandTenant userspages.Thiscolumnindicateswhichusersareinternalorexternalonthetenantthatiscurrentlyopen.

Auserisinternalifthedomainofhisorheremailaddressmatchesthedomainofthecurrenttenantandifheorsheisregisteredonlyonthecurrenttenant,thatis,theuserhasacceptedaninvitationtobecomeatenantadministratororsubscribetoanapponthecurrenttenantonlyandhasneveracceptedinvitationsassociatedwithothertenants.

Auserisexternalinthefollowingscenarios:

•Ifthedomainofthatuser’semailaddressdoesnotmatchthedomainofthecurrenttenant.

•Ifthatuserisregisteredontenantsotherthanthecurrenttenant,thatis,theuserhaspreviouslyacceptedaninvitationtobecomeatenantadministratororsubscribetoanappononeormoreothertenants.

•Ifthatuser’sstatusissettoInvitation Pending,thatis,theuserhasnotyetacceptedaninvitationtobecomeatenantadministratororsubscribetoanapponthecurrenttenant.

6.4 Understanding tenant groups

Tenantgroupsenableyoutoassignsubscriptionsandpermissionstogroupsofusers.

Atthetenantlevel,youcancreateanynumberoftenantgroupsmanuallyontheTenant groupspage.Youcanaddthefollowingtypesofusersandgroupstomanuallycreatedtenantgroups:

•Userswhoarecurrentlysubscribedorhavebeeninvitedtosubscribetoappsonyourtenant.

•Anyexistingtenantgroups.

IfyourtenanthasanAuth partitionspage,AdminCenteralsoautomaticallycreatesatenantgroupforeachpartitionyoucreate.OntheTenant groupspage,thenameofeachautomaticallycreatedgrouphastheformAllUsers_partition_name.Alluserswhoareaddedtoapartitionthroughauto-provisioningoruserandgroupsynchronizationareautomaticallyaddedtothepartition’stenantgroup.YoucannoteditautomaticallycreatedtenantgroupsoraddnewuserstothemontheTenant groupspage.

Afteroneormoretenantgroupsarecreatedeithermanuallyorautomaticallyatthetenantlevel,thetenantgroupsareavailabletobeusedatthesubscriptionlevel.Subscriptionadministratorscandooneorbothofthefollowing:




•Addthetenantgroupstosubscriptiongroupstoassignsubscriptionstogroups ofusers.Formoreinformation,see“Creating and managing subscription groups”inOpenTextOT2AdminCenter–SubscriptionAdministratorHelp.

•Assignthetenantgroupstooneormoreapproles.Tenantgroupmemberswillthen inheritthepermissionsassociatedwiththeirassignedapproles.Formoreinformation,seeOpenTextOT2AdminCenter–SubscriptionAdministratorHelp.

Tip

Formoreinformationaboutapproles,see“Assigning app roles to user and groups”inOpenTextOT2AdminCenter–SubscriptionAdministratorHelp.

6.4.1 Creating a tenant group manually

6.4.1.1 To create a tenant group manually:

1. Atthetenantlevel,clickTenant groupsonthenavigationmenu.

2. ClickCreate group.

3. IntheGroup namebox,typeanameforthetenantgroup.

4. [Optional]Inthe Descriptionbox,typeadescriptionforthetenantgroup.

5. ClickCreate.

6.4.1.2 To add a user or existing tenant group to one or more tenant groups:


2. Inthetextbox,dooneofthefollowing:

•Typethefirstfewlettersofanemailaddressthatbelongstoauserwhoiscurrentlysubscribedorhasbeeninvitedtosubscribetooneormoreappsonyourtenant.

•Typethefirstfewlettersofanamethatbelongstoanexistingtenantgroup.

3. Selecttheemailaddressornamethatbelongstotheuserortenantgroupyouwanttoadd.

4. IntheSelect grouplist,selectoneormoretenantgroupstowhichyouwanttoaddtheuserorexistingtenantgroupyouselectedinthepreviousstep.

5. ClickAdd to groups.







45

6.4.1.3 To view the users and tenant groups in each tenant group:

1. Atthetenantlevel,clickTenantgroupsonthenavigationmenu.

2. IntheTenantGroupslist,clickthenameofthetenantgroupyouwanttoview.Thetenantgroup’spagelistsalloftheusersandtenantgroupsthatbelongtothetenantgroupyouselected.

Tip

Formoreinformationaboutapproles,see“Assigning app roles to user and groups” inOpenTextOT2AdminCenter–SubscriptionAdministratorHelp.

6.4.2 Editing the name and description of a manually created tenant group

Note

Youcannoteditautomaticallycreatedtenantgroups.

6.4.2.1 To edit the name and description of a manually created tenant group:


2. IntheTenant groupslist,clickthenameofthetenantgroupyouwanttoedit.

3. Onthetenantgroup’spage,clicktheEditbutton .

4. Editthenameanddescriptionofthetenantgroupasneeded.

5. Click Update.

6.4.3 Deleting a manually created tenant group

Note

Beforedeletingatenantgroup,confirmthatnoapprolesareassignedtothatgroup.Ifapprolesareassigned,OpenTextrecommendsthatyouremovetheapprolesfromthegroupfirst.Formoreinformation,see“Assigning app roles to users or groups on the Roles page”inOpenTextOT2AdminCenter–SubscriptionAdministratorHelp.

Youcannotdeleteautomaticallycreatedtenantgroups.

6.4.3.1 To delete a manually created tenant group:


2. IntheTenant groupslist,placeyourpointeronthenameofthetenantgroupyouwanttodelete,andclicktheDeletebuttoninthecorrespondingrow.

3. Whenpromptedtodeletethegroup,click Delete.






About OpenTextOpenTextenablesthedigitalworld,creatingabetterwayfororganizationstoworkwithinformation,on-premisesorinthecloud.FormoreinformationaboutOpenText(NASDAQ/TSX:OTEX),visitopentext.com.

Connect with usOpenTextCEOMarkBarrenechea’sblog|Twitter|LinkedIn


https://www.opentext.com/

https://blogs.opentext.com/category/ceo-blog/

https://twitter.com/OpenText

https://www.linkedin.com/company/opentext/


OT2 Admin Center · 2021. 6. 23. · If you are using Azure Active Directory, you can synchronize...

Documents

Transcript of OT2 Admin Center · 2021. 6. 23. · If you are using Azure Active Directory, you can synchronize...