
Global IDP

The Rafay platform traditionally supports Identity Provider (IDP) configurations at the customer organization level, requiring each customer org to configure its own IDP settings.

This feature applies to scenarios where a Cloud Provider (aka partner) wishes to deploy and operate an IdP in which they manage user identities on behalf of their customers. In that case a shared IDP configuration is needed across all orgs under the cloud provider.

When the Global IDP feature is enabled for a partner, a single IDP configured in the partner’s default org can be used to authenticate users across all orgs under the partner. This simplifies user authentication and IDP management in multi-tenant environments.



Enabling Global IDP

Rafay enables the Global IDP feature for a partner based on requirements. Once enabled, the following setting will be visible in the partner configuration:

"settings": {
  "idp_setting": {
    "common_idp_for_all_orgs": true
  }
}

Global IDP Workflow

  • A single IDP is configured in the default organization of the partner
  • Users access the partner’s Rafay Console portal
  • The login behavior depends on whether the user exists in the local Rafay user database

Case 1: User Exists in Local Rafay User Database

If the entered email address matches a local user record:

  • The user is shown two options:
    • Login With SSO
    • Login With Password


This provides flexibility to authenticate through either method.


Case 2: User Does Not Exist in Local Rafay User Database

If the user is not found in the local database:

  • Only the Login With SSO option is shown
  • The user is redirected to the IDP configured in the partner’s default organization


IDP Authentication and Organization Mapping

  • After clicking Login With SSO, the user is redirected to the IDP provider configured in the default organization
  • The IDP must include the organization identifier in the SAML response
  • Rafay uses this attribute to route the user to the appropriate organization after authentication

Support for Mixed Mode

If a subset of organizations require a custom IDP and others should use the Global IDP:

  • Create individual IDPs in those specific organizations using their domain name(s)
  • Create the Global IDP in the default organization


Login Flow

  • If a user's domain matches a configured organization-level IDP, they are authenticated using that IDP
  • Otherwise, the user is authenticated using the Global IDP
  • If the user also exists in the local database, both login options (SSO and password) are shown

Note: For Global IDP integration, customers using Keycloak must use version 26.2.x or later.