Managing identity providers

Besides creating local users manually, you can add users from external identity providers and automatically map them to local domain groups. User authentication can be based on either the Implicit Flow or the Authorization Code Flow of the OpenID Connect (OIDC) protocol.

Adding an external identity provider allows you to use multi-factor authentication (MFA) for the admin and self-service panels. You can use any identity provider supporting OpenID, such as Microsoft ADFS, Keycloak, Okta, Auth0, and others.

Users imported from identity providers are called federated, that is, shared between different identity management systems. Unlike local users, federated users do not have credentials set in Virtuozzo Hybrid Infrastructure. They log in to the admin or self-service panels by using their respective credentials from the primary identity management system. The set of actions available to federated users is defined by the roles you assign to their local domain groups.

Limitations

  • When federated users are removed by their identity provider, they are not automatically deleted from the infrastructure.
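
Because removed identities stay behind as federated accounts, a periodic reconciliation helps find them. The following is an added example, not code or an API from Virtuozzo Hybrid Infrastructure: it compares a list of federated users against a directory export from each identity provider and reports accounts that are gone or disabled upstream, along with the local domain groups they are still mapped to. The record fields, the export layout, and all sample data are constructed assumptions.

```python
# Added example: all field names and records below are constructed assumptions,
# not the product's export format or API.
from dataclasses import dataclass

@dataclass(frozen=True)
class FederatedUser:
    provider: str   # identity provider the account was imported from
    subject: str    # stable identifier the provider issued for the user
    name: str
    groups: tuple   # local domain groups the user is mapped to

def find_stale_federated_users(local_users, idp_directory):
    """Return (user, reason) for accounts gone or disabled at their provider.

    idp_directory maps provider name -> {subject: {"enabled": bool}}.
    A provider missing from idp_directory is skipped, not treated as empty,
    so a failed export cannot mark every account as stale.
    """
    stale = []
    for user in local_users:
        directory = idp_directory.get(user.provider)
        if directory is None:
            continue
        # Match on the stable subject, not the display name, so a re-created
        # identity with the same name is not mistaken for the original.
        entry = directory.get(user.subject)
        if entry is None:
            stale.append((user, "removed at provider"))
        elif not entry.get("enabled", True):
            stale.append((user, "disabled at provider"))
    return stale

# Constructed sample data.
LOCAL_USERS = [
    FederatedUser("keycloak", "a1", "alice", ("admins",)),
    FederatedUser("keycloak", "b2", "bob", ("operators",)),
    FederatedUser("keycloak", "c3", "carol", ("viewers",)),
    FederatedUser("okta", "d4", "dave", ("admins",)),
]
IDP_DIRECTORY = {
    "keycloak": {"a1": {"enabled": True}, "c3": {"enabled": False}},
    # No "okta" export is available: dave is skipped, not flagged.
}

if __name__ == "__main__":
    for user, reason in find_stale_federated_users(LOCAL_USERS, IDP_DIRECTORY):
        print(f"{user.name} ({user.provider}): {reason}; groups={list(user.groups)}")
```

Accounts reported this way still need to be reviewed and removed from the infrastructure by an administrator.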