OT2 Admin Center Tenant Administrator Guide
Contents
1 OpenText™ OT2 Tenant Admin
2 Getting started
2.1 Managing your tenants and subscriptions
2.2 Understanding the tenant and subscription administrator roles
2.3 Assigning users to subscriptions
2.3.1 Assigning subscriptions through auto-provisioning
2.3.2 Assigning subscriptions through user and group synchronization
2.3.3 Inviting users to subscriptions
2.4 Browsing to the tenant and subscription levels
2.5 Preparing to set up your tenant and manage subscriptions
2.5.1 Understanding authentication schemes
2.5.2 Preparing to connect apps to on-premises applications and services
2.5.3 Choosing tenant and subscription administrators for your tenant
2.6 Sample workflow: setting up your tenant and managing subscriptions
2.6.1 To set up your tenant and manage subscriptions for the first time:
2.7 Opening subscriptions and apps from the My Apps page
2.7.1 To open subscriptions and apps from the My Apps page:
3 Configuring authentication settings
3.1 Configuring an authentication scheme for your tenant
3.1.1 To configure an authentication scheme for your tenant:
3.2 Creating and managing partitions
3.2.1 Creating and configuring a partition
3.2.2 Viewing partition details
3.2.3 Viewing partition users and groups
3.2.4 Removing a subscription from a partition you created
3.2.5 Deleting an authentication scheme from a partition you created
3.2.6 Deleting a partition you created
3.2.7 Managing the Native partition
3.3 Setting up SSO with an identity provider
3.3.1 Setting up auto-provisioning
3.3.2 Synchronizing Azure Active Directory users and groups with Admin Center
3.4 Setting up the Tunnel Agent
3.5 Generating client credentials
3.5.1 Generating client credentials for the Tunnel Agent
3.5.2 Generating client credentials for Azure Active Directory
3.5.3 Changing the expiry periods or partition for access tokens
3.5.4 Regenerating a client secret value
4 Configuring connection settings
4.1 Configuring repository connection settings
4.1.1 To configure connection settings for a repository other than Documentum:
4.1.2 To configure connection settings for a Documentum repository:
5 Managing your tenant
5.1 Managing subscriptions
5.1.1 To open the Subscriptions page:
5.2 Customizing Admin Center emails
5.2.1 Customizing the image displayed in emails
5.2.2 Customizing the reply address and sender name in emails
5.3 Viewing tenant details
6 Managing users and groups
6.1 Adding and removing tenant administrators
6.1.1 Adding a tenant administrator
6.1.2 Resending email invitations
6.1.3 Removing a tenant administrator
6.2 Managing tenant users
6.2.1 Viewing user information
6.2.2 Disabling and enabling user accounts
6.2.3 Unlocking user accounts
6.2.4 Resetting user two-factor authentication settings
6.2.5 Moving users to a different partition
6.3 Understanding the Tenant column on the Tenant admins and Tenant users pages
6.4 Understanding tenant groups
6.4.1 Creating a tenant group manually
6.4.2 Editing the name and description of a manually created tenant group
6.4.3 Deleting a manually created tenant group
OT2 Admin Tenant Administrator Guide
1 OpenText™ OT2 Tenant Admin
OT2 Admin Center provides Tenant Administrators a unified interface to support the intuitive control of applications, subscriptions, users and their access. In OT2 Admin Center, you can configure settings at the tenant and the subscription level. Tenant administrators must be set up before managing subscriptions at a subscription administrator level.
This guide provides an overview of how tenant administrators can use OT2 Admin Center to set up your tenant and manage and configure settings for OT2 application subscriptions. You can add tenant administrators and create one or more tenant groups to manage users. You can also manage subscription settings for apps in your tenant and assign subscriptions to users.
2 Getting started
2.1 Managing your tenants and subscriptions
Your Admin Center tenant contains all of the OT2 app subscriptions that you can assign to users in your organization. Each subscription specifies usage details for an app, for example, the length of time users are permitted to use an app, the maximum number of users who can subscribe to that app, and other subscription details configured by your OpenText Account Executive.
In Admin Center, you can configure settings at two levels: the tenant level and the subscription level. At the tenant level, you can configure authentication settings, repository connection settings, and other settings that are common to multiple apps on your tenant. At the subscription level, you can invite users to subscribe to apps, connect apps to external repositories and services, and configure other subscription-specific settings.
You must set up your tenant before you manage subscriptions.
2.2 Understanding the tenant and subscription administrator roles
In Admin Center, two types of administrator roles are available: tenant administrators and subscription administrators.
Tenant administrators can perform the following tasks in Admin Center:
• Manage all of the subscriptions on a tenant.
• Configure settings that are common to all subscriptions on a tenant, for example, connection settings.
Need more help? Visit the OT2 Admin Center forum
Subscription administrators can manage only the subscriptions that a tenant administrator or another subscription administrator has made available to them in Admin Center.
A tenant administrator must set up an Admin Center tenant before subscription administrators can manage subscriptions.
Tenant administrators can add any number of tenant and subscription administrators to a tenant. Subscription administrators can also add any number of subscription administrators to subscriptions.
2.3 Assigning users to subscriptions
You can assign subscriptions to users in the following ways:
• By setting up auto-provisioning.
• By synchronizing user and group information between Microsoft Azure Active Directory and Admin Center.
• By inviting users to subscriptions.
2.3.1 Assigning subscriptions through auto-provisioning
You can set up auto-provisioning if you are using an external user source, such as Microsoft Azure Active Directory, to authenticate users on your Admin Center tenant. If you set up auto-provisioning, users are added to your tenant and assigned to subscriptions after they sign in to the OT2 platform using their credentials from the user source.
For more information, see Setting up SSO with an identity provider.
2.3.2 Assigning subscriptions through user and group synchronization
If you are using Azure Active Directory, you can synchronize user and group information between Azure Active Directory and your Admin Center tenant. In this case, Azure Active Directory automatically runs a process at regular intervals to transfer user and group information from your identity provider to your Admin Center tenant. Users and groups from the identity provider are then added to your tenant and assigned to subscriptions automatically during the synchronization process.
For more information, see Setting up SSO with an identity provider.
2.3.3 Inviting users to subscriptions
If you choose not to set up auto-provisioning or user and group synchronization, a subscription administrator must invite users to subscriptions in Admin Center.
In this case, Admin Center automatically sends an email invitation to each user who has been invited to a subscription. Users can then click a link in that email to create account credentials on the OT2 platform, join the subscription, and access the app until the subscription expires.
2.4 Browsing to the tenant and subscription levels
By default, after you sign in to Admin Center as a tenant administrator, the Tenant details page is opened and the links on the navigation menu point to pages that let you configure tenant settings.
To browse to the subscription level, click Subscriptions on the navigation menu and then click any of the subscriptions in the subscriptions list. When you click a subscription, the subscription’s Details page is opened and different links appear on the navigation menu. These links point to pages that let you configure settings for the subscription you opened.
To browse to the tenant level again, click the name of your tenant in the breadcrumb trail.
Tip
For more information about the Tenant details and Subscriptions pages, see Viewing tenant details and Managing subscriptions.
2.5 Preparing to set up your tenant and manage subscriptions
Before setting up your tenant and managing subscriptions in Admin Center, you must complete the following tasks:
1. Determine which authentication scheme or schemes to configure on your tenant. For more information, see Understanding authentication schemes.
2. Confirm that your system administrator has installed and configured all of the on-premises applications and services that your apps will use. For more information, see Preparing to connect apps to on-premises applications and services.
3. Choose whether you want to assign tenant and subscription administrator roles to users. For more information, see Choosing tenant and subscription administrators for your tenant.
After completing these tasks, you can set up your tenant and manage subscriptions in Admin Center. For more information, see Sample workflow: setting up your tenant and managing subscriptions.
2.5.1 Understanding authentication schemes
An authentication scheme specifies how users are authenticated when they use OT2 apps. In Admin Center, you must configure the authentication schemes that are required for the apps on your tenant.
The following authentication schemes are available:
Native
Enables you to use OpenText™ Directory Services (OTDS) to authenticate users. This authentication scheme lets you invite users to subscriptions manually in Admin Center.
Hybrid
Enables you to use an on-premises user source, such as Active Directory, to authenticate users. You can use this authentication scheme if you want to use a content repository directory, such as OpenText™ Documentum™ Server, to authenticate users.
This authentication scheme lets you set up auto-provisioning to assign users to subscriptions automatically.
For more information about hybrid authentication, see OpenText OT2 Hybrid Authentication User Guide on OpenText My Support.
SAML
Enables you to use a Security Assertion Markup Language (SAML) identity provider to authenticate users. You can use this authentication scheme if, for example, you want to configure single sign-on (SSO) using a SAML authentication handler.
This authentication scheme lets you set up auto-provisioning to assign users to subscriptions automatically.
For more information about configuring SAML authentication, see the documentation for your identity provider.
SCIM and SAML
Enables you to use an identity provider that supports the System for Cross-domain Identity Management (SCIM) protocol, for example, Azure Active Directory. To authenticate users, you must also configure SAML authentication on your identity provider.
When you use this authentication scheme, users and groups are first synchronized between the identity provider and your Admin Center tenant over the SCIM protocol. The users who are added to the tenant are assigned to subscriptions automatically.
To access apps, users can provide their identity provider credentials to sign in to the OT2 platform. Users are then authenticated with the identity provider through SAML.
Salesforce
Enables you to use Salesforce to authenticate users. If you want to use this authentication scheme, your system administrator must integrate Salesforce with the OT2 Entitlement and Tenant service, create a user partition in OTDS to synchronize Salesforce accounts, and enable SSO in Salesforce.
Note
This authentication scheme is available only if your tenant has an Authentication schemes page.
Each app supports one or more specific authentication schemes. To determine which authentication schemes you need to configure for each app, see the app-specific documentation on OpenText My Support.
In Admin Center, you can configure one or more authentication schemes based on the type of tenant that your OpenText Account Executive has configured for your organization. There are two types of tenants in Admin Center:
• Tenants that have an Authentication schemes page.
• Tenants that have an Auth partitions page.
Tip
The links on the navigation menu indicate which type of tenant you have. If an Authentication schemes link appears on the navigation menu, your tenant has an Authentication schemes page. If an Auth Partitions link appears on the navigation menu, your tenant has an Auth partitions page.
2.5.1.1 Tenants that have an Authentication schemes page
If your tenant has an Authentication schemes page, you can configure only one authentication scheme on your tenant at a time and all of the apps on your tenant must use the same authentication scheme. In this case, the tenant uses the native authentication scheme by default; however, you can change it to the hybrid, SAML, or Salesforce authentication scheme as needed.
2.5.1.2 Tenants that have an Auth partitions page
If your tenant has an Auth partitions page, you can create partitions to configure multiple authentication schemes on your tenant.
For example, if some of the apps on your tenant require the hybrid authentication scheme and other apps require the SAML authentication scheme, you can create one partition for the apps that use the hybrid authentication scheme and another partition for the apps that use the SAML authentication scheme.
By default, all apps are added to a partition that uses the native authentication scheme. If you want to use the hybrid or SAML authentication scheme, you must create additional partitions on your tenant. For more information, see Creating and managing partitions.
2.5.2 Preparing to connect apps to on-premises applications and services
You can integrate most OT2 apps with on-premises applications, for example, content repositories such as OpenText™ Content Server and OpenText Documentum Server, and OT2 services that enable you to retrieve data, run scheduled jobs, and perform other specialized tasks.
Before managing subscriptions in Admin Center, you and your system administrator must confirm that your server environment meets all of the prerequisites for the apps on your tenant. For example, some apps might require on-premises components to be installed.
For more information about the prerequisites for each app, see the app-specific documentation on OpenText My Support.
2.5.3 Choosing tenant and subscription administrators for your tenant
When you sign in to Admin Center for the first time, you are automatically signed in as a tenant administrator and, by default, you are the only administrator on your tenant.
If you want to allow other users to manage your tenant or subscriptions on your tenant, you can assign tenant and subscription administrator roles to users. For more information, see Adding and removing tenant administrators and “Adding and removing subscription administrators” in OpenText OT2 Admin Center – Subscription Administrator Help.
Before setting up your tenant in Admin Center, you must determine which users you want to add as tenant and subscription administrators.
Tip
For more information about the tenant and subscription administrator roles, see Understanding the tenant and subscription administrator roles.
2.6 Sample workflow: setting up your tenant and managing subscriptions
The following is a sample workflow that you can follow when you sign in to Admin Center for the first time as a tenant administrator. You can adapt the sequence of the workflow steps to suit your needs.
When you set up your tenant for the first time, you must configure settings at both the tenant and subscription levels.
2.6.1 To set up your tenant and manage subscriptions for the first time:
1. Do one of the following:
• If your tenant has an Authentication schemes page, configure an authentication scheme for your tenant. For more information, see Configuring an authentication scheme for your tenant.
• If your tenant has an Auth partitions page, optionally create one or more partitions on your tenant. For more information, see Creating and managing partitions.
2. Configure repository connections for the apps on your tenant. For more information, see Configuring repository connection settings.
3. Customize the emails that Admin Center sends to users. For more information, see Customizing Admin Center emails.
4. [Optional] Create one or more tenant groups to manage users. For more information, see Creating a tenant group manually.
5. [Optional] If you want to allow other users to configure both tenant and subscription-level settings, add tenant administrators to your tenant. For more information, see Adding a tenant administrator.
6. Configure subscription settings for the apps on your tenant and assign subscriptions to users if required. For more information, see “Sample workflow: managing a subscription” in OpenText OT2 Admin Center – Subscription Administrator Help.
2.7 Opening subscriptions and apps from the My Apps page
The My Apps page displays all of the apps that you are permitted to use and all of the subscriptions that you are permitted to manage. You can use this page to view and access all of your subscriptions and apps from a central location.
Tip
If a subscription administrator changes the name of a subscription, you will need to use a new URL to access the corresponding app. For more information, see “Renaming your subscription” in OpenText OT2 Admin Center – Subscription Administrator Help.
In this scenario, you can obtain the new app URL from the My Apps page. The My Apps page always has the latest URLs for app subscriptions.
2.7.1 To open subscriptions and apps from the My Apps page:
1. In Admin Center, click My Apps in the breadcrumb trail.
2. Do one of the following:
• If you want to open and manage a subscription in Admin Center, click Configure on the corresponding tile.
• If you want to open an app, click the app name on the corresponding tile.
3 Configuring authentication settings
You can specify how users are authenticated when they use the apps on your tenant.
3.1 Configuring an authentication scheme for your tenant
If your tenant has an Authentication schemes page, you must configure a common authentication scheme for all of the apps on your tenant.
Note
If your tenant does not have an Authentication schemes page, you can use partitions to configure authentication schemes. For more information, see Creating and managing partitions.
3.1.1 To configure an authentication scheme for your tenant:
1. At the tenant level, click Authentication schemes on the navigation menu.
2. Select the authentication scheme you want to use on your tenant. For more information, see Understanding authentication schemes.
3. If you selected the Hybrid or SAML authentication scheme, do the following:
a. If you want to set up auto-provisioning on your tenant, turn on the Auto Provisioning switch. By default, this switch is turned off.
b. In the Name box, type a name for the connection values.
c. In the Description box, type a description for the connection values.
d. In the IDP URL box, specify the sign-in URL of your identity provider. For more information, contact your system administrator.
e. If you selected Hybrid, turn on the Secure tunnel switch if the apps require the Tunnel Agent. Otherwise, turn off this switch if the apps do not require the Tunnel Agent.
Note
If you turn on this switch, you must complete additional tasks in Admin Center to set up the Tunnel Agent. For more information, see Setting up the Tunnel Agent.
f. Click Save configuration.
4. If you selected the SAML authentication scheme and enabled auto-provisioning, map SAML assertion claims to OTDS attributes as needed in the Customize claim configuration area.
Type a SAML attribute name in each text box that corresponds to an OTDS attribute you want to map. Click Save custom claims to save the mappings.
The mappings are automatically transferred to the Configuration page of your SAML authentication handler in OTDS. These mappings are then used to set and update attributes on auto-provisioned SAML accounts.
Note
If you previously configured claims mappings for the authentication handler in OTDS, the existing mappings will be overwritten with the new mappings you configure in Admin Center.
3.2 Creating and managing partitions
If your tenant has an Auth partitions page, you can create partitions to configure multiple authentication schemes on your tenant.
When you sign in to Admin Center for the first time, a default partition called Native appears on your tenant. By default, all subscriptions are added to this partition and use the native authentication scheme. If you want to continue to use only the native authentication scheme, you do not need to create additional partitions on your tenant.
If, however, you want to use the SAML, hybrid, or SCIM and SAML authentication scheme, you must create a new partition for the authentication scheme you want to use and then add one or more subscriptions to that partition. Those subscriptions will then use the authentication scheme associated with the new partition, in addition to the native authentication scheme.
When you create new partitions in Admin Center, the corresponding partitions are created automatically in OTDS. When users join a subscription, the users are added to the partition associated with the authentication scheme they used to sign in. For more information, see Viewing partition users and groups.
Note
If needed, you can add a subscription to multiple partitions to allow users from different user sources to join the same subscription. For more information, see Adding a subscription to multiple partitions.
If your tenant does not have an Auth partitions page, you must configure a common authentication scheme for all of the apps on your tenant. For more information, see Configuring an authentication scheme for your tenant.
3.2.1 Creating and configuring a partition
3.2.1.1 To create a partition:
1. At the tenant level, click Auth Partitions on the navigation menu.
2. Click the Add button.
3. In the Partition name box, specify a name for the partition.
4. [Optional] In the Description box, specify a description for the partition.
5. [Optional] In the Domain box, specify one or more domains from which users will be permitted to sign in, for example, domain.com. If you specify multiple domains, separate each value with a comma (,).
6. If you specify one or more domains, users will be permitted to sign in to apps on the partition only if their email address domain matches a domain you have specified. If you leave this box empty, users will be permitted to use an email address from any domain to sign in.
7. Turn on the Allow Salesforce SSO switch if you plan to use the SAML, hybrid, or SCIM and SAML authentication scheme to authenticate Salesforce users.
Note
If you turn on this switch, your system administrator must integrate Salesforce with the OT2 Entitlement and Tenant service, create a user partition in OTDS to synchronize Salesforce accounts, and enable SSO in Salesforce. For more information, see OpenText Directory Services – Installation and Administration Guide (OTDS-IWC) and the Salesforce documentation.
8. Select a color for the partition tile that will be displayed in Admin Center.
9. Click Save.
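The following pre-flight check for the Domain box is an added example, not part of the OpenText guide or product: it shows which existing users a proposed comma-separated domain list would lock out before you save the partition. It assumes the match is an exact, case-insensitive comparison of the email domain (the guide does not say how subdomains are treated), and the function names and sample addresses are constructed for illustration.

```python
import re

# Assumption: entries are plain DNS names like the guide's "domain.com" example.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)

# Constructed sample values, not taken from any real tenant.
SAMPLE_DOMAIN_BOX = "domain.com, Example.ORG, *.partner.example"
SAMPLE_USERS = [
    "alice@domain.com",
    "bob@EXAMPLE.org",
    "carol@mail.domain.com",        # subdomain: no exact match
    "dave@notdomain.com",           # shares a suffix only
    "erin@domain.com.example.net",  # allowed name used as a prefix only
    "frank-without-at-sign",
]


def parse_domain_box(value):
    """Split the comma-separated Domain box value.

    Returns (domains, rejected): normalized, de-duplicated domains and the
    entries that do not look like plain domain names (wildcards, addresses).
    """
    domains, rejected = [], []
    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            continue
        candidate = entry.lower().rstrip(".")
        if DOMAIN_RE.match(candidate):
            if candidate not in domains:
                domains.append(candidate)
        else:
            rejected.append(entry)
    return domains, rejected


def email_domain(address):
    """Return the lower-cased domain part of an address, or None if malformed."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        return None
    return domain.lower().rstrip(".")


def preflight(domain_box, emails):
    """Classify users as permitted or blocked under the proposed Domain value."""
    domains, rejected = parse_domain_box(domain_box)
    # An empty box means any domain may sign in; a box holding only
    # malformed entries is reported instead of being treated as empty.
    unrestricted = not domains and not rejected
    report = {
        "domains": domains,
        "rejected_entries": rejected,
        "unrestricted": unrestricted,
        "permitted": [],
        "blocked": [],
    }
    for address in emails:
        domain = email_domain(address)
        # Exact comparison (assumed): a suffix test such as endswith()
        # would wrongly accept "notdomain.com" for "domain.com".
        if domain is not None and (unrestricted or domain in domains):
            report["permitted"].append(address)
        else:
            report["blocked"].append(address)
    return report


if __name__ == "__main__":
    result = preflight(SAMPLE_DOMAIN_BOX, SAMPLE_USERS)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Review the rejected entries and the blocked list before saving: an address under a subdomain is reported as blocked here only because of the exact-match assumption.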
3.2.1.2 To configure an authentication scheme for the partition:
1. On the Auth partitions page, click the tile that corresponds to the partition you created.
2. On the Authentication scheme tab, select the authentication scheme you want to associate with the partition. For more information, see Understanding authentication schemes.
3. In the Name box, specify a name for the authentication scheme configuration.
4. In the Description box, specify a description for the authentication scheme configuration.
5. In the Provider Name box, specify a name to display for your identity provider on the Admin Center sign-in page.
Users can select which identity provider to use when they sign in to Admin Center. Specify a name that will help users to identify your identity provider on the sign-in page.
6. In the Provider URL box, specify the sign-in URL for your identity provider.
7. If needed, configure one of the following options based on the authentication scheme you selected:
Secure tunnel
If you selected the hybrid authentication scheme, turn on this switch if the apps on the partition require the Tunnel Agent. Otherwise, turn off this switch if the apps do not require the Tunnel Agent.
Note
If you turn on this switch, you must complete additional tasks in Admin Center to set up the Tunnel Agent. For more information, see Setting up the Tunnel Agent.
Sign SAML
If you selected the SAML or SCIM and SAML authentication scheme, turn on this switch to allow OTDS to sign SAML authentication requests that are sent to your identity provider.
You must turn on this option if, for example, you are setting up SAML authentication with an identity provider that accepts single logout requests only if authentication requests are signed.
8. If you selected the hybrid or SAML authentication scheme, turn on the Auto Provisioning switch to enable auto-provisioning on the partition.
Note
To set up auto-provisioning, you must complete additional tasks in both Admin Center and your server environment. For more information, see Setting up SSO with an identity provider.
9. Click Save scheme.
10. If you selected the SAML authentication scheme and enabled auto-provisioning, map SAML assertion claims to OTDS attributes as needed in the Customize claim configuration area.
Type a SAML attribute name in each text box that corresponds to an OTDS attribute you want to map. Click Save custom claims to save the mappings.
The mappings are automatically transferred to the Configuration page of your SAML authentication handler in OTDS. These mappings are then used to set and update attributes on auto-provisioned SAML accounts.
Note
If you previously configured claims mappings for the authentication handler in OTDS, the existing mappings will be overwritten with the new mappings you configure in Admin Center.
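To help decide on the Sign SAML option in step 7, the following added example (not part of the OpenText guide or of OTDS) reads an identity provider's SAML 2.0 metadata and reports whether it sets the standard WantAuthnRequestsSigned attribute, which endpoints it offers for sign-on and single logout, and whether any endpoint is not HTTPS. It assumes the identity provider publishes standard SAML 2.0 metadata; the sample document, URLs and function names are constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample metadata, not from any real identity provider.
SAMPLE_IDP_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/metadata">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/slo"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/sso"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://idp.example.test/sso-post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def _endpoints(idp, tag):
    """List the binding (short name) and location of each endpoint element."""
    return [
        {
            "binding": (el.get("Binding") or "").rsplit(":", 1)[-1],
            "location": el.get("Location") or "",
        }
        for el in idp.findall("md:" + tag, NS)
    ]


def review_idp_metadata(xml_text):
    """Summarize what the IdP metadata implies for the partition settings."""
    # ElementTree is adequate for this inline sample; for metadata fetched
    # over a network, parse with a hardened XML parser such as defusedxml.
    root = ET.fromstring(xml_text)
    # The root may be an EntityDescriptor or an EntitiesDescriptor wrapper.
    idp = root.find(".//md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata contains no IDPSSODescriptor")

    # xs:boolean allows "true"/"1"; the attribute defaults to false.
    flag = (idp.get("WantAuthnRequestsSigned") or "false").strip().lower()
    wants_signed = flag in ("true", "1")

    sso = _endpoints(idp, "SingleSignOnService")
    slo = _endpoints(idp, "SingleLogoutService")
    non_https = [
        e["location"]
        for e in sso + slo
        if urlparse(e["location"]).scheme.lower() != "https"
    ]

    findings = []
    if wants_signed:
        findings.append("IdP sets WantAuthnRequestsSigned: turn on Sign SAML")
    elif slo:
        findings.append(
            "IdP offers single logout without WantAuthnRequestsSigned: check "
            "the IdP documentation for whether logout needs signed requests"
        )
    if not sso:
        findings.append("no SingleSignOnService endpoint to use as sign-in URL")
    for location in non_https:
        findings.append("endpoint is not HTTPS: " + location)

    return {
        "sign_saml_required": wants_signed,
        "sso_endpoints": sso,
        "slo_endpoints": slo,
        "non_https_endpoints": non_https,
        "findings": findings,
    }


if __name__ == "__main__":
    for line in review_idp_metadata(SAMPLE_IDP_METADATA)["findings"]:
        print(line)
```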
3.2.1.3 To add subscriptions to the partition:
1. On the Auth partitions page, click the tile that corresponds to the partition you created.
2. On the Subscriptions tab, in the Associated subscriptions area, click the Add button.
3. In the Associate subscriptions list, select a subscription.
4. Click Associate.
5. Repeat the previous steps to add other subscriptions to the partition as needed.
Tip
If needed, you can add a subscription to multiple partitions to allow users from different user sources to join the same subscription. For more information, see Adding a subscription to multiple partitions.
3.2.1.4 Adding a subscription to multiple partitions
You can add a subscription to multiple partitions if, for example, you want to allow users from different user sources to join the same subscription through auto-provisioning.
3.2.1.5 Example 2.1: Adding a subscription to multiple partitions
You want to allow users from both an Active Directory system and an Okta system to join the same subscription through auto-provisioning. To do so, you can create the following partitions:
• Partition 1, which uses the hybrid authentication scheme to authenticate users from the Active Directory system.
• Partition 2, which uses the SAML authentication scheme to authenticate users from the Okta system.
If you then add the subscription to both Partition 1 and Partition 2, users from both the Active Directory and Okta systems will be added to the subscription automatically when they sign in to the OT2 platform. In Admin Center, users will be added to the partition associated with the authentication scheme they use to sign in.
3.2.2 Viewing partition details
After clicking a partition tile on the Auth partitions page, you can click the Partition details tab to view information about the corresponding partition, for example, the partition name, tile color, and whether the Allow Salesforce SSO option is selected on the partition.
On partitions that you have created, the following information also appears on the tab:
• SAML metadata URL: A URL that specifies the location of the SAML metadata file.
• SAML SSO URL: A URL that specifies the SSO sign-in page of your SAML identity provider.
• SAML login URL: A URL that specifies the sign-in page of your SAML identity provider.
• SCIM Sync URL: A URL that specifies the base SCIM endpoint for OTDS.
You can use these URLs to configure SSO with your identity provider. For more information, see Setting up SSO with an identity provider.
3.2.3 Viewing partition users and groups
After clicking a partition tile on the Auth partitions page, you can click the Users tab and, if applicable, the Groups tab to view all of the users and groups that belong to the corresponding partition.
On the Native partition, the Users tab lists all of the users who have been invited to a subscription and all of the users who have joined a subscription through an email invitation.
On partitions you have created, the Users and Groups tabs list all of the users and groups that have been added to the corresponding partition through auto-provisioning or user and group synchronization. For example, if a user signs in to an app on a partition that has auto-provisioning enabled, that user is automatically assigned to the subscription and added to the partition, and the user’s name appears on the partition’s Users tab.
The users on each Users tab also appear on the following pages in Admin Center:
• The Tenant users page. For more information, see Managing tenant users.
• The Users page at the subscription level. For more information, see “Managing subscription users” in OpenText OT2 Admin Center – Subscription Administrator Help.
Users who are added to a partition through auto-provisioning or user and group synchronization are also added to the partition’s tenant group on the Tenant groups page. For more information, see Understanding tenant groups.
Tip
If you want users to use a different authentication scheme or identity provider, you can move users to a different partition on the Tenant users page. For more information, see Moving users to a different partition.
3.2.3.1 To view partition users and groups:
1. At the tenant level, click Auth Partitions on the navigation menu.
2. On the Auth partitions page, click a tile.
3. Click the Users tab to view all of the users who have been added to the corresponding partition.
4. If you clicked a tile for a partition you created, click the Groups tab to view all of the groups that have been added to the partition. If you want to view the members of a group, click a group name in the list.
3.2.4 Removing a subscription from a partition you created
You can remove a subscription from a partition you created if, for example, you no longer want users to join that subscription automatically through auto-provisioning or user and group synchronization.
After you remove a subscription, all of the users who previously joined that subscription through auto-provisioning or user and group synchronization will remain on the partition and can continue using the corresponding app with their existing credentials. If you no longer want those users to access the app, you must remove the users from the subscription at the subscription level. For more information, see “Removing a user from a subscription” in OpenText OT2 Admin Center – Subscription Administrator Help.
Note
You cannot remove subscriptions from the Native partition.
3.2.4.1 To remove a subscription from a partition you created:
1. At the tenant level, click Auth Partitions on the navigation menu.
2. On the Auth partitions page, click a partition tile and then click the Subscriptions tab.
3. In the Associated subscriptions list, click the Remove button in the row that corresponds to the subscription you want to remove.
4. When prompted to remove the subscription, click Yes, continue.
3.2.5 Deleting an authentication scheme from a partition you created
You can delete the authentication scheme that you configured for a partition you created if you want to configure a new authentication scheme for that partition.
Note
You cannot remove the authentication scheme from the Native partition.
3.2.5.1 To delete an authentication scheme from a partition you created:
1. At the tenant level, click Auth Partitions on the navigation menu.
2. On the Auth partitions page, click a partition tile and then click the Authentication scheme tab.
3. Click Delete scheme.
4. When prompted to delete the authentication scheme, click Yes, continue.
3.2.6 Deleting a partition you created
You can delete a partition you created if it does not contain subscriptions or users.
Note
You cannot delete the Native partition.
3.2.6.1 To delete a partition you created:
1. At the tenant level, click Auth Partitions on the navigation menu.
2. On the Auth partitions page, click a partition tile and then click the Partition details tab.
3. In the Details area, click Remove.
3.2.7 Managing the Native partition
3.2.7.1 Configuring a password policy
Users who are invited to subscriptions must create account credentials on the OT2 platform. For more information, see Inviting users to subscriptions. These users are automatically added to the Native partition when they sign in to your tenant.
In Admin Center, you can optionally configure a password policy to specify rules for creating and using passwords on the OT2 platform. For example, you can specify whether the passwords that users create must contain a minimum number of characters and symbols, and you can specify how often users are permitted to change their passwords.
By default, the Native partition uses the global password policy that is configured in OTDS. You can choose to keep the default global password policy or edit the policy values in Admin Center to specify a different set of rules for creating and using passwords. The password policy values you configure in Admin Center override the corresponding global password policy values in OTDS.
1. At the tenant level, click Auth Partitions on the navigation menu.
2. On the Auth partitions page, click the Native tile, and then click the Login settings tab.
3. Click Edit.
4. Do one of the following:
• If you want to use the global password policy that is configured in OTDS, confirm that the Use Global Policy check box is selected. By default, this check box is selected.
• If you want to specify a different set of password policy rules, clear the Use Global Policy check box and configure the rules you want to use.
Each box corresponds to a different rule. In each box, you can type a new numeric value or use the arrow buttons to select a new value. If you want to disable a rule, specify a value of 0 in the corresponding box.
For more information about each rule, see Password policy rules.
5. Click Save.
3.2.7.2 Password policy rules
On the Auth partitions page, you can configure the following password policy rules on the Login settings tab:
Minimum characters
The minimum number of characters that users must include in a password.
Minimum numeric characters
The minimum number of numeric characters that users must include in a password.
Minimum special characters
The minimum number of special characters that users must include in a password. Examples of special characters include the exclamation mark (!), at symbol (@), and hashtag (#).
Minimum uppercase
The minimum number of uppercase characters that users must include in a password.
Minimum lowercase
The minimum number of lowercase characters that users must include in a password.
Minimum number character changes from previous
The minimum number of characters that must be different in a new password if users reuse sequential characters from an old password in the new password.
Do not allow reuse of last (x) passwords
The number of passwords that must be unique before users can reuse an old password.
Maximum continuous characters from username
The maximum number of sequential characters that users can repeat from their username when creating or changing a password.
Allow password change after (x) days
The minimum number of days that must pass before users can change a password.
Password expires in (x) days
The number of days that must pass before a password expires and must be changed.
Attempts before lockout
The maximum number of invalid password attempts that users can make before they are locked out of their accounts.
Lockout duration in minutes
The length of time, in minutes, for which users are locked out of their accounts if they exceed the maximum number of invalid password attempts. Locked accounts are unlocked automatically when the Lockout duration in minutes period expires.
Tip
If a user needs to access a locked account before the Lockout duration in minutes period expires, you can unlock the account manually on the Tenant users page. For more information, see Unlocking user accounts.
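The composition rules above can be tried against candidate passwords before a policy is rolled out. The following is an added example, not code from Admin Center or OTDS: the field names, the use of `string.punctuation` as the special-character set, and the case-insensitive username comparison are assumptions, and the history, expiry, and lockout rules are left out because they depend on stored state.

```python
import string
from dataclasses import dataclass


@dataclass
class PasswordPolicy:
    """Composition rules from the Login settings tab.

    Field names are hypothetical. A value of 0 disables the rule,
    as the guide states.
    """
    min_characters: int = 0
    min_numeric: int = 0
    min_special: int = 0
    min_uppercase: int = 0
    min_lowercase: int = 0
    max_continuous_from_username: int = 0


def longest_shared_run(password: str, username: str) -> int:
    """Length of the longest run of consecutive characters found in both
    strings, compared case-insensitively (an assumption)."""
    p, u = password.lower(), username.lower()
    best = 0
    prev = [0] * (len(u) + 1)
    for pc in p:
        cur = [0] * (len(u) + 1)
        for j, uc in enumerate(u, start=1):
            if pc == uc:
                # Extend the run that ended at the previous character pair.
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best


def check_password(policy: PasswordPolicy, username: str, password: str) -> list:
    """Return the names of the rules that the candidate password breaks."""
    observed = [
        ("Minimum characters", policy.min_characters, len(password)),
        ("Minimum numeric characters", policy.min_numeric,
         sum(c.isdigit() for c in password)),
        # Assumption: "special" means ASCII punctuation.
        ("Minimum special characters", policy.min_special,
         sum(c in string.punctuation for c in password)),
        ("Minimum uppercase", policy.min_uppercase,
         sum(c.isupper() for c in password)),
        ("Minimum lowercase", policy.min_lowercase,
         sum(c.islower() for c in password)),
    ]
    # A required value of 0 means the rule is disabled and is skipped.
    violations = [name for name, required, seen in observed
                  if required > 0 and seen < required]
    limit = policy.max_continuous_from_username
    if limit > 0 and longest_shared_run(password, username) > limit:
        violations.append("Maximum continuous characters from username")
    return violations


# Constructed sample policy and candidates (not values from the guide).
SAMPLE_POLICY = PasswordPolicy(
    min_characters=12, min_numeric=2, min_special=1,
    min_uppercase=1, min_lowercase=1, max_continuous_from_username=3,
)

if __name__ == "__main__":
    for candidate in ("Jsmith2024!", "Tr4vel-Lamp-92-Quiet"):
        print(candidate, check_password(SAMPLE_POLICY, "jsmith@example.com", candidate))
```

The second candidate shares the run "amp" with the username ("Lamp" and "example"), which sits exactly at the limit of 3 and therefore passes.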
3.2.7.3 Configuring two-factor authentication
If needed, you can enable two-factor authentication on the Native partition to protect your tenant from unauthorized access.
By default, two-factor authentication is disabled and users who are added to the Native partition are prompted to provide only their OT2 account credentials when they sign in to your tenant.
If you enable two-factor authentication, users who are added to the Native partition are prompted to provide both their OT2 account credentials and an authentication code when they sign in to your tenant for the first time. Users must use an authenticator app, such as Microsoft Authenticator or Google Authenticator, on a mobile device to generate an authentication code using either the QR code or secret key that appears on the Admin Center sign-in page. Users must then enter the generated authentication code on the sign-in page to access your tenant.
When you enable two-factor authentication, you can specify whether users must enter an authentication code each time they sign in to your tenant or whether users can skip the two-factor authentication process if they have already entered an authentication code for a device.
1. At the tenant level, click Auth Partitions on the navigation menu.
2. On the Auth partitions page, click the Native tile, and then click the Login settings tab.
3. Click Edit.
4. In the Two factor auth settings area, select Enable 2FA to enable two-factor authentication on the partition.
5. [Optional] Clear the Allow skip of known devices check box if you want to hide the Don’t ask me for a code again when I log in from this device check box from the Admin Center sign-in page when two-factor authentication is enabled. In this case, users will need to enter an authentication code each time they sign in to your tenant.
By default, the Allow skip of known devices check box is selected and the Don’t ask me for a code again when I log in from this device check box appears on the Admin Center sign-in page when two-factor authentication is enabled. In this case, users who select Don’t ask me for a code again when I log in from this device will not need to enter an authentication code to sign in if they have already completed the two-factor authentication process on a device.
6. Click Save.
3.3 Setting up SSO with an identity provider
Admin Center supports SAML-based SSO with identity providers such as Okta and Azure Active Directory.
If you want to set up SAML-based SSO with Admin Center, you can do either of the following:
• Set up auto-provisioning with an identity provider that supports SAML.
• Set up user and group synchronization between Azure Active Directory and Admin Center.
3.3.1 Setting up auto-provisioning
You can set up auto-provisioning if you want to configure SSO with an identity provider that supports SAML authentication, for example, Okta or Azure Active Directory.
After you set up auto-provisioning, users from the identity provider are automatically added to your Admin Center tenant and assigned to subscriptions when they sign in to the OT2 platform using their credentials from the identity provider.
3.3.2 Synchronizing Azure Active Directory users and groups with Admin Center
If you are using Azure Active Directory, you can set up a process to synchronize user and group information automatically between Azure Active Directory and your Admin Center tenant.
After you set up user and group synchronization, users and groups from the identity provider are automatically added to a partition on your Admin Center tenant during the synchronization process. As a result, these users and groups are automatically assigned to all of the subscriptions on that partition.
If you add users to or remove users from the Azure Active Directory system, the corresponding users are automatically added to or removed from your Admin Center tenant the next time Azure Active Directory runs the synchronization process.
When you set up user and group synchronization, you must also set up SAML authentication to enable users to sign in to Admin Center using their Azure Active Directory credentials.
Note
During the synchronization process, Azure Active Directory communicates with OTDS and Admin Center over the SCIM protocol.
3.3.2.1 SSO scenarios
To set up SSO with an identity provider, you need to complete some tasks in your server environment and some tasks in Admin Center.
3.3.2.1.1 Scenario 1: Setting up SAML-based SSO with an Okta system
The following procedure describes how to set up SAML-based SSO with Okta through auto-provisioning.
Note
For more information about Okta, see the Okta Help Center.
1. In Admin Center, do the following:
• If your tenant has an Auth partitions page, create a new partition without configuring an authentication scheme for it. On that partition, add subscriptions for the apps you want to allow users to access. For more information, see Creating and configuring a partition.
• Copy the SAML SSO URL and SAML Metadata URL values from the Auth partitions or Tenant details page to a location where you can access them easily later.
If your tenant has an Auth partitions page, these URLs appear on the new partition’s Partition details tab. For more information, see Viewing partition details.
If your tenant has an Authentication schemes page, these URLs appear on the Tenant details page. For more information, see Viewing tenant details.
2. In Okta Admin Console, create a new SSO application. For more information, see “Create your integration” in the Okta Developer Platform help.
When creating the new application, you must do the following on the Configure SAML tab:
a. In the Single Sign on URL box, specify the SAML SSO URL value you copied from Admin Center.
b. Select the Use this for Recipient and Destination URL check box.
c. In the Audience URI (SP Entity ID) box, specify the SAML Metadata URL value you copied from Admin Center.
d. In the Name ID format list, select Email Address.
e. [Optional] On the advanced settings page, set the Response and Assertion Signature values to Signed if you want SAML responses and assertions to be signed.
3. When you are finished creating the application, click the Identity provider metadata link to copy the identity provider URL. Paste the URL to a location where you can access it easily later.
4. In Admin Center, do one of the following:
a. If your tenant has an Auth partitions page, go to the Authentication scheme tab that belongs to the partition you created in step 1, and configure the SAML authentication scheme on that partition. For more information, see Creating and configuring a partition.
b. If your tenant has an Authentication schemes page, configure the SAML authentication scheme on your tenant. For more information, see Configuring an authentication scheme for your tenant.
When configuring the authentication scheme, you must do the following:
c. Confirm that the Auto Provisioning switch is turned on.
d. In the Provider URL box, provide the identity provider URL you copied from the Okta system.
Users can then sign in to Admin Center using their credentials from the Okta system. After they sign in, users are added to the Admin Center partition or site automatically and can access the corresponding app.
3.3.2.1.2 Scenario 2: Setting up SAML-based SSO with Azure Active Directory
The following procedure describes how to set up SAML-based SSO with Azure Active Directory through auto-provisioning.
Note
For more information about Azure Active Directory, see the Azure Active Directory documentation.
1. In Admin Center, do the following:
a. If your tenant has an Auth partitions page, create a new partition without configuring an authentication scheme for it. On that partition, add subscriptions for the apps you want to allow users to access. For more information, see Creating and configuring a partition.
b. Copy the SAML Login URL and SAML SSO URL values from Admin Center to a location where you can access them easily later.
If your tenant has an Auth partitions page, these values appear on the new partition’s Partition details tab. For more information, see Viewing partition details.
If your tenant has an Authentication schemes page, these values appear on the Tenant details page. For more information, see Viewing tenant details.
2. Sign in to Azure Active Directory and do the following to add a non-gallery application:
a. Click Enterprise applications.
b. Click New application and select Non-gallery application.
c. Specify a name for the application and click Add.
3. To configure SAML authentication for the application, do the following in Azure Active Directory:
a. Click the application name in the list of enterprise applications.
b. Click Single Sign-on.
c. On the Select a single sign-on method page, select SAML.
d. On the Set up Single Sign-On with SAML page, do the following:
i. In the Basic SAML Configuration area, specify the following values:
• In the Identifier (Entity ID) box, specify the SAML Login URL value you copied from Admin Center.
• In the Reply URL, Sign-on URL, and Logout URL boxes, specify the SAML SSO URL value you copied from Admin Center.
ii. In the User Attributes & Claims area, do the following:
• Change the default mapping of Emailaddress to user.userprincipalname.
• Change the default mapping of name to user.displayname.
• Click Add a group claim. In the Group Claims dialog box, select All Groups, and then click Save.
iii. From the Additional claims area, copy all of the claim name URLs and paste them to a location where you can access them easily later.
iv. In the SAML Signing Certificate area, copy the App federation metadata URL value and paste it to a location where you can access it easily later.
4. In Admin Center, do one of the following to configure an authentication scheme for your partition or site:
a. If your tenant has an Auth partitions page, go to the Authentication scheme tab that belongs to the partition you created in step 1, and configure the SAML authentication scheme. For more information, see Creating and configuring a partition.
b. If your tenant has an Authentication schemes page, configure the SAML authentication scheme on your tenant. For more information, see Configuring an authentication scheme for your tenant.
When configuring the authentication scheme, you must do the following:
c. Confirm that the Auto Provisioning switch is turned on.
d. In the Provider URL box, provide the App federation metadata URL value you copied from the Azure Active Directory system.
e. In the Customize claim configuration area, configure the following mappings:
Admin Center value    Azure Active Directory claim value
Mail                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
Name                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
Surname               http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
Displayname           http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Group                 http://schemas.microsoft.com/ws/2008/06/identity/claims/groups
5. In Azure Active Directory, create one or more users and groups. For more information, see https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/.
6. To allow those users and groups to access an app on the partition or site, do either of the following:
a. Send the app’s subscription URL to each user and group. To do so, copy the subscription URL from the Details page in Admin Center and then paste the URL in an email that you send to users. For more information, see “Sharing the subscription URL with users” in OpenText OT2 Admin Center – Subscription Administrator Help.
Users can then click the subscription URL to access the app’s sign-in page and provide their Azure Active Directory credentials to sign in.
b. Assign an app role to each user or group at the subscription level. For more information, see “Assigning app roles to users or groups on the Roles page” in OpenText OT2 Admin Center – Subscription Administrator Help.
Users will then receive an email invitation automatically. Users can click the subscription URL in that email to access the app’s sign-in page and provide their Azure Active Directory credentials to sign in.
After they sign in, users are added to the Admin Center partition or site automatically and can access the corresponding app.
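When auto-provisioned users arrive with empty names or no groups, the usual cause is a claim in the step 4e mapping table that the identity provider never sent. The following added example, which is not part of the guide or of Admin Center, reads the attribute statement of a captured test assertion and reports which Admin Center values are mapped, missing, or unmapped. The sample assertion, user, and group IDs are constructed, and the script checks configuration only, not the assertion signature.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Admin Center value -> Azure Active Directory claim URI (mapping table, step 4e).
CLAIM_MAP = {
    "Mail": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "Name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "Surname": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
    "Displayname": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "Group": "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups",
}

# Constructed sample: surname is deliberately absent and one extra claim is present.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>avery.lee@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
      <saml:AttributeValue>Avery</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
      <saml:AttributeValue>Avery Lee</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>00000000-0000-0000-0000-0000000000a1</saml:AttributeValue>
      <saml:AttributeValue>00000000-0000-0000-0000-0000000000a2</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid">
      <saml:AttributeValue>00000000-0000-0000-0000-0000000000ff</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_claims(assertion_xml: str) -> dict:
    """Return {claim URI: [values]} from the assertion's attribute statement."""
    # A SAML assertion has no reason to carry a DTD; refuse it before parsing
    # so entity-expansion tricks never reach the XML parser.
    if "<!DOCTYPE" in assertion_xml or "<!ENTITY" in assertion_xml:
        raise ValueError("DTD or entity declaration found in assertion")
    root = ET.fromstring(assertion_xml)
    claims = {}
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        values = [v.text.strip()
                  for v in attr.iterfind("saml:AttributeValue", SAML_NS)
                  if v.text and v.text.strip()]
        claims.setdefault(attr.get("Name"), []).extend(values)
    return claims


def check_mapping(claims: dict):
    """Compare received claims with CLAIM_MAP.

    Returns (mapped, missing, unmapped): values found per Admin Center field,
    fields whose claim is absent or empty, and claim URIs with no mapping.
    """
    mapped, missing = {}, []
    for field, uri in CLAIM_MAP.items():
        values = claims.get(uri, [])
        if values:
            mapped[field] = values
        else:
            missing.append(field)
    unmapped = sorted(set(claims) - set(CLAIM_MAP.values()))
    return mapped, missing, unmapped


if __name__ == "__main__":
    mapped, missing, unmapped = check_mapping(extract_claims(SAMPLE_ASSERTION))
    print("mapped:", mapped)
    print("missing:", missing)
    print("unmapped:", unmapped)
```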
3.3.2.1.3 Scenario 3: Setting up SCIM synchronization with Azure Active Directory
Note
You can complete this procedure if your Admin Center tenant has an Auth partitions page. You cannot complete this procedure if your tenant has an Authentication schemes page.
For more information about Azure Active Directory, see the Azure Active Directory documentation.
1. In Admin Center, do the following:
a. Create a new partition without configuring an authentication scheme for it. On that partition, add subscriptions for the apps you want to allow users to access. For more information, see Creating and configuring a partition.
b. On the new partition’s Partition details tab, copy the SCIM Sync URL, SAML SSO URL, and SAML Login URL values to a location where you can access them easily later. For more information, see Viewing partition details.
c. On the API service credentials page, generate client credentials for Azure Active Directory at the tenant level. For more information, see Generating client credentials for Azure Active Directory.
2. Sign in to Azure Active Directory and do the following to add a non-gallery application:
a. Click Enterprise applications.
b. Click New application and select Non-gallery application.
c. Specify a name for the application and click Add.
3. Click the application name in the list of enterprise applications.
4. Click Provisioning.
5. On the Provisioning page, do the following:
a. In the Admin Credentials area, in the Tenant URL box, specify the SCIM Sync URL value you copied from Admin Center.
b. In the Mappings area, click Provision Azure Active Directory Users. On the Attribute Mapping page, change the Source Attribute value of the mail attribute to userPrincipalName.
c. In the Settings area, set the Provisioning Status value to On. For more information about the Provisioning page, see “Managing user account provisioning for enterprise apps in the Azure portal” in the Azure Active Directory documentation.
6. To configure SAML authentication for the application, do the following:
a. Click Single Sign-on.
b. On the Select a single sign-on method page, select SAML.
c. On the Set up Single Sign-On with SAML page, do the following:
i. In the Basic SAML Configuration area, specify the following values:
• In the Identifier (Entity ID) box, specify the SAML Login URL value you copied from Admin Center.
• In the Reply URL, Sign-on URL, and Logout URL boxes, specify the SAML SSO URL value you copied from Admin Center.
ii. In the User Attributes & Claims area, do the following:
• Change the default mapping of Emailaddress to user.userprincipalname.
• Change the default mapping of name to user.displayname.
• Click Add a group claim. In the Group Claims dialog box, select All Groups, and then click Save.
iii. In the SAML Signing Certificate area, copy the App federation metadata URL value and paste it to a location where you can access it easily later.
7. In Admin Center, configure the SCIM and SAML authentication scheme on your tenant. For more information, see Configuring an authentication scheme for your tenant.
In the Provider URL box, provide the App federation metadata URL value you copied from the Azure Active Directory system.
8. In Azure Active Directory, create all of the users and groups you want to synchronize. For more information, see https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/.
After Azure Active Directory runs the synchronization process for the first time, users and groups automatically appear on the Users and Groups tabs on the partition you created in Admin Center.
9. To allow users and groups to access an app on the partition or site, do either of the following after the synchronization process takes place:
a. Send the app’s subscription URL to each Azure Active Directory user and group. To do so, copy the subscription URL from the Details page in Admin Center and then paste the URL in an email that you send to users. For more information, see “Sharing the subscription URL with users” in OpenText OT2 Admin Center – Subscription Administrator Help.
Users can then click the subscription URL to access the app’s sign-in page and provide their Azure Active Directory credentials to sign in.
b. Assign an app role to each Azure Active Directory user or group at the subscription level. For more information, see “Assigning app roles to users or groups on the Roles page” in OpenText OT2 Admin Center – Subscription Administrator Help.
Users will then receive an email invitation automatically. Users can click the subscription URL in that email to access the app’s sign-in page and provide their Azure Active Directory credentials to sign in.
3.4 Setting up the Tunnel Agent
The Tunnel Agent is an on-premises component that enables OT2 apps to communicate securely with on-premises repositories and applications behind a firewall.
If you configured the Hybrid authentication scheme on a tenant or partition and your system administrator has chosen to install and configure the Tunnel Agent in your on-premises environment, you must complete the following tasks:
1. Turn on the Secure tunnel switch for the Hybrid authentication scheme. For more information, see Configuring an authentication scheme for your tenant or Creating and configuring a partition.
2. Generate client credentials for the Tunnel Agent. For more information, see Generating client credentials.
3. Turn on the Secure tunnel switch when you configure repository connections. For more information, see Configuring connection settings.
For more information about the Tunnel Agent, see the OpenText OT2 Tunnel Agent Configuration Guide on OpenText My Support.
3.5 Generating client credentials
Client credentials enable clients to request OAuth access tokens to access resources.
When setting up your Admin Center tenant, you must generate client credentials in the following scenarios:
If the apps on your tenant require the Tunnel Agent.
In this scenario, you must generate client credentials in Admin Center and provide them to your system administrator. Your system administrator can then use the client credentials you provide to configure the Tunnel Agent in your organization’s server environment. After the Tunnel Agent is configured, the client credentials enable the Tunnel Agent to request OAuth access tokens to communicate with Admin Center.
For more information about the Tunnel Agent, see Setting up the Tunnel Agent.
If you want to synchronize users and groups between Azure Active Directory and your Admin Center tenant automatically.
In this scenario, if you configured Azure Active Directory to synchronize users and groups automatically, the client credentials that you generate in Admin Center enable Azure Active Directory to request OAuth access tokens to communicate with OTDS and Admin Center using the SCIM protocol.
For more information, see Synchronizing Azure Active Directory users and groups with Admin Center.
Tip
For more information about the OAuth framework, see https://oauth.net/.
3.5.1 Generating client credentials for the Tunnel Agent
Note
You can also generate client credentials for the Tunnel Agent at the subscription level if, for example, you want each app to use different client credentials. For more information, see “Generating client credentials for the Tunnel Agent” in OpenText OT2 Admin Center – Subscription Administrator Help.
1. At the tenant level, click API service credentials on the navigation menu.
2. On the API service credentials page, click the Add button, and select Create API key.
3. In the Description box, type a description for the credentials.
4. In the Access token lifetime (seconds) box, specify the length of time, in seconds, that the OAuth access token will be valid for after it is generated. The default value is 900 seconds.
5. In the Refresh token lifetime box, specify the length of time, in seconds, that the OAuth refresh token will be valid for after it is generated. The default value is 28800 seconds.
6. Click Create to generate the client credentials.
7. Click Copy to copy the client ID and client secret values to your clipboard. Paste these values to a location where you can access them easily later.
8. Click Ok, I understand to close the dialog box.
Note
You must provide the client ID and client secret values you generated to your system administrator.
3.5.2 Generating client credentials for Azure Active Directory
Note
Before completing this procedure, you must create a partition in Admin Center. For more information, see Scenario 3: Setting up SCIM synchronization with Azure Active Directory.
1. At the tenant level, click API service credentials on the navigation menu.
2. On the API service credentials page, click the Add button, and select Create SCIM Oauth Key.
3. In the Client ID box, specify the client ID value of the OAuth client. This value must take the form AZURE_SCIM_directory_ID, where directory_ID is the directory ID value from Azure Active Directory.
Tip
The directory ID value is located on the Properties page in Azure Active Directory.
For more information, see “Quickstart: Set up a tenant” in the Azure Active Directory documentation.
4. In the Access token lifetime (seconds) box, specify the length of time, in seconds, that the OAuth access token will be valid for after it is generated. The default value is 900 seconds.
5. In the Refresh token lifetime box, specify the length of time, in seconds, that the OAuth refresh token will be valid for after it is generated. The default value is 28800 seconds.
6. In the Partition list, select the partition you created to synchronize Azure Active Directory users and groups.
7. Click Create to generate the client credentials.
8. Click Ok, I understand to close the dialog box.
3.5.3 Changing the expiry periods or partition for access tokens
After generating client credentials, you can optionally increase or decrease the expiry periods for the OAuth access tokens that are used to communicate with Admin Center.
If you generated client credentials for Azure Active Directory, you can also assign the generated client credentials to a different Admin Center partition if, for example, you want to synchronize Azure Active Directory user and group information with a new partition.
1. At the tenant level, click API service credentials on the navigation menu.
2. Click the More options button in the row that corresponds to the credentials for which you want to change the access token expiry periods or partition and select Edit.
3. In the Access token lifetime (seconds) and Refresh token lifetime (seconds) boxes, specify new expiry periods for the OAuth access and refresh tokens as needed. You can type new numeric values or use the arrow buttons to select new values.
4. In the Partitions list, select a new partition for the client credentials as needed.
5. Click Update.
3.5.4 Regenerating a client secret value
If you need to change the client secret value you are using for security reasons, you can generate a new client secret value for an existing client ID. After you regenerate a client secret value, the new client secret value is associated with the existing client ID and the old client secret value is disabled.
1. At the tenant level, click API service credentials on the navigation menu.
2. Click the More options button in the row that corresponds to the credentials for which you want to regenerate the client secret value and select Regenerate.
3. The Regenerate credentials dialog box displays the description, client ID, and access token expiry periods for the new client secret value you will generate. These values are read-only.
4. Click Regenerate to generate a new client secret value.
5. If you need to provide the new client secret value to your system administrator to configure the Tunnel Agent, click Copy to copy the client secret value you generated to your clipboard and paste this value to a location where you can access it easily later.
6. Click Ok, I understand to close the dialog box.
4 Configuring connection settings
If you need to connect apps to on-premises repositories, such as Content Server and Documentum Server, you must configure repository connections on your tenant. You must configure a connection for each repository to which you want to connect apps.
On the Connections page, you can configure connection settings for Documentum Server repositories on the D2 connections tab. You can configure connection settings for all other types of repositories, such as Content Server and Salesforce, on the General connections tab.
After you configure D2 connections at the tenant level, subscription administrators can select those connections for apps at the subscription level. For more information, see “Connecting an app to one or more repositories” in OpenText OT2 Admin Center – Subscription Administrator Help.
4.1 Configuring repository connection settings
4.1.1 To configure connection settings for a repository other than Documentum:
1. At the tenant level, click Connections on the navigation menu.
2. Click the General connections tab.
3. Click the Add button.
4. In the Connection name box, type a name for the connection.
5. [Optional] In the Description box, type a description for the connection.
6. If the Tunnel Agent is configured in your on-premises environment, turn on the Use secure tunnel switch. For more information, see Setting up the Tunnel Agent.
7. In the Connection type list, select a connection type.
8. Specify parameter values for the connection type you selected. For more information about the values you can specify, see the documentation for your app on OpenText My Support or contact your system administrator.
9. Click Test connection to test the connection.
10. Click Save.
4.1.2 To configure connection settings for a Documentum repository:
1. At the tenant level, click Connections on the navigation menu.
2. Click the D2 connections tab.
3. Click the Add button.
4. In the Connection name box, type a name for the connection.
5. In the Description box, type a description for the connection.
6. In the Connection URL box, type the URL for the Documentum Server system you want to connect to one or more apps.
7. If the Tunnel Agent is configured in your on-premises environment, turn on the Secure tunnel switch. For more information, see Setting up the Tunnel Agent.
8. Click Test connection to test the connection.
9. Click Save.
5 Managing your tenant
At the tenant level, you can configure email notification settings and other settings that apply to all of the subscriptions on your tenant by default. You can also view tenant and subscription information.
5.1 Managing subscriptions
The Subscriptions page lists all of the app subscriptions that you are permitted to manage on your tenant. You can use this page to view information about each subscription, for example, the subscription URL and number of days left in the subscription.
5.1.1 To open the Subscriptions page:
At the tenant level, click Subscriptions on the navigation menu.
Tip
If you want to manage a subscription, click a subscription in the list. For more information about managing subscriptions, see OpenText OT2 Admin Center – Subscription Administrator Help.
5.2 Customizing Admin Center emails
You can customize the image, reply email address, and sender name displayed in all emails that Admin Center sends for all subscriptions on your tenant, for example, emails you send to invite users to subscribe to apps and invite users to become tenant and subscription administrators.
5.2.1 Customizing the image displayed in emails
Before customizing the image, you must save the .png, .gif, or .svg image file you want to use in a public location, for example, a shared folder on an on-premises server.
5.2.1.1 To customize the image displayed in emails:
1. At the tenant level, click Email notifications and then click Logo on the navigation menu.
2. In the text box, type the fully qualified URL of the image file you want to use, for example, https://server.domain.com/PublicFolder/logo.png. The URL must start with https.
3. Click APPLY.
4. Click Save.
5.2.2 Customizing the reply address and sender name in emails
5.2.2.1 To customize the reply address and sender name in emails:
1. At the tenant level, click Email notifications and then click Sender on the navigation menu.
2. In the Sender box, type the reply email address you want to use.
3. In the Display Name box, type the sender name you want to use.
4. Click Save.
5.3 Viewing tenant details
You can use the Tenant details page to view information about your tenant.
If your tenant has an Auth partitions page, the following information appears on the Tenant details page:
• Partitions: The partitions on your tenant.
• Tenant name: The tenant name specified by your OpenText Account Executive.
• Tenant ID: The unique ID of your tenant. Admin Center automatically assigns a unique ID to each tenant. If you are managing apps on multiple tenants, you can click the specify a different tenant link on the Admin Center sign-in page and provide a tenant ID to switch to that tenant.
• Company description: The company description specified by your OpenText Account Executive.
• External ID: The external ID of your tenant specified by your OpenText Account Executive.
• Registered since: The date on which the tenant was created in Admin Center.
• Language: The default language that is selected for your tenant.
If your tenant has an Auth partitions page, the following information appears on the Tenant details page:
• Tenant name: The tenant name specified by your OpenText Account Executive.
• Tenant email domains: The domain or domains in which the tenant is located.
• Registered since: The date on which the tenant was created in Admin Center.
• Tenant users: The total number of users who are assigned to subscriptions on the tenant.
• Subscriptions: The subscriptions that are available on the tenant. Each icon represents a different subscription.
• SAML metadata URL: A URL that specifies the location of the SAML metadata file.
• SAML SSO URL: A URL that specifies the SSO sign-in page of your SAML identity provider.
• SAML login URL: A URL that specifies the sign-in page of your SAML identity provider.
• SCIM Sync URL: A URL that specifies the base SCIM endpoint for OTDS.
Tip
You can use the URL values to configure auto-provisioning on your identity provider. For more information, see SSO scenarios.
6 Managing users and groups
At the tenant level, you can add and remove tenant administrators, monitor user subscriptions, and create and manage tenant groups.
6.1 Adding and removing tenant administrators
You can add tenant administrators if you want to allow other users to configure tenant settings and manage all of the subscriptions on your tenant.
When you add a tenant administrator to your tenant, Admin Center sends an email invitation to that user at the email address you specify. The user’s status is also set to Invitation Pending on the Tenant admins page. The user must click the link in that email to register an account on the OT2 platform and sign in to Admin Center. After the user signs in, the user’s status changes to Active on the Tenant admins page. The user must use that email link and the registered OT2 credentials to sign in as a tenant administrator in the future.
Tip
If your tenant has an Authentication schemes page, a Tenant column appears on the Tenant admins and Tenant users pages. This column indicates whether each user is internal or external on the current tenant. For more information, see Understanding the Tenant column on the Tenant admins and Tenant users pages.
6.1.1 Adding a tenant administrator
1. At the tenant level, click Tenant admins on the navigation menu.
2. Click the Add button.
3. In the text box, type an email address or search for and select the email address that belongs to the user you want to add as a tenant administrator.
4. Click Invite.
6.1.2 Resending email invitations
If needed, you can resend email invitations to users who have an Invitation Pending status on the Tenant admins page. For more information about the Invitation Pending status, see Adding and removing tenant administrators.
1. At the tenant level, click Tenant admins on the navigation menu.
2. Click the More options button in the row that corresponds to the user who you want to resend the invitation to.
3. Select Resend invite.
4. [Optional] In the text box, type a new email address to which to send the invitation.
5. Click Resend.
6.1.3 Removing a tenant administrator
1. At the tenant level, click Tenant admins on the navigation menu.
2. Click the More options button in the row that corresponds to the tenant administrator you want to remove.
3. Select Remove from role.
4. When prompted to remove the user from the tenant administrator role, click Remove from role.
6.2 Managing tenant users
The Tenant users page lists all of the tenant administrators on your tenant, all of the users who have been invited to subscribe to apps on your tenant, and all of the users who are currently subscribed to apps on your tenant.
You can use this page to monitor user activities on your tenant, for example, the status of each user’s subscription and the date and time each user last signed in to Admin Center. You can also view detailed information about each user, for example, the subscriptions and app roles assigned to each user.
If your tenant has an Auth partitions page, you can also do the following to manage user accounts:
• Disable user accounts to prevent users from signing in to your tenant and all of the apps on your tenant. For more information, see Disabling and enabling user accounts.
• Unlock user accounts if users are locked out of their accounts after multiple invalid password attempts. For more information, see Unlocking user accounts.
• Reset two-factor authentication settings for users. For more information, see Resetting user two-factor authentication settings.
• Move users to a different partition. For more information, see Moving users to a different partition.
Tip
If your tenant has an Authentication schemes page, a Tenant column appears on the Tenant admins and Tenant users pages. This column indicates whether each user is internal or external on the current tenant. For more information, see Understanding the Tenant column on the Tenant admins and Tenant users pages.
For more information about app roles, see “Assigning app roles to user and groups” in OpenText OT2 Admin Center – Subscription Administrator Help.
6.2.1 Viewing user information
1. At the tenant level, click Tenant users on the navigation menu.
2. To view information about a user, click the More options button in the row that corresponds to the user you want to view information for, and select Details.
6.2.2 Disabling and enabling user accounts
You can disable user accounts if you need to prevent users from signing in to your tenant and all of the apps on your tenant for security reasons. You can disable any user account that is set to Active on the Tenant users page.
When a user account is disabled, a disable icon appears beside the account name on the Tenant users page. If the user associated with that account attempts to sign in to the tenant or an app on that tenant, an error message appears on the sign-in page.
If you want to allow users to sign in to the tenant and apps again, you can enable user accounts you previously disabled. You can also enable user accounts that other tenant administrators have disabled.
Note
This functionality is available if your tenant has an Auth partitions page.
1. At the tenant level, click Tenant users on the navigation menu.
2. Click the More options button in the row that corresponds to the user account you want to disable or enable, and select Disable or Enable.
3. When prompted to disable or enable the user account, click Yes, continue.
6.2.3 Unlocking user accounts
Depending on how you configured the password policy rules on the Native partition, users can be locked out of their accounts after making multiple invalid password attempts.
The Attempts before lockout rule specifies how many invalid password attempts can take place before an account is locked and the Lockout duration in minutes rule specifies the length of time that must elapse before a locked account is unlocked automatically. For more information, see Configuring a password policy.
When an account is locked, a lock icon appears beside the account name on the Tenant users page and the account cannot be used until you unlock it manually on the Tenant users page or its Lockout duration in minutes period expires.
You can unlock a user account manually if, for example, a user needs to access his or her account before the Lockout duration in minutes period expires.
Note
This functionality is available if your tenant has an Auth partitions page.
This functionality applies only to accounts on the Native partition.
1. At the tenant level, click Tenant users on the navigation menu.
2. Click the More options button in the row that corresponds to the user account you want to unlock, and select Unlock.
3. When prompted to unlock the user account, click Yes, continue.
6.2.4 Resetting user two-factor authentication settings
If you enabled two-factor authentication on the Native partition, you can reset two-factor authentication settings for users if they need to generate new authentication codes to sign in to your tenant.
For example, if a user loses an authentication code that he or she previously generated, you can reset that user’s two-factor authentication settings. The user can then generate a new authentication code the next time he or she signs in to your tenant.
Note
This functionality is available if your tenant has an Auth partitions page.
For more information about enabling two-factor authentication on the Native partition, see Configuring two-factor authentication.
1. At the tenant level, click Tenant users on the navigation menu.
2. Click the More options button in the row that corresponds to the user for whom you want to reset two-factor authentication settings, and select Reset two factor auth settings.
3. When prompted to unlock the user account, click Yes, continue.
6.2.5 Moving users to a different partition
If your tenant has an Auth partitions page, users are automatically added to partitions when they join subscriptions. To sign in to your tenant, each user must use the authentication scheme associated with the partition that he or she has been added to. For more information, see Creating and managing partitions.
You can move users to a different partition if, for example, you want them to use a different authentication scheme to sign in to your tenant.
Example 5.1: Moving users to a different partition
All of the users on your tenant previously joined subscriptions through email invitations and have been added to the Native partition. However, you want these users to use the SAML authentication scheme to sign in to your tenant.
In this scenario, you can create a new partition for the SAML authentication scheme and then move each user to the new partition on the Tenant users page. The users can then use SAML credentials to sign in to your tenant.
You can move users to any type of partition, regardless of the type of partition they currently belong to. For example, you can move users as follows:
• From the Native partition to a SAML, Hybrid, or SCIM and SAML partition.
• From a SAML, Hybrid, or SCIM and SAML partition to the Native partition.
• From one SAML, Hybrid, or SCIM and SAML partition to another.
If you move users to a new SAML, Hybrid, or SCIM and SAML partition, the users must use credentials from the identity provider that is connected to the new partition to sign in to your tenant. Before moving users to the new partition, confirm that an account has been created for each user on the new identity provider.
If you move users from a SAML, Hybrid, or SCIM and SAML partition to the Native partition, each user will automatically receive an email to create a new password on the OT2 platform. Users can then use their existing email address and newly created password to sign in to the tenant.
Note
If you move users to a new SAML, Hybrid, or SCIM and SAML partition, Admin Center automatically removes the users from all of the tenant and subscription groups that they belong to and adds them to the new partition’s AllUsers_partition_name tenant group.
For more information about tenant and subscription groups, see Understanding tenant groups and “Creating and managing subscription groups” in OpenText OT2 Admin Center – Subscription Administrator Help.
Tip
The Partition column on the Tenant users page indicates which partitions each user belongs to.
6.2.5.1 To move a user to a different partition:
1. At the tenant level, click Tenant users on the navigation menu.
2. Click the More options button in the row that corresponds to the user you want to move, and select Change partition.
3. In the Change Partition dialog box, select the name of the partition you want to move the user to, and click Continue.
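A pre-flight check for the partition move described in this section, as an added example: it is not OpenText code and does not call Admin Center, it only works on lists you have exported yourself. The record shape, the partition name CorpSAML and all sample users are assumptions. It reports which users have no account on the target identity provider and which group memberships the move will remove, so both can be recorded before anyone is moved.

```python
from dataclasses import dataclass, field

# Partition types the guide lists as backed by an external identity provider.
IDP_BACKED = {"SAML", "Hybrid", "SCIM and SAML"}


@dataclass
class MovePlan:
    email: str
    blockers: list = field(default_factory=list)     # reasons to hold the move
    groups_lost: list = field(default_factory=list)  # memberships removed by the move
    group_gained: str = ""                           # automatic AllUsers_<partition> group
    password_email: bool = False                     # user must create a new OT2 password


def plan_move(user, target_name, target_type, idp_accounts):
    """Describe the effect of moving one user (dict with 'email', 'partition',
    'groups': a hypothetical export shape) to the target partition."""
    plan = MovePlan(email=user["email"])
    if user["partition"] == target_name:
        plan.blockers.append("already in target partition")
    elif target_type in IDP_BACKED:
        # Guide: confirm an account exists on the new identity provider first.
        if user["email"].lower() not in idp_accounts:
            plan.blockers.append("no account on target identity provider")
        # Guide: the user leaves all tenant and subscription groups and joins
        # the new partition's AllUsers_<partition_name> tenant group.
        plan.groups_lost = sorted(user["groups"])
        plan.group_gained = f"AllUsers_{target_name}"
    elif target_type == "Native":
        # Guide: the user receives an email to create a new OT2 password.
        plan.password_email = True
    else:
        raise ValueError(f"unknown partition type: {target_type}")
    return plan


def preflight(users, target_name, target_type, idp_accounts):
    """Split the planned moves into (ready, blocked) lists of MovePlan."""
    accounts = {a.lower() for a in idp_accounts}
    plans = [plan_move(u, target_name, target_type, accounts) for u in users]
    return ([p for p in plans if not p.blockers],
            [p for p in plans if p.blockers])


# Constructed sample data, not taken from any real tenant.
USERS = [
    {"email": "ana@example.com", "partition": "Native", "groups": ["Reviewers", "Finance"]},
    {"email": "Raj@example.com", "partition": "Native", "groups": []},
    {"email": "lee@example.com", "partition": "CorpSAML", "groups": ["Finance"]},
]
IDP_ACCOUNTS = ["ana@example.com", "lee@example.com"]  # constructed IdP export

if __name__ == "__main__":
    ready, blocked = preflight(USERS, "CorpSAML", "SAML", IDP_ACCOUNTS)
    for p in ready:
        print(f"READY   {p.email}: loses {p.groups_lost}, joins {p.group_gained}")
    for p in blocked:
        print(f"BLOCKED {p.email}: {', '.join(p.blockers)}")
```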
6.3 Understanding the Tenant column on the Tenant admins and Tenant users pages
If your tenant has an Authentication schemes page, a Tenant column appears on both the Tenant admins and Tenant users pages. This column indicates which users are internal or external on the tenant that is currently open.
A user is internal if the domain of his or her email address matches the domain of the current tenant and if he or she is registered only on the current tenant, that is, the user has accepted an invitation to become a tenant administrator or subscribe to an app on the current tenant only and has never accepted invitations associated with other tenants.
A user is external in the following scenarios:
• If the domain of that user’s email address does not match the domain of the current tenant.
• If that user is registered on tenants other than the current tenant, that is, the user has previously accepted an invitation to become a tenant administrator or subscribe to an app on one or more other tenants.
• If that user’s status is set to Invitation Pending, that is, the user has not yet accepted an invitation to become a tenant administrator or subscribe to an app on the current tenant.
6.4 Understanding tenant groups
Tenant groups enable you to assign subscriptions and permissions to groups of users.
At the tenant level, you can create any number of tenant groups manually on the Tenant groups page. You can add the following types of users and groups to manually created tenant groups:
• Users who are currently subscribed or have been invited to subscribe to apps on your tenant.
• Any existing tenant groups.
If your tenant has an Auth partitions page, Admin Center also automatically creates a tenant group for each partition you create. On the Tenant groups page, the name of each automatically created group has the form AllUsers_partition_name. All users who are added to a partition through auto-provisioning or user and group synchronization are automatically added to the partition’s tenant group. You cannot edit automatically created tenant groups or add new users to them on the Tenant groups page.
After one or more tenant groups are created either manually or automatically at the tenant level, the tenant groups are available to be used at the subscription level. Subscription administrators can do one or both of the following:
• Add the tenant groups to subscription groups to assign subscriptions to groups of users. For more information, see “Creating and managing subscription groups” in OpenText OT2 Admin Center – Subscription Administrator Help.
• Assign the tenant groups to one or more app roles. Tenant group members will then inherit the permissions associated with their assigned app roles. For more information, see OpenText OT2 Admin Center – Subscription Administrator Help.
Tip
For more information about app roles, see “Assigning app roles to user and groups” in OpenText OT2 Admin Center – Subscription Administrator Help.
6.4.1 Creating a tenant group manually
6.4.1.1 To create a tenant group manually:
1. At the tenant level, click Tenant groups on the navigation menu.
2. Click Create group.
3. In the Group name box, type a name for the tenant group.
4. [Optional] In the Description box, type a description for the tenant group.
5. Click Create.
6.4.1.2 To add a user or existing tenant group to one or more tenant groups:
1. At the tenant level, click Tenant groups on the navigation menu.
2. In the text box, do one of the following:
• Type the first few letters of an email address that belongs to a user who is currently subscribed or has been invited to subscribe to one or more apps on your tenant.
• Type the first few letters of a name that belongs to an existing tenant group.
3. Select the email address or name that belongs to the user or tenant group you want to add.
4. In the Select group list, select one or more tenant groups to which you want to add the user or existing tenant group you selected in the previous step.
5. Click Add to groups.
6.4.1.3 To view the users and tenant groups in each tenant group:
1. At the tenant level, click Tenant groups on the navigation menu.
2. In the Tenant Groups list, click the name of the tenant group you want to view. The tenant group’s page lists all of the users and tenant groups that belong to the tenant group you selected.
Tip
For more information about app roles, see “Assigning app roles to user and groups” in OpenText OT2 Admin Center – Subscription Administrator Help.
6.4.2 Editing the name and description of a manually created tenant group
Note
You cannot edit automatically created tenant groups.
6.4.2.1 To edit the name and description of a manually created tenant group:
1. At the tenant level, click Tenant groups on the navigation menu.
2. In the Tenant groups list, click the name of the tenant group you want to edit.
3. On the tenant group’s page, click the Edit button.
4. Edit the name and description of the tenant group as needed.
5. Click Update.
6.4.3 Deleting a manually created tenant group
Note
Before deleting a tenant group, confirm that no app roles are assigned to that group. If app roles are assigned, OpenText recommends that you remove the app roles from the group first. For more information, see “Assigning app roles to users or groups on the Roles page” in OpenText OT2 Admin Center – Subscription Administrator Help.
You cannot delete automatically created tenant groups.
6.4.3.1 To delete a manually created tenant group:
1. At the tenant level, click Tenant groups on the navigation menu.
2. In the Tenant groups list, place your pointer on the name of the tenant group you want to delete, and click the Delete button in the corresponding row.
3. When prompted to delete the group, click Delete.
About OpenText
OpenText enables the digital world, creating a better way for organizations to work with information, on-premises or in the cloud. For more information about OpenText (NASDAQ/TSX: OTEX), visit opentext.com.