Skip to main content
Version: Omada Identity Cloud

Authentication

Authentication allows customers to configure federated authentication for Cloud Management Portal users by verifying organizational domains and associating them with an Identity Provider.

Authentication overview

The Authentication page consists of two sections:

Authentication page overview

  • Domains – used to register and verify domains that will be used for federated authentication. A domain is matched against the domain portion of a user's email address (for example, contoso.com in user@contoso.com) to determine whether the user should authenticate through an Identity Provider.
  • Identity Providers – used to configure Identity Provider connections and associate them with verified domains.
Prerequisites

Before configuring federated authentication:

  • You must have access to the domain's DNS configuration.
  • You must have permissions to manage the Microsoft Entra ID tenant.
  • The domain must be owned by your organization.
Existing users

Before enabling federated authentication for existing users, verify that the email address used for each Cloud Management Portal user matches the value returned by Microsoft Entra ID in the preferred_username claim (typically the User Principal Name (UPN)).

If these values do not match, the user will not be able to activate their federated account. If necessary, update the user accounts before enabling federated authentication.

If you manage Cloud Management Portal users through Omada Identity, see Federated authentication migration for guidance on updating the account name format before enabling federated authentication.

Domains

The Domains section displays all domains configured for federated authentication.

Domains overview
ColumnDescription
NameThe registered domain name.
Verification tokenThe token that must be added as a TXT record in the domain's DNS configuration.
StatusIndicates whether the domain ownership has been verified. The domain can have two statuses:
  • Verified - the domain ownership has been successfully verified and can be assigned to an Identity Provider.
  • Unverified - the domain has been added but ownership has not yet been verified.
ActionsAvailable actions for the selected domain:
  • Verify - validates the domain ownership after the TXT record has been added to DNS.
  • Delete - removes the domain from the configuration. This action is only available for domains with an Unverified status.
note

Domain verification may take some time depending on DNS propagation.

Add and verify a domain

Add a domain

To add a domain:

  1. Navigate to Authentication tab in the Users section.

  2. Click Add in the Domains section.

    Add domain dialog
  3. In the Add domain dialog, enter the domain name.

  4. Save the configuration.

info

After adding a domain, a verification token is generated. This token must be added to the domain's DNS configuration as a TXT record.

Verify a domain

To verify a domain:

  1. Copy the verification token.

  2. Add the token as a TXT record in your domain's DNS.

  3. Wait for DNS propagation.

  4. Return to the Cloud Management Portal.

  5. In the Actions tab, click Verify.

    Domain verification token

When verification is successful, the domain status changes to Verified.

Domain verification troubleshooting

If domain verification fails:

  • Verify that the TXT record contains the exact verification token generated by the Cloud Management Portal.

  • Ensure DNS changes have propagated. Depending on DNS configuration and TTL settings, propagation can take up to 48 hours.

  • Verify the TXT record using:

    nslookup -type=TXT <domain>

Identity Providers

The Identity Providers section displays all configured Identity Providers.

Identity Providers section overview

ColumnDescription
ProviderThe configured Identity Provider type.
ConfigurationInformation identifying the configured Identity Provider.
ActionsAvailable actions for the selected Identity Provider:
  • Edit - updates the Identity Provider configuration or assigned domains.
  • Delete - removes the Identity Provider configuration.
note

Only domains with a Verified status can be assigned to an Identity Provider.

info

When a verified domain is assigned to an Identity Provider, all users belonging to that domain become federated users and must authenticate through the associated Identity Provider.

warning

You cannot delete an Identity Provider while domains are assigned to it.

Domains also cannot be unassigned from an Identity Provider through the Cloud Management Portal.

This restriction exists because assigning a domain to an Identity Provider migrates users from local authentication to federated authentication. There is no self-service reverse migration process.

If you need to remove a domain assignment or undo federation, contact Omada Support.

Add an Identity Provider

After the domain has been verified, configure a Microsoft Entra ID Identity Provider.

  1. Navigate to Authentication tab in the Users section.

  2. Select Add in the Identity Providers section.

    Add identity provider dialog
  3. In the Add Identity Provider dialog, enter the required configuration:

    • In the Provider field, select the type of Identity Provider to configure.

      • Currently, Microsoft Entra ID is supported.
    • In the Issuer URL field, enter the OpenID Connect issuer URL for your Microsoft Entra ID tenant, for example, https://login.microsoftonline.com/<tenant-id>/v2.0.

      • This URL is used to validate authentication tokens issued by the Identity Provider.
    • In the Assigned Domains field, select one or more domains that should use this Identity Provider for authentication.

      • This field lists all verified domains that are available for assignment to this Identity Provider.

      • Before the assignment is completed, an informational confirmation message is displayed and must be acknowledged:

        Domain assignment confirmation dialog
  4. Save the configuration.

    tip

    Updating the Issuer URL affects only future user activations.

    The Issuer URL is validated during account activation to verify that the user authenticates through the expected Identity Provider.

    After activation, users are identified using the unique identifier provided by the Identity Provider and subsequent sign-ins do not validate the Issuer URL.

    Changing the Issuer URL does not affect users who have already activated their federated accounts. Existing users can continue signing in normally after an Issuer URL update.

    info

    When a domain is assigned to an Identity Provider:

    • All users belonging to that domain become federated users.
    • Users can no longer sign in using local credentials.
    • Authentication is performed through the assigned Identity Provider.

Updating Identity Provider configuration

Editing an Identity Provider allows you to update its configuration and manage the domains assigned to it.

  1. Navigate to Authentication tab in the Users section.

  2. In the Identity Providers section, select the provider you want to edit the configuration for.

  3. Click the pencil icon.

  4. Update the Identity Provider configuration as required.

    Edit domain configuration
  5. Save the changes.

warning

Domains cannot be unassigned from an Identity Provider through the portal.

To unassign or remove a domain, contact Omada Support.

Federated login

Federated login allows users to access the Cloud Management Portal using their organization's Microsoft Entra ID account. Instead of authenticating with locally managed credentials, users are redirected to the configured Identity Provider, which handles the authentication process.

After a domain is assigned to an Identity Provider, users with email addresses from that domain must authenticate through the configured Identity Provider and can no longer sign in using local credentials.

Existing users

When an existing user is migrated to federated authentication:

  • Existing roles and permissions are retained.

  • The user receives an activation email.

    Activation email for existing user
  • The account must be activated before federated sign-in can be used.

info

The email address used for the invitation must exactly match the value returned by the Identity Provider in the preferred_username claim.

For Microsoft Entra ID, this is typically the User Principal Name (UPN).

If the invitation email and the preferred_username value do not match, account activation will fail, for example:

Invitation emailpreferred_usernameResult
user@company.comuser@company.comActivation succeeds
user@company.comuser@company.netActivation fails

New users

When a user does not already exist in the system:

  • A new federated account is created.

  • The user receives an activation email.

    Activation email for new user
  • The account must be activated before access is granted.

info

The email address used when creating the user must exactly match the value returned by the Identity Provider in the preferred_username claim.

If the values do not match, activation cannot be completed.

Activation process

To activate the federated login:

  1. Open the activation link received by email.

  2. Review the activation page.

    User activation page
  3. Click Continue.

  4. The login page is displayed.

    Federated login page
  5. Select Sign in with Microsoft Entra ID.

  6. Authenticate using your corporate credentials.

  7. Grant the requested permissions if prompted.

    Microsoft Entra ID consent screen
  8. After accepting the permissions, you are redirected to the Cloud Management Portal.

Activation validation

During activation, the Cloud Management Portal performs the following validations:

ValidationDescription
Issuer (iss)Must match the configured Issuer URL.
Preferred usernameMust match the email address used for the portal invitation.
User identifier (sub or oid)Used to establish the permanent association between the portal account and the Identity Provider account.

The Issuer URL validation is performed as a security measure to ensure that the user activates the account through the intended Identity Provider and to prevent unauthorized association of portal accounts with identities from another provider.

After activation, users are identified by their unique identifier (sub or oid). The preferred_username and Issuer URL are not validated during subsequent sign-ins.

Activation troubleshooting

If activation fails:

  • Verify that the invitation email matches the value returned in the Identity Provider's preferred_username claim.
  • Verify that the Identity Provider's iss claim matches the configured Issuer URL.
  • Verify that you are signing in with the intended Identity Provider account.

Omada Identity-managed users

The procedures described on this page apply to customers who manage Cloud Management Portal users directly in the portal.

If you manage Cloud Management Portal users through Omada Identity, additional configuration and migration steps may be required before enabling federated authentication.

See Federated authentication migration for instructions.

Known limitations

Multiple portal accounts for the same user

A single person may have multiple Cloud Management Portal accounts associated with different email domains belonging to the same organization, for example:

If multiple domains are assigned to the same Identity Provider and the Identity Provider returns only one value in the preferred_username claim, only the portal account whose email address matches the returned value can be activated.

The other portal accounts cannot be activated because the Identity Provider will never return a matching preferred_username value for them, preventing activation from being completed.

To avoid this situation, consolidate duplicate user accounts before enabling federated authentication whenever possible.