
Configuring IdP Authentication

Before configuring IdP settings, you first configure 3rd party IdP authentication by associating an IdP protocol with a domain. The SSO Portal supports using a single IdP configuration on multiple domains: the same IdP configuration can authenticate users from several domains, as long as those domains match the federated configuration. To configure multiple-domain authentication, you first add a primary domain and prove mastery of it, and then add other domains and link them to the primary domain and its IdP configuration. For information about adding domains, see Configuring Domains.


Note

To link multiple domains to the primary domain, ensure that you complete the following:

  • Complete the IdP configuration for the primary domain and keep it active.
  • Prove mastery of all domains you want to link to the primary domain.

Single-domain IdP Authentication

To configure IdP authentication for a single domain, complete the following:

  1. Log in to the Infoblox SSO Portal at https://sso.infoblox.com/.
  2. On the 3rd Party IDP page, click Select Domain on the right upper navigation bar.
  3. From the Select Domain drop-down menu, select a domain on which you want to configure 3rd party IdP.

The screenshot shows Infoblox SSO Portal, section Authentication, 3rd Party IDP page. The dropdown menu Select Domain contains a list of domains.

  4. Once the domain is selected, select the protocol to use for establishing connectivity between your IdP and the SSO Portal. From the Select IDP Protocol menu, select one of the following:

  • SAML 2.0 for Okta and ForgeRock
  • Azure SAML for Azure AD (Active Directory)

The screenshot shows Infoblox SSO Portal, section Authentication, 3rd Party IDP page. The dropdown Select IDP Protocol contains a list of protocols.

  5. The SSO Portal displays the selected domain and protocol, as shown below:

The screenshot shows Infoblox SSO Portal, section Authentication, 3rd Party IDP page. The selected domain and protocol appear in the upper-left corner.

  6. After you have selected a domain and a protocol, you can complete the following 3rd party IdP settings:

Multiple-domain IdP Authentication

Before you configure multiple-domain IdP authentication, consider the following:

  • The primary domain configuration, including group mappings, applies to all linked domains. The configuration for linked domains is a read-only copy of the primary domain configuration. To edit the IdP configuration, you must select the primary domain from the Select IDP Protocol drop-down menu.
  • Deactivating or resetting the primary domain unlinks all linked domains; you must re-link them after reactivation.

To configure IdP authentication for multiple domains, complete the following:

  1. Log in to the Infoblox SSO Portal at https://sso.infoblox.com/.
  2. On the 3rd Party IDP page, click Select Domain on the right upper navigation bar.
  3. From the Select Domain drop-down menu, select the domain you want to link to the primary domain.
    The screenshot shows Infoblox SSO Portal, section Authentication, 3rd Party IDP page. The dropdown menu Select Domain contains a list of domains.
  4. From the Select IDP Protocol menu, select Link to <primary domain> <IdP Protocol>, where primary domain is the domain name of the primary domain and IdP protocol is the federated IdP configuration of the primary domain.
    In the following example, you would select Link to Test.com SAML 2.0 from the drop-down menu to link Example.domain.com to Test.com using the SAML 2.0 IdP configuration.


  5. In the warning dialog, click Confirm to confirm that you want to link the domain to the primary domain.
  6. To the right of the domain name, the Infoblox Portal displays the federation status and the primary domain to which this domain is linked, as follows:

  7. Repeat the above steps to link additional domains to the primary domain. Note that all linked domains share the primary domain's IdP configuration.

Unlinking a Domain from Multiple-Domain IdP

To unlink a domain from the primary domain, complete the following:

  1. Log in to the Infoblox SSO Portal at https://sso.infoblox.com/.
  2. On the 3rd Party IDP page, click Select IDP Protocol on the right upper navigation bar.
  3. From the Activate drop-down menu, select Unlink from <primary domain>, as shown in the following:

    The screenshot shows Infoblox SSO Portal, section Authentication, 3rd Party IDP page. The dropdown menu Activate contains a list of domains.
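To make the linking and unlinking rules on this page concrete, here is an added example (hypothetical Python, not the Infoblox SSO Portal's own code or API) that models the preconditions for linking a domain, the read-only copy that linked domains carry, and the cascade-unlink that deactivating or resetting the primary domain causes; the `IdpLinkModel` class, its domain records and the `check` helper are assumptions of this model.

```python
# Added illustration of the page's linking rules; hypothetical, not the portal's API.
class LinkError(Exception):
    """Raised when a link or configuration request violates a stated precondition."""

class IdpLinkModel:
    def __init__(self):
        # name -> {mastery proven?, own IdP protocol, active?, primary it is linked to}
        self.domains = {}

    def add_domain(self, name, mastery_proven=False):
        self.domains[name] = {"mastery": mastery_proven, "protocol": None,
                              "active": False, "linked_to": None}

    def configure(self, name, protocol, active=True):
        # Only a primary (unlinked) domain owns an IdP configuration; linked
        # domains hold a read-only copy and must be edited via the primary.
        d = self.domains[name]
        if d["linked_to"]:
            raise LinkError(f"{name} is linked; edit the primary {d['linked_to']} instead")
        d["protocol"], d["active"] = protocol, active

    def link(self, name, primary):
        d, p = self.domains[name], self.domains[primary]
        if name == primary or p["linked_to"]:
            raise LinkError("the primary must be an unlinked domain with its own configuration")
        if not (p["protocol"] and p["active"]):
            raise LinkError(f"primary {primary} needs a complete, active IdP configuration")
        if not d["mastery"]:
            raise LinkError(f"mastery of {name} has not been proven")
        d["linked_to"] = primary

    def effective_protocol(self, name):
        # A linked domain's effective configuration is the primary's, never its own.
        d = self.domains[name]
        return self.domains[d["linked_to"]]["protocol"] if d["linked_to"] else d["protocol"]

    def unlink(self, name):
        self.domains[name]["linked_to"] = None

    def deactivate(self, primary):
        # Deactivating (or resetting) the primary unlinks every linked domain.
        self.domains[primary]["active"] = False
        for d in self.domains.values():
            if d["linked_to"] == primary:
                d["linked_to"] = None

    def linked_domains(self, primary):
        return sorted(n for n, d in self.domains.items() if d["linked_to"] == primary)

def check(fn, *args):
    """Return None if the operation is allowed, otherwise the LinkError message."""
    try:
        fn(*args)
    except LinkError as e:
        return str(e)
    return None
```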