Configuring Infoblox Local Credentials

When an Infoblox account is provisioned for your organization, users that exist in that account are authenticated through the Infoblox credentials store. A user's credentials in the Infoblox credentials store are considered local credentials for that user. However, when you configure and activate the IdP federation for your company's domain, user authentication within that domain is performed using your organization's IdP. Users are no longer authenticated using the Infoblox local credentials.

Whether local credentials exist for any particular user within the federated domain depends on when that user was first created. If the user was created BEFORE the IdP federation was activated, then that user still has local credentials even though the user is not authenticated through the Infoblox credentials store. On the other hand, if the user was created AFTER the IdP federation was activated, then the only credentials that exist for that user are within the organization's IdP.

There are currently three Infoblox sites that are relevant to user creation: the Infoblox Portal, the Single-Sign-On Portal, and the Support Community Portal.

If a user is first created through any of these portals before you activate any IdP federation, the user's local credentials exist in the Infoblox credentials store.

The following table illustrates the possible states a user credential can be in relative to local and IdP credentials:

| Credential State | User Creation |
|---|---|
| Local credentials | Through any of the three Infoblox sites (Infoblox Portal, Single-Sign-On Portal, or Support Community Portal), BEFORE the IdP federation was activated |
| Local and IdP credentials | Through any of the three Infoblox sites (Infoblox Portal, Single-Sign-On Portal, or Support Community Portal), AFTER the IdP federation was activated; or through the IdP federation, AFTER the IdP federation was activated |
| IdP credentials | Through the IdP federation, AFTER the IdP federation was activated |

Enabling and Disabling Local Credentials

You must be an administrator for the Single-Sign-On Portal to enable or disable local credentials for any user that falls within a domain mastered by the account. Note that configurations in the Single-Sign-On Portal affect users within a mastered domain at all three Infoblox sites: the Infoblox Portal, Single-Sign-On Portal, and Support Community Portal.

Note

If your organization has an active IdP federation and you have users configured in NIOS who need to set up NIOS features that require username/password credentials, you must enable local credentials for these users through the Single-Sign-On Portal. See “Using Local Credentials for NIOS” below for more information.

To enable or disable local credentials, complete the following:

  1. Log in to the Infoblox SSO Portal at https://sso.infoblox.com/.
  2. Click User Access -> Domain Users tab.
  3. Select a domain user in the table, and then click Enable Local Credentials or Disable Local Credentials from the menu.

    When you enable local credentials, the user will receive an activation email that allows a local password to be configured. When you disable local credentials for a user, the user's local credentials are removed from the Infoblox credentials store.  

Note

As long as the IdP federation is active, the user will not be authenticated with Infoblox interactively using local credentials. They will be authenticated within the federated domain using their IdP when logging in to one of the Infoblox sites: the Infoblox Portal, Single-Sign-On Portal, or Support Community Portal.

Using Local Credentials for NIOS

Several NIOS features require username/password credentials during setup. When there is an active IdP federation configured for the domain that matches the email address of the Infoblox Portal user being configured in NIOS, IdP authentication cannot be used for the user because the username/password is offered programmatically to Infoblox Platform services. Therefore, if your organization has an active IdP federation, you must enable local credentials for users that are being configured in NIOS.  

When IdP authentication has been enabled, local credentials are only allowed for very specific use cases (e.g., NIOS integrations with Infoblox Cloud services). Local credentials should be set up via your SSO Admin or via Infoblox support; otherwise, Infoblox’s default mechanism for authentication to Infoblox Cloud services is to use your Identity Provider.

Important

The credentials used to log in to the NIOS Grid are not the same credentials that are stored in the Infoblox credentials store for Infoblox Platform services. 

For example, the Infoblox Threat Defense Cloud Client feature in NIOS can use local credentials to authenticate the feature in NIOS with the Infoblox Portal.
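The following is an added example, not Infoblox code and not an Infoblox export format. It applies the rules described above (creation time relative to federation activation, administrator enable/disable actions, and the NIOS requirement) to a constructed user inventory so that an administrator can see which accounts still hold local credentials and which NIOS users still need them. The field names, sample users, dates, and status labels are all assumptions.

```python
from datetime import date

# Constructed sample inventory; field names are assumptions, not an Infoblox format.
FEDERATED_DOMAIN = "example.com"
FEDERATION_ACTIVATED = date(2024, 3, 1)
USERS = [
    {"email": "alice@example.com", "created": date(2023, 6, 10), "nios": False, "admin_action": None},
    {"email": "bob@example.com", "created": date(2024, 5, 2), "nios": False, "admin_action": None},
    {"email": "svc-nios@example.com", "created": date(2024, 4, 15), "nios": True, "admin_action": None},
    {"email": "grid@example.com", "created": date(2022, 1, 20), "nios": True, "admin_action": None},
    {"email": "carol@example.com", "created": date(2023, 1, 5), "nios": False, "admin_action": "disabled"},
    {"email": "dave@partner.example", "created": date(2023, 2, 1), "nios": False, "admin_action": None},
]

def local_credentials_exist(user, activated):
    """An explicit enable/disable in the SSO Portal wins; otherwise local
    credentials exist only if the user was created before activation."""
    if user["admin_action"] == "enabled":
        return True
    if user["admin_action"] == "disabled":
        return False
    # Assumption: a user created on the activation day counts as "after".
    return user["created"] < activated

def classify(user, domain, activated):
    """Return one status label per user."""
    user_domain = user["email"].lower().rsplit("@", 1)[-1]
    if user_domain != domain.lower():
        return "local-auth"  # outside the federated domain: still uses the Infoblox store
    local = local_credentials_exist(user, activated)
    if user["nios"]:
        # NIOS features present username/password programmatically, so they need local credentials.
        return "ok-nios" if local else "enable-for-nios"
    # Federated non-NIOS users sign in through the IdP; a local credential is left over.
    return "review-residual" if local else "idp-only"

def audit(users, domain, activated):
    """Map each user's email address to its status label."""
    return {u["email"]: classify(u, domain, activated) for u in users}

if __name__ == "__main__":
    for email, status in audit(USERS, FEDERATED_DOMAIN, FEDERATION_ACTIVATED).items():
        print(f"{email:24} {status}")
```

Users labelled `review-residual` are candidates for Disable Local Credentials, and users labelled `enable-for-nios` need Enable Local Credentials before the NIOS feature is configured.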

Recovering Password for NIOS Users

NIOS users who are within a federated domain are prevented from recovering passwords through the regular password recovery mechanism provided on the main sign-in page of the Infoblox Portal, Single-Sign-On Portal, and Support Community Portal.

To perform password recovery of local credentials for a federated Infoblox Portal user being configured in NIOS, go to: https://auth.infoblox.com/signin/forgot-password, enter the user email address or username, and then click Reset via Email, as shown below.

