Configuring RADIUS Integration
Prerequisites
- Administrator privileges to configure an IdP in Cyolo.
- A RADIUS server must be configured. The server used here is Network Policy and Access Services (NPAS) installed on Windows Server 2022.
- In the RADIUS server configuration, for the client IP, enter the internal IP address of the Cyolo IDAC.
Configuration
- Log in to the Cyolo admin portal with your admin credentials.
- Navigate to the Integrations > Identity Providers page.
- Click the Add button located at the top-right corner of the screen.

Step 1: Identity Provider Type
- Define your basic identity provider information - Enter a unique name.
- Select RADIUS under Choose your identity provider type.

Step 2: Identity Providers Details
- Radius Server: Enter the internal IP address or name of the RADIUS server.
- Port: Enter the port number of the server. The default RADIUS port, 1812, is set here.
- Site: Choose the site for the LDAP server. The default is All sites.
- Password: Enter the shared secret set in the server. The secret entered here must be identical to the one entered in the NPAS server.
- Auto Provisioning: Optionally, enable the toggle button Enable automatic user provisioning (A SCIM token will be generated after you create the new IdP).
Step 3: MFA Parameter
- MFA Provider: Ensure that the MFA Provider is set to Cyolo. This will enforce MFA for added security.
- Available MFA methods
- Scan QR code: This option enables the use of QR codes for authentication. Users can scan the QR code with an authenticator app on their phone to generate a one-time code.
- Provide phone number: If this option is selected, users can use their phone number for MFA. They may receive a verification code via SMS or a phone call.
- Provide email address: This option, when selected, will allow users to use their email address as one of the authentication methods. They might receive a verification code or link via email.
By default, all three are selected.
- Editing sign-in methods
- Allow users to change their sign-in methods - If this option is enabled, users will have the ability to change their selected MFA methods. This gives them flexibility to switch between different methods as needed.
For this article, we will leave it unchecked.

Step 4: Enrollment Method
These settings are used to control how users enroll into the Cyolo user database.
Request from user when they enroll:
- Personal Desktop: When selected, users will be required to register their personal desktop device during enrollment.
- Accept legal documentation: If selected, users will need to accept legal documents or terms and conditions as part of the enrollment process.
For this article, we will leave these options unchecked.
Choose the method to enroll users:
- Admin rollout: Enrollment is managed and initiated by an administrator.
- Self service enrollment: Users can enroll themselves into the system. This option allows users to self-register, which is often more scalable.
- Activate users automatically when they complete enrollment: When this is checked, users are activated immediately upon completing the enrollment process.
For this article, we will select Self service enrollment and enable the Activate users automatically when they complete enrollment option.

Additional Settings:
- Hide from end-user login screen: This option hides the enrollment method from the users' login screen.
- Users can change their personal details: Allows users to update their personal information after enrollment.
Domain based check:
- No domain: Indicates that no domain-based restrictions apply to the enrollment.
- With domain: Enables domain-based restrictions for enrollment.
- Any domain: Allows enrollment from any domain.
- Specific domain: Restricts enrollment to users from specific domains.
For this article, we will select Any domain and check the checkboxes for both the No domain and With domain options.
