Skip to content

User Management

The Rafay platform traditionally supports Identity Provider (IDP) configurations at the customer organization level, requiring each customer org to configure its own IDP settings.

This feature applies for scenarios where a Cloud Provider wishes to deploy and operate an IdP where they manage user identifies for their customer orgs. In this case, the cloud provider's IdP needs to be made available to all customer orgs managed by the cloud provider.

When the Global IDP feature is enabled for a partner, a single IDP configured in the partner’s default org can be used to authenticate users across all orgs under the partner. This simplifies user authentication and IDP management in multi-tenant environments.

Global IdP

Enabling Global IDP

Rafay enables the Global IDP feature for a partner based on requirements.

UI Support

  • Navigate to Operations ConsolePartners
  • Select the desired partner and click Edit
  • Go to the Login/Auth tab
  • Enable the checkbox Common IDP for all organisation

This ensures that a single Identity Provider is shared across all organizations of the selected partner.

Create IdP

API Support

Global IDP configuration can also be updated programmatically using the Partner API.

PUT /auth/v1/partners/{partner_id}/

Example Request

curl 'https://<ops-console-host>/auth/v1/partners/{partner_id}/' \
  -X 'PUT' \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json;charset=UTF-8' \
  -H 'x-rafay-partner: <partner_id>' \
  -d '{
    "id": "7kr9pkl",
    "name": "rauto-ncp-partner-qc-gpupaas.partner.dev.rafay-edge.net",
    "description": "rauto-testing",
    "settings": {
      "copyright": "@rauto-Copyright",
      "gslb_enabled": true,
      "sender_email": "rauto-email@rauto-test.rafay.co",
      "signup_enabled": true,
      "ORGANIZATION_APPROVAL": false,
      "disable_system_domain": true,
      "ACCOUNT_CREATION_STRATEGY": "AUTO",
      "applications": [],
      "applications_view": "grid",
      "group_applications": false,
      "support_portal": {
        "enabled": false,
        "label": "Support Portal",
        "url": ""
      },
      "idp_setting": {
        "common_idp_for_all_orgs": true
      }
    },
    "logo_link": "https://i.pinimg.com/originals/4a/b9/3f/4ab93f48c8f1708a615cc62ffc944962.png",
    "fav_icon_link": "https://i.pinimg.com/originals/4a/b9/3f/4ab93f48c8f1708a615cc62ffc944962.png",
    "notification_email": "rauto-notification@rauto-test.rafay.co",
    "support_team_name": "rauto-support",
    "partner_helpdesk_email": "rauto-email@rauto-test.rafay.co",
    "partner_product_name": "rauto-ncp-partner-qc-gpupaas.partner.dev.rafay-edge.net",
    "domain": "rauto-test.rafay.co",
    "ops_host": "ops-rauto-ncp-partner-qc-gpupaas.partner.dev.rafay-edge.net",
    "is_totp_enabled": false,
    "is_synthetic_partner_enabled": false
  }'

Response

A successful request returns HTTP 200 OK with the updated partner configuration, including the applied Global IDP settings.

Notes:

  • The field idp_setting.common_idp_for_all_orgs enables the Global IDP mode across all organizations.
  • Optional parameters such as logo_link, notification_email, and support_team_name can be included to update branding and contact information.
  • Include only the fields you intend to update; unspecified fields remain unchanged.

Global IDP Workflow

  • A single IDP is configured in the default organization of the partner
  • Users access the partner’s Rafay Console portal
  • The login behavior depends on whether the user exists in the local Rafay user database

Case 1: User Exists in Local Rafay User Database

If the entered email address matches a local user record:

  • The user is shown two options:
    • Login With SSO
    • Login With Password

Create IdP

This provides flexibility to authenticate through either method.

Case 2: User Does Not Exist in Local Rafay User Database

If the user is not found in the local database:

  • Only the Login With SSO option is shown
  • The user is redirected to the IDP configured in the partner’s default organization

Create IdP

IDP Authentication and organization Mapping

  • After clicking Login With SSO, the user is redirected to the IDP provider configured in the default organization
  • The IDP must include the organization identifier in the SAML response
  • Rafay uses this attribute to route the user to the appropriate organization after authentication

Support for Mixed Mode

If a subset of organizations require a custom IDP and others should use the Global IDP:

  • Create individual IDPs in those specific organizations using their domain name(s)
  • Create the Global IDP in the default organization

Login Flow

  • If a user's domain matches a configured organization-level IDP, they are authenticated using that IDP
  • Otherwise, the user is authenticated using the Global IDP
  • If the user also exists in the local database, both login options (SSO and password) are shown

Note: For Global IDP integration, customers using Keycloak must use version 26.2.x or later.