This section provides information about adding Rackspace Federation to your identity provider.

Prerequisites

Ensure that you have done the following items before continuing:

• Fill in data that is outlined in the section Rackspace Federation SAML configuration metadata, as required by your Identity Provider.
• Have administrator access to your Identity Provider.

Common Identity Provider setup instructions

Use the following instructions to add Rackspace Federation through the interface of commonly used identity providers. Select the instructions for your Identity Provider from the following list:

• Configure Okta
• Configure Active Directory Federated Services

Add an Identity Provider

The first step to use Federation is to add an Identity Provider, which is the authentication system that you want to use to authenticate with Rackspace. For example, if you want the employees of your company, Aeronautics-R-Us, to authenticate to Rackspace products and services by using your Aeronautics-R-Us credentials, you need to update your Rackspace account with some information.

Click one of the following links to learn how to add an Identity Provider:

• Cloud customers, add an Identity Provider by using the Rackspace Control Panel.
• Dedicated customers, add an Identity Provider by using the MyRack portal.
• All customers, add an Identity Provider by using the Identity API.

Create and upload the SAML configuration file

Next, you need to upload an XML file that contains the required metadata to complete the setup of your Identity Provider. Most identity systems have a method for generating the metadata file either automatically, or after you’ve completed some basic configuration.

For general and provider-specific guidance about configuring your identity system and retrieving your metadata XML file, see the section Configure Third-Party SAML providers.

Create the Identity Provider

After your XML file is attached, click Create Identity Provider.

Configure the Attribute Mapping Policy

The Attribute Mapping Policy is a YAML-formatted policy for managing the mapping of SAML attributes to Rackspace required roles and permissions.

A default Attribute Mapping Policy is provided when your Identity Provider is created. This policy shows the default attributes that are required for users logging in to Rackspace, as shown in the following example.

Default Attribute Mapping Policy

mapping:
  rules:
    - local:
        user:
          domain: "{D}"
          name: "{D}"
          email: "{D}"
          roles: "{D}"
          expire: "{D}"
  version: "RAX-1"

The default Attribute Mapping Policy must be customized to specific values before your users log in or are able to use Rackspace products and services. For more information on Attribute Mapping, see Configure Attribute Mapping. To see examples for specific third-party providers, see Configure Third-Party SAML providers.

For more examples and a complete guide to the Attribute Mapping Policy language, see the Appendix: Attribute Mapping Policy Reference.

Log in

After your Identity Provider has been created, you can test your setup. Either visit https://login.rackspace.com/login and click the link titled Use your organization’s credentials to log in or create and use a bookmark for https://login.rackspace.com/federate.

During the login process, expect the following steps to occur:

1. Enter your email address and click Next.
2. You are redirected to your third-party SAML provider login page.
3. After submitting your credentials, you are successfully logged in and redirected back to the Rackspace Control Panel.

If you experience problems logging in, see Troubleshooting.