Register for Federated SSO

The master administrator for your organization must register for federated Single Sign-On (SSO). Use the procedures below to provide the necessary information and to connect your company Identity Provider (IdP) to Equinix.

Important: If you’re migrating to the new Equinix authentication system for Federated SSO login, refer to Federated SSO Migration instead.

To register your organization for federated SSO:

  1. From the Administration menu in the Customer Portal, click Account & Security Management.

  2. Click Federated Single Sign-On.

  3. On the Federation Registration page, read the instructions for the set-up process and click Next.

  4. On the Metadata Details page:

    1. Enter your organization's email address domain. If you have multiple domains, separated them with a comma.

      Example: acme.com, eu.acme.com

    2. Provide the metadata in one of two ways:

      This method automatically enters the required information.

      Note: With this method, the Entity ID, SSO URL, and Identity Location fields are disabled and you cannot edit them. To change these fields, click Discard, then import an updated SAML file (or enter the information manually, as described below).

      Important: Equinix requires a user email address in the SAML response. All other attributes are ignored.

      or

      • Entity ID – Enter the entity ID for your organization. Ask your company's identity administrator for the value for this field.

      • Single-Sign-On URL – Enter the IdP URL where Equinix will post the SAML request. Ask your company's identity administrator for the value for this field.

  5. Click Next.

  6. On the Technical Contact page, indicate the Point of Contact between your organization and Equinix. Select either Internal or External:

    • Internal (default) – Select an existing Equinix-registered user within your organization.

    • External – Add a user as the point of contact who is not a registered user; enter the first name, last name, email address, and phone number.

      Note: Typically, the Identity Administrator from your organization may be interested in setting up this SAML configuration with Equinix.

  7. Click Next.

  8. On the Certificate Upload page, if your certificate is not part of the SAML data, then upload it here:

    Note: Equinix uses this certificate to validate the authenticity of the SAML requests that originate from your organization.

    Important: Equinix verifies the certificate end date; expired certificates are not accepted.

  9. Click Submit.

    The Federation Details page shows the Provisioned Status as Submitted.

    Tip: You can update your request for as long as the Equinix administrator doesn't process and approve it.

    Note:

    • The Equinix Administrator reviews your submitted information and contacts you if further information is required.

    • You can see the comments entered by the Equinix Administrator on your request page.

    • During this process, you will receive emails to update you on the progress.

    Provisioning statuses that you might see during the process:

    • SUBMITTED – The application registration request has been submitted and is being reviewed by the Equinix Administrator.
    • AWAITING RESPONSE – The Equinix Administrator needs additional information to process the request.
    • IN-PROGRESS – Provisioning is in progress.
    • PROVISIONED – The application is provisioned in all systems.
    • COMPLETED – You have tested the application and the request is closed.

  10. Click Equinix SAML Metadata to download Equinix metadata and follow your identity provider's instructions to set up federated SSO integration.

  11. Once you receive an email that your federated SSO request has been approved, verify that you can log in to Equinix portal.

When the federated SSO configuration is ready and your request is in PROVISIONED status, validate your federated SSO setup:

  1. Go to portal.equinix.com.

  2. Click Sign In with SSO, then provide your email address and click Continue.

  3. Enter your login credentials to authenticate and access the Equinix portal.

    Important: If you're unable to log in, add a comment to your federation request to engage with Equinix administrator and troubleshoot your login issues.

  4. Go to your federation portal (using the link in the email or through the Customer Portal).

  5. Under Portal URLs, click I have verified that the federation single sign-on is working for all applications.

  6. Click Confirm.

    Note: An email notification is sent with a confirmation that the processing of your federated SSO request has been completed.

After your organization is successfully on-boarded, you can use the Self Service Federation application request page if you need to upload a new certificate or to change point-of-contact information:

  • To upload a new certificate:

    From the List of Certificates tab, click Upload Certificate.

  • To update the point of contact:

    From the Technical Contact tab, click Change Point of Contact.

Before Registration

Once the federation setup is complete, any user from the customer organization can visit the Equinix federation URL or log in via federation from the Equinix unified login page. The user then must enter their organization's email address. Based on the email domain provided, the user is redirected to the organization's identity provider page for authentication. Once authenticated, the user can access the appropriate Equinix portals.

The master administrator should work with your organization's internal security team to determine the Single Sign-On (SSO) configuration. The master administrator then must submit the federation request using the Self-Service Federation application. Enter the required federation information on the subsequent screens to complete the setup request.

Currently, Equinix supports SAML 2.0 for federation. Equinix can federate with any Identity Provider (IdP) that supports the SAML 2.0 protocol. In the future, Equinix may support other protocols like OIDC, as needed.

We support any IdP vendor that supports SAML2.

The SAML subject must contain the email address attribute. Any user attribute other than email address is not required and will be ignored. Ensure that the primary email address in the ECP profile matches the organization's email address for every user that wants to log in via federation.

Equinix federation only supports POST binding.

Click the Download button on the top-right corner of the federation portal.

You need to provide an email domain for your organization and the SAML metadata. A digital certificate is required if the metadata file does not contain a digital certificate. If you do not want to upload the metadata file or if there is any issue with the metadata file update, manually provide the Entity ID and the SSO URL of the organization, and then upload a digital certificate on the next screen.

During Registration

Enter the email domain for your organization (for example, if the email address for your organization is user@acme.com, enter acme.com). If you need to enter multiple domains, separate them with a comma (for example, if email addresses are user@acme.com and user@acme.co.eu, enter acme.com, acme.co.eu in the domain field).

An Entity ID is a globally unique name for a SAML entity, i.e., your Identity Provider (IdP) or Service Provider (SP). It is how other services identify your entity. Like any other unique identifiers that you share to interoperate with others, making sure your identifier is clear, unique, and permanent is critical for the successful continued operation of your service(s). Choose your entity ID carefully and deliberately.

Enter your single sign-on URL, where Equinix will redirect users from your organization to log in.

See Register for Self Service Federation. After you select the Federated Single Sign-On card, the Federation Registration page appears. This page contains a link to download the Equinix SAML metadata.

See Verify Federated SSO Configuration.

Yes. If your IdP has MFA enabled, users are prompted for MFA authentication when they sign in to the Customer Portal. See Multi-Factor Authentication (MFA).

Note: Managing MFA is the responsibility of the client or IdP.

After Registration

Go to  https://portal.equinix.com, enter your email address, and click Next. You will be redirected to your organization's login page. Log in with your organization credentials. Once authenticated, users can access the appropriate Equinix portals.

Contact your Equinix representative. They will forward your questions to the federation support team.

Add a comment to your federated SSO request to engage with Equinix administrator and issue a request to disable the option to sign in using username and password.

Information to include in your request:

  • Would you like to stop username and password access on the mobile application?

    Important: The mobile application does not support federated sign in, so this will disable all access to the mobile application.

  • Is there a specific date to make the change?

Add a comment to your federated SSO request to engage with Equinix administrator. Provide your updated metadata and, if it is not in the metadata, provide the updated certificate. Updated metadata is required when changing IdPs entirely or when updating your metadata for the same IdP.

When a federation request is submitted, it applies only to the organization that the master administrator used to sign in. To add additional organizations for federation, add a comment to your federated SSO request to engage with Equinix administrator and get the support to enable federated SSO for multiple organizations.

This error usually occurs if you POST the SAML response to the portal, instead of using a GET request.

There are two main settings to verify:

  • Make sure the ACS URL endpoint is correct.

  • Make sure the SAML response you send is a GET request (not POST or any other request).

Also confirm the following in your IdP:

  • Name ID Format – Unspecified

  • Application username – Email

  • The username email address should match the primary email address in your Customer Portal user profile.

The Sign Off error has two possible fixes:

  • In your IdP, make sure the URL for the ACS (Assertion Consumer Service) is correct or blank.

  • Make sure the SAML response is signed properly on the IdP side.

Make sure the Audience URI value is correct. Add a comment to your federated SSO request to engage with Equinix administrator and ask for the correct value. In case you're unable to access your federated SSO settings, contact your Equinix representative and your request will be forwarded to the Equinix administrator.

Make sure the user's account exists in the Customer Portal:

  • If the account does not exist, you can create it.

  • If the account does exist, contact the Global Service Desk (GSD) for additional troubleshooting.

Note: We do not support just-in-time provisioning, so we do not create Equinix accounts on the fly.

By default, the IdP-initiated SSO is disabled. If you want to allow IdP-initiated SSO for your company, add a comment to your federated SSO request.

As a temporary workaround, you can manually create a bookmark for an SP-initiated URL in your IdP (for example: https://portal.equinix.com/).