Register for Federated SSO

The master administrator for your organization must register for Federated Single Sign-On (SSO). Use the procedures below to provide the necessary information.

Important: New requests for registration are currently on hold during the Equinix Self Service Federation service upgrade. This page will be updated when the upgrade is complete. For questions, contact your Equinix account representative.

Register your organization for SSO using the self-service application. The registration wizard guides you through the process.

  1. From the Administration menu in the Customer Portal, click Account & Security Management.

  2. Click Federated Single Sign-On.

  3. On the Federation Registration page, read the instructions for the set-up process.

    Note: This page contains a link to download Equinix SAML metadata.

    Important: Carefully read the instructions before you click Next.

  4. On the Metadata Details page, provide the metadata in one of two ways:

    This method automatically enters the required information.

    Note: With this method, the Entity ID, SSO URL, and Identity Location fields are disabled and you cannot edit them. To change these fields, click Discard, then import an updated SAML file (or enter the information manually, as described below).

    Important: Equinix requires a user email address in the SAML response. All other attributes are ignored.

    or

    • Customer Prefix – Enter a unique prefix for your registration. This prefix is used to create a unique federation URL for your organization.

      Example: The prefix xyz means your federation URL is https://xyzcustomerportal.equinix.com.

    • Entity ID – Enter the entity ID for your organization.

    • Single-Sign-On URL – Enter the IdP URL where Equinix will Post the SAML request.

    • Identity Location – This is the attribute that holds the unique attribute identifying a user, such as email address. Select one:

      • Default Name Identifier – Choose this option if the default user email attribute will be sent in the Default Name ID as shown in the response.

      • Custom Name Identifier – Choose this option if the default user email attribute will be sent in any other attribute than the Default Name ID as shown in the response.

  5. Click Next.

  6. On the Technical Contact page, indicate the Point of Contact between your organization and Equinix. Select either External or Internal:

    • Internal (default) – Select a user who is already on-boarded with Equinix from the list of users. (You can Search if the list is long.)

    • External – Add a user as the point of contact who is not already on-boarded with Equinix; enter the first name, last name, email address, and phone number.

      Note: Typically, the Identity Administrator from your organization is not on-boarded with Equinix.

  7. Click Next.

  8. On the Certificate Upload page, if your certificate is not part of the SAML data, then upload it here:

    Equinix uses this certificate to validate the authenticity of the SAML requests that originate from your organization.

    Important: Equinix verifies the certificate end date; expired certificates are not accepted.

    Note: If your certificate is already provided as part of your SAML metadata (as shown in the example below), you don't need to upload it again.

  9. Click Submit.

    The Federation Details page shows the Provisioned Status as Submitted.

    • To clear any updates, click Discard.

    • To accept any updates, click Submit Changes.

    Important: Once the status is Approved, you cannot update the form.

    Note:

    • The Equinix Administrator reviews your submitted information and contacts you if further information is required.

    • You can see the comments entered by the Equinix Administrator on your request page.

    • During this process, you will receive emails to update you on the progress.

    Provisioning statuses that you might see during the process:

    • SUBMITTED – The application registration request has been submitted and is being reviewed by the Equinix Administrator.
    • AWAITING RESPONSE – The Equinix Administrator needs additional information to process the request.
    • IN-PROGRESS – Provisioning is in progress.
    • PROVISIONED – The application is provisioned in all systems.
    • COMPLETED – You have tested the application and the request is closed.

    You will receive an email when the Federated SSO configuration is complete. See Verify Generated URLs for next steps.

When the Federated SSO configuration is ready and your request is in PROVISIONED status, you will receive an email. Revisit the Self Service Federation / Federation Details page to validate the generated URLs:

  1. Go to your federation portal (using the link in the email or through the Customer Portal).

  2. Under Provisioned Portal, verify that you can sign in with the federated URLs created for your organization.

    Note: If you aren't subscribed to a particular service (such as Fabric or IBX SmartView), you won't be able to sign in using that URL.

    • If you can sign in to all of your subscribed portals, select the box for I have verified that the federation single sign-on is working for all applications. This changes the request status to COMPLETED.

    • If you can't sign in to one or more of your subscribed portals, add a comment to the federation request, or contact your Equinix account representative.

After your organization is successfully on-boarded, you can use the Self Service Federation application request page if you need to upload a new certificate or to change point-of-contact information:

  • To upload a new certificate:

    From the List of Certificates tab, click Upload Certificate.

  • To update the point of contact:

    From the Technical Contact tab, click Change Point of Contact.

We support any IdP vendor that supports SAML2.

See Register for Self Service Federation. After you select the Federated Single Sign-On card, the Federation Registration page appears. This page contains a link to download the Equinix SAML metadata.

See Verify Generated URLs.

Yes. If your IdP has MFA enabled, users are prompted for MFA authentication when they sign in to the Customer Portal. See Multi-Factor Authentication (MFA).

Note: Managing MFA is the responsibility of the client or IdP.

Contact your Equinix representative with this request, and they will forward it to the technical team. The technical team will disable username and password access for all web portals.

Information to include in your request:

  • Would you like to stop username and password access on the mobile application?

    Important: The mobile application does not support federated sign in, so this will disable all access to the mobile application.

  • Is there a specific date to make the change?

Contact your Equinix account representative to update your IdP information. Provide your updated metadata and, if it is not in the metadata, provide the updated certificate. Updated metadata is required when changing IdPs entirely or when updating your metadata for the same IdP.

When a federation request is submitted, it applies only to the organization that the master administrator used to sign in. To add additional organizations for federation, contact your Equinix representative.

This error usually occurs if you POST the SAML response to the portal, instead of using a GET request.

There are two main settings to verify:

  • Make sure the ACS URL endpoint is correct.

  • Make sure the SAML response you send is a GET request (not POST or any other request).

Also confirm the following in your IdP:

  • Name ID Format – Unspecified

  • Application username – Email

  • The username email address should match the primary email address in your Customer Portal user profile.

The Sign Off error has two possible fixes:

  • In your IdP, make sure the URL for the ACS (Assertion Consumer Service) is correct or blank.

  • Make sure the SAML response is signed properly on the IdP side.

Make sure the Audience URI value is correct. Contact your Equinix account representative for the correct value.

Make sure the user's account exists in the Customer Portal:

  • If the account does not exist, you can create it.

  • If the account does exist, contact the Global Service Desk (GSD) for additional troubleshooting.

Note: We do not support just-in-time provisioning, so we do not create Equinix accounts on the fly.

By default, we do not enable IdP-initiated SSO. If you want to allow IdP-initiated SSO for your company, contact the Global Service Desk (GSD).

As a temporary workaround, you can manually create a bookmark for an SP-initiated URL in your IdP (for example: https://acmecustomerportal.equinix.com/).