IdP Scenario Runbooks
Four deep-dive runbooks, one per identity-integration scenario. Each covers how the scenario works (architecture + sequence diagrams) and how to configure it manually (step-by-step commands, prerequisites, verification, pitfalls).
For the canonical step-by-step that covers all four scenarios in one ordered procedure, see ../idP_Configuration.html. These four runbooks go deeper than that document, each covering one focused topic.
Scenarios
Nubus Directory Importer
One-way scheduled sync from AD/LDAP into UMS. Solves "stop typing users by hand" without requiring an OIDC/SAML IdP. This is the path that BMDS-shaped customers usually start with. The Importer plus a separate authentication scenario is the most common production combination.
OIDC Federation
Federate to a corporate IdP that speaks OpenID Connect (Entra ID, Okta, Auth0, Google Workspace, customer Keycloak). This is the recommended federation path and the only one upstream openDesk documents. JWKS keys rotate automatically and the configuration is simpler than SAML.
SAML 2.0 Federation
Federate to a SAML-only corporate IdP — typically ADFS, or an academic federation like DFN-AAI. Works through Keycloak but is off the upstream-documented happy path. Watch for signing-certificate rotation on the IdP side and verify the attribute mappers.
Bridge Keycloak (in front of AD)
Customer has AD/LDAP but no OIDC/SAML IdP and won't host ADFS or Entra. Stand up a small Keycloak (or Authentik) on the customer's side that turns their AD into an OIDC IdP. Then federate to it via the OIDC scenario.
Which scenario applies?
| Customer situation | Run |
|---|---|
| AD/LDAP only, no SSO frontend, won't host anything new | Importer only |
| AD/LDAP only, willing to host a small SSO frontend | Bridge → OIDC, optionally + Importer |
| Entra ID, Okta, Auth0, customer Keycloak | OIDC, ideally + Importer |
| ADFS or other SAML-only IdP | SAML, ideally + Importer |
| Google Workspace | OIDC + Importer (Google doesn't support back-channel logout) |
| Hybrid (AD + Entra) | Pick the upstream identity layer; usually OIDC to Entra + Importer against Entra (via Azure AD DS) or AD |
Sister docs
- idP_Configuration.html — canonical step-by-step covering all four scenarios in one ordered procedure
- All_idP.html — conceptual master with the architectural overview
- QA.html — Q&A walkthrough of the mental model
- idpKnowledge.html — customer-call talking-points brief
- All_idP_manual.html — older manual runbook (largely superseded by idP_Configuration.html and these four)