Identity Federation with ECX
While the default mechanism for logging into the ECX portal is with a username and password, Equinix offers the option for federated single sign-on (SSO) so users from an identity-federated organization can sign into the ECX portal by authenticating with their organization’s Identity Provider (IdP). By federating with ECX, organizations keep control of their users’ credentials, allowing them to enforce stronger passwords aligned with their corporate policies, while offering users the convenience of SSO. Equinix supports identity federation with SAML 2.0 IdPs only.
Opting in for Federated SSO
Identity Federation can be activated at the Organization level by the Master Administrator for that Organization at their discretion. Activating identity federation enables SSO and, by default, disables the standard username and password login mechanism for all users of that organization. If you would like to retain the ability for your users to log in with the standard username and password process in addition to SSO, you will have to indicate this when providing your SAML details, as explained in the process below. To use federation, you will first need to configure your organization’s IdP and the Equinix account to trust each other.
To initiate the process for Identity Federation, you can either send an email to email@example.com, or generate a service ticket from the ECX portal as described below:
- Initiate a service ticket in the ECX portal by clicking on the “Support” option in the Menu ribbon at the top of the screen.
- Create a ticket by clicking on “Report an Issue”.
- Select a location where you have a physical or virtual presence with Equinix and select the “Federated Login Setup” option in the “Category” drop-down menu.
- Enter any suitable descriptive title and issue description in the mandatory text fields and click “Submit Ticket”.
- You will receive a template via email from firstname.lastname@example.org, to fill out your SAML metadata details that will allow your IdP to be registered as the IAM identity provider in ECX. These details should ideally be provided in the form of an XML file and include the signing/encryption certificates, issuer name, creation and expiration dates, and the URL for the exported SAML metadata. If not, SAML metadata and these additional details can be provided individually in the template.
- Once all details are entered, you will need to send the file as a response to the email you received from Equinix.
Note: If you wish to continue to allow your users to use the standard login process with username and password in addition to SSO, you will need to explicitly state that in your email communication to Equinix. The default option is to restrict user logins to federated SSO only. When restricted, users attempting to log in using the standard ECX username/login link will see an error message as shown below.
- Equinix will subsequently provide you with Equinix’s SAML metadata as an XML file that you will need to import into your IdP software. You will also be provided with a custom URL to share with your users for future logins after identity federation has been enabled.
- You can have users test the provided URL for federated login.
- Once your tests are complete, you will need to notify Equinix via email of the date on which you would like to cut over to federated SSO for your Organization.
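Before returning the template, it is worth confirming that the metadata exported from your IdP actually carries the details Equinix asks for (issuer name, signing/encryption certificates, validity date and SSO endpoint). The following Python check is an added example, not Equinix's own tooling; the entityID, endpoint URL and certificate in the embedded sample are constructed placeholders.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Constructed sample metadata: the entityID, URLs and certificate are placeholders, not real values.
FAKE_CERT = base64.b64encode(b"CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-CERT").decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.org/saml" validUntil="2099-01-01T00:00:00Z">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{FAKE_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def summarize_idp_metadata(xml_text, now=None):
    """Return the details the Equinix template asks for and a list of problems found."""
    problems, now = [], now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    info = {"issuer": root.get("entityID"), "valid_until": root.get("validUntil"),
            "signing_certs": [], "encryption_certs": [], "sso_urls": {}}
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return info, ["no IDPSSODescriptor: this is not IdP metadata"]
    for kd in idp.findall("md:KeyDescriptor", NS):
        cert = kd.findtext(".//ds:X509Certificate", default="", namespaces=NS).strip()
        try:
            base64.b64decode(cert, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            problems.append("certificate is not valid base64")
        use = kd.get("use")  # a KeyDescriptor without 'use' serves both purposes
        if use in (None, "signing"):
            info["signing_certs"].append(cert)
        if use in (None, "encryption"):
            info["encryption_certs"].append(cert)
    for sso in idp.findall("md:SingleSignOnService", NS):
        info["sso_urls"][sso.get("Binding")] = sso.get("Location")
    for key, msg in (("issuer", "missing entityID (issuer name)"),
                     ("signing_certs", "no signing certificate"),
                     ("sso_urls", "no SingleSignOnService endpoint")):
        if not info[key]:
            problems.append(msg)
    # SAML timestamps are UTC; 'Z' is rewritten so fromisoformat yields an aware datetime
    if info["valid_until"] and datetime.fromisoformat(
            info["valid_until"].replace("Z", "+00:00")) <= now:
        problems.append("metadata validUntil is in the past")
    return info, problems
```

Run it against the XML your IdP exports (rather than SAMPLE_METADATA) and resolve every reported problem before filling in the template.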