Identity Federation with ECX
While the default mechanism for logging into the ECX portal is with a username and password, Equinix offers the option for federated single sign-on (SSO) so users from an identity-federated organization can sign into the ECX portal by authenticating with their organization’s Identity Provider (IdP). By federating with ECX, organizations retain control of their users’ credentials, allowing them to enforce stronger passwords aligned with their corporate policies, while offering users the convenience of SSO. Equinix supports identity federation with SAML 2.0 IdPs only.
Opting in for Federated SSO
Identity Federation can be activated at the Organization level by the Master Administrator for that Organization at their discretion. Activating identity federation will enable SSO and, by default, disable the standard username and password login mechanism for all users of that organization. If you would like your users to retain the ability to log in with the standard username and password process in addition to SSO, you will have to indicate this when providing your SAML details, as explained in the process below. To use federation, you will first need to configure your organization’s IdP and the Equinix account to trust each other.
To initiate the process for Identity Federation, you can either send an email to email@example.com, or generate a service ticket from the ECX portal as described below:
- Initiate a service ticket in the ECX portal by clicking on the “Support” option in the Menu ribbon at the top of the screen.
- Create a ticket by clicking on “Report an Issue”.
- Select a location where you have a physical or virtual presence with Equinix and select the “Federated Login Setup” option in the “Category” drop-down menu.
- Enter any suitable descriptive title and issue description in the mandatory text fields and click “Submit Ticket”.
- You will receive a template via email from firstname.lastname@example.org to fill out the SAML metadata details that will allow your IdP to be registered as the IAM identity provider in ECX. These details should ideally be provided as an XML file and include the signing/encryption certificates, issuer name, creation and expiration dates, and the URL for the exported SAML metadata. If an XML file is not available, the SAML metadata and these additional details can be provided individually in the template.
- Once all details are entered, you will need to send the file as a response to the email you received from Equinix.
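Before returning the template, it is worth checking that the exported IdP metadata actually contains the fields Equinix asks for and has not already expired. The following script is an added example, not Equinix code or part of the ECX process. It uses only the Python standard library to parse SAML 2.0 IdP metadata, pull out the issuer (entityID), signing and encryption certificates, validity date and SSO endpoint, and report common defects. The sample metadata embedded in it is constructed: the entityID, URLs and certificate bytes are placeholders.

```python
"""Pre-flight check of SAML 2.0 IdP metadata before sending it to Equinix.

Added example, not Equinix code. Parses IdP metadata XML with the standard
library, extracts the fields the federation template asks for, and flags
expired metadata, missing certificates and certificate blobs that are not
valid base64 DER.
"""
import base64
import binascii
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample metadata; entityID, URLs and certificate bytes are
# placeholders, not real Equinix or customer values. "MAA=" decodes to the
# bytes 0x30 0x00, i.e. a (truncated) DER SEQUENCE header.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.org/saml" validUntil="2030-01-01T00:00:00Z">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MAA=</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MAA=</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_idp_metadata(xml_text):
    """Return issuer, validity, certificates by use, and SSO endpoints."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("root element is not md:EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is SP metadata, not IdP metadata")
    certs = {"signing": [], "encryption": []}
    for kd in idp.findall("md:KeyDescriptor", NS):
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert is None or not cert.text:
            continue
        blob = "".join(cert.text.split())  # strip PEM-style line wrapping
        # Per the SAML metadata spec, a KeyDescriptor with no "use" attribute
        # may be used for both signing and encryption.
        for use in ([kd.get("use")] if kd.get("use") else ["signing", "encryption"]):
            certs[use].append(blob)
    sso = [(s.get("Binding"), s.get("Location"))
           for s in idp.findall("md:SingleSignOnService", NS)]
    return {
        "entity_id": root.get("entityID"),
        "valid_until": root.get("validUntil"),
        "certificates": certs,
        "sso_endpoints": sso,
    }


def metadata_problems(xml_text, now_iso=None):
    """List problems that would make the metadata unusable for federation."""
    info = parse_idp_metadata(xml_text)
    now = (datetime.fromisoformat(now_iso.replace("Z", "+00:00"))
           if now_iso else datetime.now(timezone.utc))
    problems = []
    if not info["entity_id"]:
        problems.append("missing entityID (issuer name)")
    if info["valid_until"]:
        expiry = datetime.fromisoformat(info["valid_until"].replace("Z", "+00:00"))
        if expiry <= now:
            problems.append("metadata expired on %s" % info["valid_until"])
    for use in ("signing", "encryption"):
        blobs = info["certificates"][use]
        if not blobs:
            problems.append("no %s certificate" % use)
        for blob in blobs:
            try:
                der = base64.b64decode(blob, validate=True)
            except binascii.Error:
                problems.append("%s certificate is not valid base64" % use)
                continue
            if not der or der[0] != 0x30:  # X.509 certificates are DER SEQUENCEs
                problems.append("%s certificate is not a DER SEQUENCE" % use)
    if not any(loc and loc.startswith("https://") for _, loc in info["sso_endpoints"]):
        problems.append("no HTTPS SingleSignOnService endpoint")
    return problems


if __name__ == "__main__":
    print(parse_idp_metadata(SAMPLE_METADATA)["entity_id"])
    print(metadata_problems(SAMPLE_METADATA) or "metadata looks complete")
```

Run it against your real export instead of `SAMPLE_METADATA`; the `validUntil` check is the one most often missed, because many IdPs export metadata with a short validity window and Equinix will import it some days later.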
Note: If you wish to continue to allow your users to use the standard username and password login process in addition to SSO, you will need to explicitly state that in your email communication to Equinix. The default option will be to restrict user logins to federated SSO only. When restricted, users attempting to log in using the standard ECX username/login link will see an error message as shown below.
- Equinix will subsequently provide you with Equinix’s SAML metadata as an XML file that you will need to import into your IdP software. You will also be provided with a custom URL to share with your users for future logins after identity federation has been enabled.
- You can have users test the provided URL for federated login.
- Once your tests are complete, you will need to notify Equinix via email of the date you would like to cut over to federated SSO for your Organization.
Multi-Factor Authentication (MFA)
While the default mechanism for logging into the ECX portal is with a username and password, Equinix offers the option to add an extra layer of security with Multi-Factor Authentication (MFA). MFA adds a verification step that requires both the portal password and a one-time password (OTP) sent to an alternate registered trusted device, so a compromised password alone is no longer enough for an attacker to log in.
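The portal description above leaves implicit what makes a "code sent to a registered device" factor meaningful. The following is an added example, written for this page and not Equinix or PingID code, showing the server-side controls a delivered OTP relies on: a code drawn from a cryptographic random source, stored only as a keyed hash, a short lifetime, a small attempt budget, single use, and constant-time comparison. Delivery (SMS or email) is stubbed: `issue()` returns the code to the caller so the example runs offline. `SERVER_PEPPER` and the usernames are constructed placeholders.

```python
"""Issue/verify logic for a delivered one-time password (OTP).

Added example, not Equinix or PingID code. Shows the controls behind a
"code sent to your registered device" second factor.
"""
import hmac
import hashlib
import secrets
import time

OTP_TTL_SECONDS = 300      # code is valid for five minutes
MAX_ATTEMPTS = 3           # wrong guesses allowed before the code is voided
SERVER_PEPPER = b"constructed-placeholder-pepper"  # real deployments load this from a secret store


class FakeClock:
    """Injectable clock so expiry can be exercised without sleeping."""
    def __init__(self, start=1000.0):
        self.t = start

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class OtpVerifier:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # username -> {"digest", "issued_at", "attempts"}

    @staticmethod
    def _digest(username, code):
        # Keyed hash: a leaked table of digests cannot be brute-forced over the
        # one million possible codes without the server-side pepper.
        return hmac.new(SERVER_PEPPER, ("%s:%s" % (username, code)).encode(),
                        hashlib.sha256).digest()

    def issue(self, username):
        """Create a fresh 6-digit code for the user. Returns it for delivery."""
        code = "%06d" % secrets.randbelow(10 ** 6)   # CSPRNG, not random.randint
        self._pending[username] = {
            "digest": self._digest(username, code),
            "issued_at": self._clock(),
            "attempts": 0,
        }
        return code  # hand to the SMS/email sender; never log or store plaintext

    def verify(self, username, code):
        """Return (ok, reason). A code is consumed on success or exhaustion."""
        pend = self._pending.get(username)
        if pend is None:
            return False, "no pending code"
        if self._clock() - pend["issued_at"] > OTP_TTL_SECONDS:
            del self._pending[username]
            return False, "code expired"
        pend["attempts"] += 1
        if hmac.compare_digest(pend["digest"], self._digest(username, str(code))):
            del self._pending[username]   # single use: replay of a captured code fails
            return True, "ok"
        if pend["attempts"] >= MAX_ATTEMPTS:
            del self._pending[username]   # online guessing is capped per code
            return False, "too many attempts; request a new code"
        return False, "wrong code"


if __name__ == "__main__":
    v = OtpVerifier()
    code = v.issue("alice")          # constructed username
    print("delivered code:", code)
    print(v.verify("alice", "000000"))
    print(v.verify("alice", code))
```

The attempt cap is what keeps a six-digit code honest: without it, an attacker who already holds the password has a 1-in-a-million guess per try but an unbounded number of tries, and the TTL alone does not close that gap.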
Opting in for MFA
MFA can be activated at the Organization level by the Master Administrator for that Organization at their discretion. If the Organization opts in, all users within that Organization will be required to register a secondary authentication method using an alternate mechanism (cell phone, email, etc.) to receive the OTP for all subsequent logins to the ECX portal. Opting in for MFA for ECX will also automatically enable MFA on multiple Equinix portals, including the Equinix Customer Portal (ECP) and Internet Exchange Portal (IXP).
- To opt in for MFA, the Company Master Administrator needs to log into the Equinix Customer Portal (ECP) and click on the “Administration” option in the menu ribbon at the top of the screen.
- Select the “Account Management” option from the “Administration” drop-down menu.
- Select the “Multifactor Authentication” tile under the Security Management section (Figure 1).
- Click on “Send Request” in the ensuing Multi Factor Authentication pop-up.
Once MFA has been enabled for your Organization, an email notification will be sent to the Master Admin to indicate that they should notify users within their Organization about the requirement to register for MFA in order to continue to have access to the ECX portal.
Registering device(s) for MFA
- The first time you attempt to log in to the ECX portal after your Organization’s Master Admin has opted-in for MFA, you will be prompted with an MFA Introduction screen as shown below (Figure 2). Select “Continue” to advance to the alternate device registration options.
- You will be presented with 4 different alternate authentication methods as shown in Figure 3. Equinix recommends that you register at least two alternate authentication methods of your choice. You must finish registering one authentication method completely before registering other authentication methods.
** Note that the method you select first will be the primary alternate authentication method when you finish registration. Also, selecting the “Cancel” button at any point in this process will clear all registration methods previously configured.
- Methods of authentication:
  - SMS/Text: you will need to select your home country and provide a mobile number (Figure 4).
    When you click “Next”, you will be presented with a screen to enter the registration code/OTP that will be sent to the mobile number you provided (Figure 5).
    Enter the OTP in the provided field and click “Next”. You will see a screen notifying you of successful device registration (Figure 6). You will also have the option of registering another authentication method (recommended) or finishing the registration process here.
    Clicking on “Register Another” will return you to the Authentication methods screen.
    ** Note that you also have options at this point to change your primary authentication device, add another authentication method, reset the process and start over, or finish registration.
  - Email: you will need to provide an email address where the OTP will be sent (Figure 7).
    When you click “Next”, you will be presented with a screen to enter the registration code/OTP that will be sent to the email address you provided (Figure 8).
    Enter the OTP in the provided field and click “Next”. You will see a screen notifying you of successful device registration (Figure 9). You will also have the option of registering another authentication method or finishing the registration process here.
  - Desktop App: upon clicking “Next”, you will be required to first install the PingID application on your desktop (Figure 10). Click on the appropriate download icon for your computer’s OS and follow the instructions to install the application.
    After this is done, select Desktop App and you will be presented with a “Pairing Key”. Open the PingID desktop application, enter this pairing key and select “Pair”. You will be presented with a registration success screen. You can register another device or finish the registration process at this point.
  - Mobile App: you will be required to first download the PingID mobile app for your iOS or Android device from the app store on your smartphone. After this is done, select “Mobile App” and click “Next”. You will be shown a QR code as shown in Figure 11 below.
    Scan the QR code with the PingID app on your smartphone by framing the code within the scanning window of the application.
    Alternatively, you can manually enter the pairing key shown on the screen into the PingID app on your phone. You will be prompted with a success message. You can register another device or finish the registration process at this point.
- Once you have registered all the authentication methods you desire, select “Finish Registration”.
- The Registration Complete page will be displayed (Figure 12). Click “Continue to Sign On”. At this point, the system will automatically require you to authenticate using the first MFA method you registered.
Authenticating using MFA
- After you have registered your alternate authentication method(s), enter your username and password at the ECX portal login screen.
- You will see a pop-up notifying you that an OTP was sent to the primary method/device that you registered. Retrieve the OTP (from SMS, email, etc.), enter it in the entry field provided, and click “Sign On” (Figure 13).
Authenticating using alternate registered device
- You can choose to use a different authentication device when authenticating, provided you registered an alternate device. After entering your username and password, when presented with the popup to enter your OTP, click on “Change Device” instead (see Figure 13 above).
- A list of your registered authentication devices will be displayed. The selected method will be identified with a green bar to its left. Select the alternate authentication method and click on “Sign On” (Figure 14).
Changing Primary Authentication Device
- If you registered an alternate device, you can change your default primary device. After entering your username and password, when presented with the popup to enter your OTP, click on “Change Device” instead (see Figure 13 above).
- You will be presented with all the registered devices. Click on “Settings” as shown in Figure 14.
- Flipping one of the toggles on the right to green will activate that method as your primary method (Figure 15).
** Please note that when editing the primary authentication method, you will be required to authenticate with your existing method first.
- After changing the primary authentication mechanism, you will need to close your browser session and re-open another one to log into the ECX portal using your new primary authentication device.