Warning: This document contains instructions for adjusting synchronization settings that can adversely affect your device data, user data, and/or user mapping settings in Incident IQ. As such, only qualified personnel should proceed with making adjustments to the settings outlined in this document.
The Rapid Identity SSO Integration App allows administrators to facilitate logins through Rapid Identity single-sign on in Incident IQ. This also allows districts the ability to automatically populate and update user data in iiQ based on information from your local active directory server. The following guide is designed to provide an in-depth overview on how to manage the Rapid Identity SSO App in iiQ.
Not what you were looking for? Perhaps one of these other guides will help:
- Installing the Rapid Identity SSO App - A guide designed to provide step-by-step instructions on how to install the Rapid Identity SSO App in Incident IQ.
- Managing Incident IQ Apps - A guide designed to provide a brief overview of Incident IQ Apps and how to access app management.
You can use the following links below to quickly navigate to a specific section in this document. To quickly return to this index simply use the Return to Index link located at the end of any section.
- Accessing the Rapid Identity SSO App Management
- Overview Tab
- Identity Provider Settings Tab
- Login History Tab
- User Mappings Tab
- Location Mappings Tab
- Role Mappings Tab
- Sync History Tab
- User History Tab
- Sync Executable Tab
Accessing the Rapid Identity SSO App Management
Navigate to the Apps Management page and select the Manage button on the Rapid Identity SSO App.
This will take you to the Rapid Identity SSO App management page where you will be able to select the following tabs:
- Overview tab where you can view basic user and group data, reset your authentication status or run a manual sync with your active directory.
- Identity Provider Settings tab allows you to configure your Rapid Identity metadata, SAML attribute mappings, miscellaneous logic used during login attempts, as well as your login button.
- Login History tab where you can review both successful and unsuccessful login attempts made by your district users.
- User Mappings tab where you can update your filter settings and email translations.
- Location Mappings tab where you can change the default location users will automatically map to if they do not have an existing mapping in the system.
- Role Mappings tab where you can change the role users will automatically map to if they do not have an existing mapping in the system.
- User History tab where you can look up individual users data coming in from Rapid Identity.
- Sync Executable tab allows you to setup, update, and download your sync executable file.
This tab provides you with a brief summary of your current users, groups, and changes made to users in Incident IQ during the last sync with Rapid Identity.
In the General Settings tab you may enable the following settings:
- Enable User Login: This allows users to log into Incident IQ through the Rapid Identity SSO. If this option is disabled, then all accounts authenticated through Rapid Identity will be unable to log in.
- Enable User Sync: This option allows Incident IQ to update user accounts with data provided by the iiQconnectors app. Without this option, the ability to run nightly or manual user syncs will become disabled.
Also, you have the option of forcing a manual sync with your active directory by selecting Start New Sync. Please note that this import will only update user data based on the last data sent to Incident IQ through the connectors app. If you are running a manual sync during the day you will first want to manually run the connectors app to send over a new batch of user data.
Lastly, you can use the Download Service Provider Metadata link to access the Incident IQ metadata url. This is only needed during the installation process or when making changes to the Incident IQ vendor account in Rapid Identity.
Identity Provider Settings
This tab allows you to setup and configure your Rapid Identity metadata, SAML attribute mappings, miscellaneous logic used during login attempts.
Underneath the Identity Provider Setup, you may select whether your algorithm uses SHA-1 or SHA-256. Additionally, the metadata url used in this tab can be found in your Rapid Identity console under the Incident IQ vendor account created while installing the app. You do not have to populate or edit the metadata document as this is filled in automatically when you save your metadata url.
The SAML Attribute Mapping section allows you to determine what field Incident IQ should use when looking up users, and what field in Rapid Identity iiQ should be checking against.
The Identity Provider Options allows you to configure miscellaneous options used during user logins. They are as follows:
- Allow Identity Provider Initiated SSO: This option should be toggled on if your login requests originate, or can originate, from outside of Incident IQ.
- Allow Replay Attacks: This option should only be used if your users are experiencing "InResponseTo" errors when attempting to log in.
- Omit Assertion Signature Check: This will allow you assertions to omit the assertion signature check.
- Quirks Mode: This allows backwards compatibility for users accessing the site through webpages designed for older browsers.
- Don't Request Signed Assertion: This will allow your assertions to return unsigned.
- Ignore NameID length requirement: When this option is checked, the minimum length of the NameID will not be validated.
This tab allows you to search for all attempted logins to Incident IQ through Rapid Identity SSO. This includes the ability to see both successful and unsuccessful logins.
If needed, you can use the Filter Assertions or Login Results options to narrow the login results displayed on this page.
All login attempts that match your current search settings will appear at the bottom of the tab.
User Mappings Tab
From here, you can change your email filter and translation information, as well as your user creation, updating, and deletion settings.
Under the Filter section, you can select to include or exclude users being imported based on their email address, username, OU fragment(s), and group(s). Please note, you can only filter by one email address.
- Example Email Filter: If you set a filter for "@iiq.k12.ga.us" in the email section, Incident IQ will automatically ignore these email addresses containing this string during a sync.
- Example OU Filter: Setting a OU Filter of "OU=Guests" will ensure that all users that belong to this particular OU will not import during a sync.
Next is the Mapping section.Here you control how fields are populated in Incident IQ.
- Translate Username: This enables Incident IQ to translate username pulled from Enboard into a uniform format when storing in iiQ.
- Translate Email: This enables Incident IQ to translate email addresses pulled from Rapid Identity into a uniform format when storing in iiQ. This is useful, and often necessary when using Incident IQ in conjunction with programs such as Infinite Campus.
- Example: Setting a translation to find "@k12.us.com" and replace it with "@iiq.k12.ga.us" will ensure that all "@k12.us.com" addresses are updated and stored as "@iiq.k12.ga.us" in iiQ only. This will not make any changes to the addresses stored within Rapid Identity itself.
- Phone Number Mapping: select if you want to import phone numbers and the mapping process.
Control how users are populated in iiQ under the Import Handling section.
- Create User: When this box is checked, a new user will be created in Incident IQ for any new users found during the initial import from Rapid Identity, as well as any new users found when a sync is run.
- Update User: When enabled, a user will be updated in Incident IQ when any changes are found during a sync. This will update custom fields as well.
- Update Custom Fields: When enabled, only update custom fields for users when any changes are found during a sync.
- Set to 'No Access': When enabled, if a user is removed or disabled in Enboard change their role to no access in Incident IQ.
The Map custom values section allows you to select additional values you want imported and map them to default or custom fields in iiQ. This gives you the ability to pull in custom data fields and custom view column options. Click on the Add button.
Next, fill out the following field mapping options:
Please note, there may be pre-configured mapping and they can not be changed.
- Select the custom value
- Select the iiQ field the custom value should map too. You can map to default field or map to a custom field.
- If you map to a Custom Field, you will need to set a field name, select a field type (text, number, or date), and set whether the field information needs to be searchable through filters.
Please note, any custom field added here will need to also be setup in the sync executable as well in order for Incident IQ to pull this data field during a sync. Please refer to the Sync Executable tab for additional information on making changes to connectors executable.
Under the Additional Options section you can customize the Login Button Text. By default, the login button text is set to "Rapid Identity SSO."
Last section is Field Mappings. Controls which fields this app should update.
Location Mappings Tab
This tab allows you to select or modify your current location mappings between Incident IQ and Rapid Identity. The default location acts as a fallback for user accounts that do not match any of your other custom location mappings. Please note that if no custom role mappings are set, then all users brought into the system will default to this location.
When mapping to locations, you may use groups, OU fragments, location name, or any combination of the three. The custom mappings section allows you to specify your user groups or OUs you wish to utilize for mapping users to their respective locations. Please note, when using OUs you will want to structure them in the same format as the examples below:
- OU=Cold Harbor
- OU=Class of 2024
Role Mappings Tab
This tab allows you to select or modify which user groups are assigned to which role in Incident IQ. The default location acts as a fallback for user accounts that do not match any of your other custom role mappings. Please note that if no custom role mappings are set, then all users brought into the system will default to this role.
When mapping to roles, you may use groups, OU fragments, role name, or any combination of the three. The custom mappings section allows you to specify your user groups or OUs you wish to utilize for mapping users to their respective roles. Please note, when using OUs you will want to structure them in the same format as the examples below:
- OU=Staff and Faculty
- OU=IT Staff
Sync History Tab
This tab allows you to view your sync history between Rapid Identity SSO and Incident IQ. Every sync, whether it completed successfully or not, is logged for reference purposes. Clicking on View Details will display the number of users that have been added, updated, no change, set to no access during the course of that specific sync. To the right you can Download SSO Data.
Also, you can filter the sync data under the Details Status section. Select the status you would like to filter by and start entering in the users name or email address. Clicking on the users link will take you to the user history tab.
User History Tab
This tab allows you to search for any user's Rapid Identity information. This includes their Rapid Identity ID, email addresses, Group Membership, and their sync history. This information is useful in quickly determining if the user is affected by any email translations, establishing their group mappings, and identifying if syncing between the systems is being suppressed.
Sync Executable Tab
This tab allows you to configure your sync executable file used to access and send data to Incident IQ. Please note that if you make any changes to this page after initial setup, you will need to redownload a new executable file and replace your old one in order for these changes to take effect during syncs.
At least one profile should be setup on this page with the following data provided:
- AD Username
- AD Password
- AD Domain
- AD Server IP
You may also setup specific OUs to search for during syncs so the system only pulls user data from those. However, we recommend leaving the filters blank.
Also, you may also pull in additional attributes through the executable during syncs if needed. Please note, if you have any custom fields mapped in the Users Mapping tab, you will need to ensure they are properly setup here as well.