Add multiple users via IDP

The IDP user provider allows the owner of an organization to create users for that organization using an identity management system that supports OpenID Connect (e.g., Microsoft Azure Active Directory). This way, you can set up IDP in my.anydesk II. Users from your organization will then be able to log in with SSO using the organization's ID and their company credentials.
	Prerequisites Configure IDP Set up IDP Mapper

In this chapter, you will learn what prerequisites are needed for IDP setup, how to configure IDP via the my.anydesk management console, and how to set up an IDP mapper. 

For more information about user provider types, see User Providers. 

Prerequisites

Before configuring IDP in my.anydesk II, you need to set up your identity provider first. You can use any third-party identity provider that supports OpenID Connect, such as Microsoft Azure Active Directory.

For IDP configuration in my.anydesk II, you will need the following data: 

• Client Secret. Copy and paste the URL to the Client Secret field when configuring IDP Setup.
• Application (Client ID). Copy and paste the URL into the Client ID field.
• Authorization endpoint. Copy and paste the URL into the Authentication URL field.
• Token endpoint. Copy and paste the URL into the Token URL field.

Configure IDP

You need to configure IDP to create a connection between my.anydesk II and your identity provider.

To configure IDP in my.anydesk II:

1. Open my.anydesk II and go to Organization. 
2. In the General section, click Edit. In the field User Provider, select IDP. 
3. In the Switch active provider window, select Proceed.
4. Scroll down to the IDP Setup section, click Edit and provide the following information:
   • Redirect URI - Generated automatically when the IDP setup is completed. Copy the Redirect URI value after finishing the setup and paste it to your respective identity provider.
   • Client ID - Copy the Application (Client ID) value from your IDP and paste it here. It is used to register my.anydesk as an OIDC client with your provider. 
   • Client Secret - Copy the Client Secret value from your IDP and paste it here. It is used to register my.anydesk as an OIDC client with your provider. 
   • Token URL - Copy the Token endpoint value from your IDP and paste it here. It returns the access tokens, ID tokens, and refreshes tokens to the client (my.anydesk).
   • Authorization URL - Copy the Authorization endpoint value from your IDP and paste it here. It is used for authentication and authorization of my.anydesk client.
   • Trust Email - Turn the toggle off to let users verify their email address via my.anydesk II. Turn the toggle on to disable my.anydesk II email verification.
   • Backchannel Logout - Turn on the toggle to enable the support of backchannel logout by configured IDP. If enabled, the Logout URL field must be provided.
   • Logout URL - Provide the endpoint to log out users from external IDP. Backchannel Logout must be enabled.
   • Allowed Clock Skew - Provide value in seconds (the default value is 0). It determines the acceptable skew when validating IDP tokens.
   • Default Scopes - The scopes included when requesting authorization. The default is openid. Provide a comma-separated list of additional scopes you want to request.
   • Validate Signatures - turn on the toggle to enable signature validation of configured IDP. If enabled, the JWKS URL field must be provided.
   • JWKS URL - URL where my.anydesk II can retrieve the keys for the configured IDP. Validate Signatures must be enabled.
     
5. Click Finish edit.  
6. After saving the identity provider, copy the assigned Redirect URI.
7. Open your identity provider and go to Authentication.

   ❗  Microsoft AzureAD identity provider is used in this example to showcase the procedure. You can use any other third-party identity provider.

8. Click Add a platform, select Web and paste the Redirect URI you copied after saving the identity provider in my.anydesk II.
   
9. Click Configure.

After completing the above steps, all users from your your identity provider will be able to sign in to my.anydesk II with SSO using the organization's ID.

Set up IDP mapper

You can map roles from your organization to users in my.anydesk II. This way, you do not need to assign roles to users manually.

First, you need to configure a group token in your identity provider. Then, in order to set up the IDP mapper, at least one role needs to already exist in the my.anydesk II management console. This role can then be mapped to a role within the identity provider.

After mapping the role(s), its status will change to mapped. This means that users can no longer be manually linked to that role. Deleting the IDP mapper will remove the mapped status, allowing you to manually link users to that role.

To set up the IDP mapper:

1. Open my.anydesk II and go to Organization. 
2. Scroll down to the IDP mapper section, click Create new IDP mapper and provide the following information:
   • Name - Enter the name for the IDP mapper.
   • Claim - Provide the following information:  
     • Key - Enter the key of the IDP attribute you wish to map.
     • Value - Enter the value of the IDP attribute you wish to map. 
   • Role - Select the role from the drop-down list that you wish to assign to the specified IDP user within the my.anydesk.com management console.  
     
3. Click Create new IDP mapper. 

If a user with matching key-value criteria logs into their my.anydesk II account, they will automatically have all the permissions assigned to the role they were mapped to.

Example

For example, if you want every user from your identity provider with the first name John to be given the administrator AnyDesk role, then for the Key field, enter FirstName (depending on the key in your IDP), for the Value field, enter John, and in the Role field, select admin.