Authenticating registrations using Identity Providers
This topic explains how to configure Pexip Infinity and your chosen Identity Provider to enable users to register their Pexip app for Windows using their SSO credentials. It covers:
Prerequisites
- You must have configured Pexip Infinity with the aliases to be registered. For full instructions, see Registering devices to Pexip Infinity.
- You must have configured Pexip Infinity with a supported Identity Provider. For full instructions, see Using Identity Providers.
Configuring Identity Providers
Registration alias
To use an Identity Provider to authenticate client registrations, when configuring the Identity Provider you must enter a value for the Registration Alias Attribute Name (SAML) or Registration Alias Claim Name (OpenID Connect).
The alias returned by the Identity Provider must match the alias being registered, otherwise the registration is not permitted.
Display name
When configuring the Identity Provider you can optionally enter a value for the Display Name Attribute Name (SAML) or Display Name Claim Name (OpenID Connect).
The name returned is used as the user's display name. If the field is blank, the user's alias is used as their display name.
Users cannot change the display name provided during registration. However, if they use their registered Pexip app for Windows to join a VMR that requires authentication, and that VMR uses a different Identity Provider from the one used for registration, their display name will be the name provided during the VMR authentication process.
Session duration and timeout
To prevent a user from authenticating with your Identity Provider and staying authorized indefinitely, the Pexip app for Windows periodically invalidates the session and requires users to re-authenticate their registration. If you have not customized the session timeout duration, the session will be invalidated 24 hours after successful authentication.
For OIDC IdPs, the session timeout duration is controlled via the required exp field of the JWT provided by the IdP.
For SAML IdPs, you customize the session timeout duration either:
- via the SessionNotOnOrAfter attribute and value (if this is supported by your IdP), or
- by configuring a SessionDuration custom attribute and value. For an example of how to do this for Microsoft Entra ID, see Microsoft Entra ID (formerly known as Azure AD).
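The three rules above (the returned alias must match the alias being registered, the display name falls back to the alias, and the session expiry comes from the OIDC exp claim or from the SAML SessionNotOnOrAfter / SessionDuration attributes with a 24-hour default) can be modelled as a small decision function. The following is an added illustration, not Pexip's code: the dictionary shapes, the claim and attribute names in the constructed sample inputs, and the assumption that SessionDuration is given in seconds are all hypothetical, and the IdP response is assumed to have already been signature-verified.

```python
"""Added example (not Pexip's code): evaluate one IdP response against the
registration rules described on this page.

Assumptions: `identity` is a flat dict of OIDC claims or SAML attributes whose
signature has already been verified; SessionDuration is a number of seconds;
the 24-hour default is the one stated in the text.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

DEFAULT_SESSION = timedelta(hours=24)  # page: session is invalidated 24 h after auth


@dataclass
class RegistrationDecision:
    allowed: bool
    alias: str
    display_name: str
    expires_at: Optional[datetime]
    reason: str = ""


def _oidc_expiry(claims: dict) -> datetime:
    # OIDC: the required exp claim (seconds since epoch) drives the timeout.
    if "exp" not in claims:
        raise ValueError("OIDC token is missing the required exp claim")
    return datetime.fromtimestamp(int(claims["exp"]), tz=timezone.utc)


def _saml_expiry(attrs: dict, authenticated_at: datetime) -> datetime:
    # SAML: SessionNotOnOrAfter if the IdP supplies it, otherwise a custom
    # SessionDuration attribute (assumed to be seconds), otherwise the default.
    if "SessionNotOnOrAfter" in attrs:
        return datetime.fromisoformat(attrs["SessionNotOnOrAfter"].replace("Z", "+00:00"))
    if "SessionDuration" in attrs:
        return authenticated_at + timedelta(seconds=int(attrs["SessionDuration"]))
    return authenticated_at + DEFAULT_SESSION


def evaluate_registration(protocol: str, identity: dict, requested_alias: str,
                          alias_field: str, display_name_field: Optional[str],
                          authenticated_at: datetime) -> RegistrationDecision:
    """alias_field / display_name_field mirror the Registration Alias and
    Display Name attribute (SAML) or claim (OIDC) names configured on Pexip."""
    returned_alias = identity.get(alias_field)
    # Rule 1: the alias the IdP returns must match the alias being registered
    # (exact comparison here; the page only says "must match").
    if returned_alias != requested_alias:
        return RegistrationDecision(False, requested_alias, "", None,
                                    f"alias mismatch: IdP returned {returned_alias!r}")
    # Rule 2: display name from the configured field, else the alias itself.
    display_name = requested_alias
    if display_name_field and identity.get(display_name_field):
        display_name = identity[display_name_field]
    # Rule 3: session expiry depends on the protocol.
    if protocol == "oidc":
        expires_at = _oidc_expiry(identity)
    elif protocol == "saml":
        expires_at = _saml_expiry(identity, authenticated_at)
    else:
        raise ValueError(f"unsupported protocol {protocol!r}")
    return RegistrationDecision(True, requested_alias, display_name, expires_at, "ok")


# Constructed sample inputs (hypothetical users and claim names).
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
OIDC_CLAIMS = {"sub": "abc123", "preferred_username": "alice@example.com",
               "name": "Alice Example", "exp": int(NOW.timestamp()) + 3600}
SAML_ATTRS_WITH_DURATION = {"registrationAlias": "alice@example.com", "SessionDuration": "7200"}
SAML_ATTRS_DEFAULT = {"registrationAlias": "alice@example.com"}


def demo_oidc(requested_alias: str = "alice@example.com") -> RegistrationDecision:
    return evaluate_registration("oidc", OIDC_CLAIMS, requested_alias,
                                 "preferred_username", "name", NOW)


def demo_saml(attrs: dict = SAML_ATTRS_WITH_DURATION) -> RegistrationDecision:
    return evaluate_registration("saml", attrs, "alice@example.com",
                                 "registrationAlias", None, NOW)


if __name__ == "__main__":
    for decision in (demo_oidc(), demo_oidc("bob@example.com"),
                     demo_saml(), demo_saml(SAML_ATTRS_DEFAULT)):
        print(decision)
```

Running the module prints one decision per sample: the OIDC registration is allowed with display name "Alice Example" and a one-hour expiry; the same token presented for bob@example.com is refused because the returned alias does not match; the SAML response with SessionDuration expires two hours after authentication; and the SAML response without any session attribute falls back to the 24-hour default and, lacking a display name field, uses the alias as the display name.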
Identity Provider groups
We recommend that you create a separate Identity Provider group specifically for authenticating app registrations, containing a single Identity Provider. You then select this Identity Provider group when configuring your device aliases.