# Domain

## Overview

The **Domain** section of the Admin Console displays domain-level settings and allows administrators to manage users, security policies, access controls, and integrations. To view Domain settings, navigate to **Admin** from Connected Home and select **Domain** from the left navigation menu.

The Domain settings page contains the following sections, accessible from the left navigation submenu:

| Section             | Description                                                              |
| ------------------- | ------------------------------------------------------------------------ |
| **Usage reports**   | Generate reports on user sessions, login activity, and workgroup events. |
| **Sessions**        | Configure idle session timeout, JWT expiration, and API key settings.    |
| **User management** | Manage domain users, allowed emails, and service accounts.               |
| **Access**          | Restrict domain access by IP address or CIDR range.                      |
| **Collaboration**   | Configure collaboration domain namespaces.                               |
| **Roles**           | Create and manage custom roles with unique permission settings.          |
| **Authentication**  | Configure the authentication type (Default or SAML SSO).                 |
| **Passwords**       | Set password strength, reuse, and lockout policies.                      |
| **DNS domain**      | Verify DNS domain ownership for SSO configuration.                       |
| **About**           | View the domain name, namespace, and ID.                                 |

## About

The **About** section displays basic information about the domain: the domain **Name**, **Namespace**, and **ID**. Click **Change name** to update the domain display name.

![About section showing domain name, namespace, and ID](/files/DZjlqnkvAgT54tjiwYLa)

## Usage Reports

The **Usage reports** section allows you to generate reports on domain activity.

![Usage reports section with report type selection, date range, and recipients](/files/A9TIbnV1lfnHYdzJZcX9)

Select a report type:

| Report Type              | Description                                                                                          |
| ------------------------ | ---------------------------------------------------------------------------------------------------- |
| **General Usage Report** | User sessions, last login details, registration date, and usernames.                                 |
| **Login Report**         | Account activity including client IP addresses, applications accessed, event types, and user emails. |
| **Workgroup Report**     | Workgroup activities, including event data for actions performed by each user.                       |

Select a **Date range** and enter the email addresses of the **Recipients** who should receive the report. Click **Generate reports** to submit.

{% hint style="info" %}
Usage reports can only be generated for the last 90 days. For information older than 90 days, contact Illumina Support.
{% endhint %}

## Sessions

The **Sessions** section allows you to configure session timeout and API key settings.

![Sessions section showing idle session timeout, JWT expiration, and API key settings](/files/JcTPxKglYU0ADN93UiNu)

#### Idle Session and JSON Web Token (JWT)

| Setting                             | Description                                                                                                              |
| ----------------------------------- | ------------------------------------------------------------------------------------------------------------------------ |
| **Session timeout**                 | The number of minutes a session can be idle before it times out. Accepted values are 5–60 minutes. Set to -1 to disable. |
| **JSON Web Token (JWT) expiration** | The duration before the JSON Web Token expires. Accepted values are 120–10,080 minutes (2 hours to 7 days).                         |

#### API Keys

| Setting                 | Description                                                                    |
| ----------------------- | ------------------------------------------------------------------------------ |
| **API keys expiration** | The number of days before an API key expires. Set to -1 to disable expiration. |
| **Max active API keys** | The maximum number of active API keys a user can have at the same time.        |

Click **Edit** to modify these settings.

## User Management

The **User management** section contains three tabs: **Users**, **Allowed emails**, and **Service accounts**.

### Users

The **Users** tab displays a list of all domain users with their name, email, domain role, and action buttons.

![User management Users tab showing domain owner, search bar, user table with name, email, domain role, and actions](/files/CBhh3fLN4ys6Obxx0mhQ)

The **Domain owner** is displayed at the top of the page. Use the **Search username** box and **All users** dropdown to filter by name or role.

Each user row shows:

| Column          | Description                                          |
| --------------- | ---------------------------------------------------- |
| **Name**        | The user's display name. Click to view user details. |
| **Email**       | The user's email address.                            |
| **Domain role** | Admin or User.                                       |
| **Actions**     | View user details or delete the user.                |

#### Change Domain Owner

To change the domain owner, click **Change owner** at the top of the Users tab.

![Change domain owner modal with Owner email field](/files/SILbyr7pRSvKUd5Lfehj)

The domain owner is the primary administrator and main point of contact for the domain. They receive monthly emails about iCredit balances and are automatically assigned to any new orders placed for the domain. Enter the new owner's email address and click **Change owner**.

{% hint style="info" %}
Assigning a domain owner automatically makes them a domain administrator. The previous domain owner will remain a domain administrator.
{% endhint %}

#### Invite Users

To invite users to the domain, click **+ Invite** at the top of the Users tab. Enter one or more email addresses to send domain invitations.

### Allowed Emails

The **Allowed emails** tab controls which email addresses can join the domain.

![Allowed emails tab showing allowed email addresses and allowed email suffixes](/files/UDmXxGB2AjSIk631ExQr)

| Setting                     | Description                                                                                            |
| --------------------------- | ------------------------------------------------------------------------------------------------------ |
| **Allowed email addresses** | Users can join the domain if their email exactly matches one of these addresses.                       |
| **Allowed email suffixes**  | Users can join the domain if their email contains one of these suffixes (do not include the @ symbol). |

{% hint style="warning" %}
It is not recommended to allow common email suffixes such as gmail.com.
{% endhint %}

Click **Edit** to add or remove allowed emails and suffixes.

### Service Accounts

The **Service accounts** tab displays special accounts used by applications or services to interact with the domain without requiring a user to log in.

![Service accounts tab showing PGUID, account status, activation date, expiration date, application, and actions](/files/pLjPS7Et59DytoFzg0o9)

Toggle **Enable service accounts** to allow or block service accounts. When disabled, existing service accounts are blocked and new ones cannot be created.

The service accounts table shows each account's PGUID, status, activation date, expiration date, associated application, and action buttons. Click the **manage** icon in the Actions column to view the account's state and API keys.

## Access

The **Access** section allows you to restrict domain access by IP address or CIDR range.

![Access section showing method of access management and IP address/CIDR range fields](/files/gDpD10dqK2ZuEK2tpAJM)

Select a method of access management:

* **Create an allow-list for IP addresses/CIDR to allow access** — Only the specified addresses will be allowed.
* **Create a block-list of IP addresses/CIDR to block access** — The specified addresses will be blocked.

Enter IP addresses or CIDR ranges separated by commas (e.g., `192.10.10.1`, `192.255.10.*`, `192.10.10.0/32`). Click **Edit** to modify these settings.
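As an added example (not Illumina's code, and not a description of how the platform evaluates the list internally), the following Python models the three entry formats shown above and the difference between allow-list and block-list mode, so an administrator can dry-run a candidate list against known client addresses before saving it. The `lockout_risk` check answers the question that matters most in allow-list mode: does the list still admit the address the administrator is editing from? The matching rules (exact address, `*` wildcard per octet, CIDR membership) are assumptions based on the examples in the text; the sample list is constructed.

```python
from __future__ import annotations

import ipaddress

# Constructed sample input in the three formats the Access field accepts:
# an exact address, a wildcard pattern and a CIDR range.
SAMPLE_ENTRIES = "192.10.10.1, 192.255.10.*, 192.10.10.0/32"


def parse_entries(text: str) -> list[str]:
    """Split the comma-separated field the console expects into entries."""
    return [e.strip() for e in text.split(",") if e.strip()]


def validate_entries(entries: list[str]) -> list[str]:
    """Return a description of every entry that is malformed or ambiguous."""
    problems = []
    for e in entries:
        try:
            if "/" in e:
                net = ipaddress.IPv4Network(e, strict=False)
                if str(net) != e:  # e.g. 192.10.10.5/24 is really 192.10.10.0/24
                    problems.append(f"{e}: host bits set, will be read as {net}")
            elif "*" in e:
                octets = e.split(".")
                if len(octets) != 4 or any(o != "*" and not 0 <= int(o) <= 255 for o in octets):
                    raise ValueError(e)
            else:
                ipaddress.IPv4Address(e)
        except ValueError:
            problems.append(f"{e}: not a valid address, wildcard pattern or CIDR")
    return problems


def entry_matches(entry: str, ip: ipaddress.IPv4Address) -> bool:
    """Return True if one list entry covers the client address (assumed semantics)."""
    if "/" in entry:
        return ip in ipaddress.IPv4Network(entry, strict=False)
    if "*" in entry:
        # Wildcard octets: every non-'*' octet must match exactly.
        want = entry.split(".")
        if len(want) != 4:
            raise ValueError(f"malformed wildcard entry: {entry!r}")
        have = str(ip).split(".")
        return all(w == "*" or w == h for w, h in zip(want, have))
    return ip == ipaddress.IPv4Address(entry)


def is_access_allowed(client_ip: str, entries: list[str], mode: str) -> bool:
    """Evaluate a client address under allow-list or block-list semantics.

    mode="allow": only listed addresses get in.
    mode="block": listed addresses are refused, everyone else gets in.
    """
    ip = ipaddress.IPv4Address(client_ip)
    matched = any(entry_matches(e, ip) for e in entries)
    if mode == "allow":
        return matched
    if mode == "block":
        return not matched
    raise ValueError(f"unknown mode: {mode!r}")


def lockout_risk(admin_ip: str, entries: list[str], mode: str) -> bool:
    """True if saving this list would shut out the administrator's own address."""
    return not is_access_allowed(admin_ip, entries, mode)


if __name__ == "__main__":
    entries = parse_entries(SAMPLE_ENTRIES)
    print("problems:", validate_entries(entries))
    for client in ("192.10.10.1", "192.255.10.77", "192.10.10.2"):
        print(client, "allow-list:", is_access_allowed(client, entries, "allow"),
              "block-list:", is_access_allowed(client, entries, "block"))
    print("would lock out 10.0.0.5 in allow mode:", lockout_risk("10.0.0.5", entries, "allow"))
```

Run `validate_entries` on the list first: a CIDR with host bits set is silently widened, and a typo in a wildcard entry fails closed in allow mode, which is exactly when it is hardest to notice.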

## Collaboration

The **Collaboration** section allows you to configure the collaboration domain namespaces for inviting users via Collaborative Enterprise.

![Collaboration section showing allowed namespaces](/files/gJoU3waU5FuOo2Eau1gM)

Enter a domain namespace and click **Edit** to add it to the allowed list. Users from these namespaces can be invited to workgroups via Collaborative Enterprise.

## Roles

The **Roles** section allows domain administrators to create and manage custom roles with unique permission settings that provide access control within workgroups.

{% hint style="warning" %}
Be cautious when applying custom roles — incorrect setup may lead to restricted access and unexpected issues.
{% endhint %}

Use the **Search** box to filter by application name or role name. The table displays each role's name, associated application, description, type (System or Custom), last modified date, and available actions.

Click a role name to view its detailed permissions. To create a new role, click **+ Create role**, select an application, enter a role name and optional description, and select at least one permission.

## Authentication

The **Authentication** section allows you to configure the domain's authentication method.

![Authentication section showing authentication type and multi-factor authentication settings](/files/0DLUXEuFJRQmo1INOWpB)

#### Authentication Type

| Type        | Description                                                                                                                          |
| ----------- | ------------------------------------------------------------------------------------------------------------------------------------ |
| **Default** | The Illumina Authentication System manages user credentials.                                                                         |
| **SAML**    | Users are redirected to your Identity Provider (IdP) to authenticate via SAML 2.0 (see [Single Sign-On](#single-sign-on-sso) below). |

#### Multi-Factor Authentication (MFA)

{% hint style="info" %}
If your Authentication Type is configured to SAML, MFA settings are managed by your SAML provider.
{% endhint %}

| Setting                                | Description                                                                      |
| -------------------------------------- | -------------------------------------------------------------------------------- |
| **Require MFA**                        | Enable or disable multi-factor authentication for the domain.                    |
| **Users need to configure MFA within** | The number of days users have to complete MFA setup before it becomes mandatory. |
| **Lock user account after**            | The number of unsuccessful MFA attempts before the account is locked.            |

Click **Edit** to modify authentication settings.

### Single Sign-On (SSO)

{% hint style="warning" %}
SSO requires an Illumina Connected Software domain subscription. It is not available for BaseSpace Free Trial or BaseSpace Professional accounts, which do not include a domain.
{% endhint %}

To enable logging into the platform using your organization's identity provider (IdP), configure SAML in the Authentication section.

To configure SSO, follow these steps:

1. Verify your organization's DNS domain in Illumina Connected Software (ICS).
2. Create a SAML 2.0 application in your IdP.
3. Configure ICS with your IdP metadata and attribute mappings.
4. Switch your domain authentication to SAML and test.

#### Prerequisites

* An active **Illumina domain subscription**
* A domain administrator account for your Illumina domain
* Access to your IdP to configure the SP application
* Your IdP configurations:
  1. Metadata XML
  2. SAML Attributes for EmailId, firstName, LastName

#### Configure DNS Domain

**Step 1: Create DNS Domain record**

1. Go to the [Admin Console](https://platform.login.illumina.com/iam) for your Illumina domain, and navigate to the **Domain** tab.
2. Navigate to the **DNS domain** menu.

![DNS domain section showing domain verification table and DNS email exclusion](/files/DacxrbAHahO8ofOHvuzi)

3. Enter your domain (e.g., company.com) and click **Add**.
4. Copy the TXT record value for the new entry.

**Step 2: Verify DNS Domain**

To confirm domain ownership, add a TXT record to your Domain Name System (DNS) host using the TXT Record Value. DNS propagation can take up to 72 hours. Illumina Connected Software automatically checks for the record during this time.

{% tabs %}
{% tab title="AWS Route 53" %}

1. To add your TXT record to AWS, see [Creating records by using the Amazon Route 53 console](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resource-record-sets-creating.html).
2. Wait up to 72 hours for TXT record verification.
3. After the record is live, go to **DNS domain** in the Admin Console and select **Verify**.
{% endtab %}

{% tab title="Google Cloud DNS" %}

1. To add your TXT record to Google Cloud DNS, see [Verifying your domain with a TXT record](https://cloud.google.com/identity/docs/verify-domain-txt).
2. Wait up to 72 hours for TXT record verification.
3. After the record is live, go to **DNS domain** in the Admin Console and select **Verify**.
{% endtab %}

{% tab title="GoDaddy" %}

1. To add your TXT record to GoDaddy, see [Add a TXT record](https://www.godaddy.com/help/add-a-txt-record-19232).
2. Wait up to 72 hours for TXT record verification.
3. After the record is live, go to **DNS domain** in the Admin Console and select **Verify**.
{% endtab %}

{% tab title="Other providers" %}

1. Sign in to your domain host.
2. Add a TXT record to your DNS settings and save the record.
3. Wait up to 72 hours for TXT record verification.
4. After the record is live, go to **DNS domain** in the Admin Console and select **Verify**.
{% endtab %}
{% endtabs %}

#### Connect SSO

**Step 1: Create SSO connection in IdP**

The Illumina Connected Software service provider (SP) application uses the following configuration:

* **Entity ID**: `https://login.illumina.com/saml-service/saml/metadata`
* **ACS (Assertion Consumer Service) URL**: `https://login.illumina.com/saml-service/saml/SSO`
* **Binding**: HTTP-POST
* **NameID Format**: `urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress`

{% tabs %}
{% tab title="Okta" %}

1. Sign in to your Okta account and open the Admin portal.
2. Select **Administration** and then **Create App Integration**.
3. Select **SAML 2.0**, then **Next**.
4. Name your app "Illumina Connected Software".
5. Optional: Upload a logo.
6. Paste the service provider configuration values from above:
   * ACS URL → **Single Sign On URL**
   * Entity ID → **Audience URI (SP Entity ID)**
7. Configure the following settings:
   * Name ID format: `EmailAddress`
   * Application username: `Email`
   * Update application username on: `Create and update`
8. Under **Attribute Statements**, enter the following Name → Value attributes. Make sure the **Name format** is set to "URI Reference."
   1. email → user.email
   2. first → user.firstName
   3. last → user.lastName
9. Select **Next**.
10. Select the **This is an internal app that we have created** checkbox.
11. Select **Finish**.
{% endtab %}

{% tab title="Microsoft Entra ID" %}

1. Sign in to Microsoft Entra (formerly Azure AD).
2. Select **Default Directory** > **Add** > **Enterprise Application**.
3. Choose **Create your own application**, name it "Illumina Connected Software", and choose **Non-gallery**.
4. After creating your app, go to **Single Sign-On** and select **SAML**.
5. Select **Edit** on the **Basic SAML configuration** section.
6. Edit **Basic SAML configuration** and paste values from above:
   * Entity ID → **Identifier**
   * ACS URL → **Reply URL**
7. Save the configuration.
8. From the **SAML Signing Certificate** section, download the **Federation Metadata XML**.
{% endtab %}
{% endtabs %}

**Step 2: Connect Illumina Connected Software to your IdP**

![Authentication section with SAML enabled, showing IdP URL, SAML configuration file upload, and attribute mappings](/files/gmFe63RbOm24wUUttUXg)

Complete the integration by pasting your IdP values into Illumina Connected Software:

1. Go to the [Admin Console](https://platform.login.illumina.com/iam) for your Illumina domain, and navigate to the **Domain** tab.
2. Navigate to the **Authentication** menu and enable the **SAML** Authentication Type.

{% tabs %}
{% tab title="Okta" %}

1. In Okta, select your app and go to **View SAML setup instructions**.
2. Copy the Identity Provider **Single Sign-in URL**.
3. Copy and paste the **IDP Metadata** into a text editor. Save the file.
4. Return to the Illumina Connected Software Admin Console.
5. Paste the **Sign-in URL** in the IdP URL field.
6. Upload the IDP Metadata file to the "Select SAML Configuration File" file uploader.
7. Add the SAML Attribute Mappings:
   * EmailId → email
   * Last name → last
   * First name → first
8. Review and select **Save**.
{% endtab %}

{% tab title="Microsoft Entra ID" %}

1. In Entra ID, copy the **Login URL** from the Configuration URLs.
2. Return to the Illumina Connected Software Admin Console.
3. Paste the **Login URL** in the IdP URL field.
4. Upload the **Federation Metadata XML** file to the "Select SAML Configuration File" file uploader.
5. Add the SAML Attribute mappings:
   * EmailId → `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/userPrincipalName`
   * Last name → `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname`
   * First name → `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenName`
6. Review and select **Save**.
{% endtab %}
{% endtabs %}

Allow 15 minutes for the Illumina Service Provider to update with the provided information. To confirm SAML configuration changes, attempt to log in using a qualified email (e.g., @company.com).
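The two tabs above boil down to handing the SP an IdP metadata file and three attribute mappings. As an added example (not Illumina's code and not the platform's parser), the Python below reads a constructed IdP metadata document, extracts what the SP configuration above depends on (the entity ID, the HTTP-POST sign-in URL, the advertised NameID formats and a signing certificate), and flags the mismatches that typically surface only as a failed test login. It then applies the Okta-style and Entra ID-style attribute mappings from the tabs to a sample assertion's attributes and refuses to produce a user record with a missing field. The metadata, certificate placeholder and assertion attributes are constructed sample data.

```python
from __future__ import annotations

import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed IdP metadata (not a real provider's file). Real metadata carries
# a full base64 certificate and often several key entries and bindings.
SAMPLE_IDP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.com/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>MIIC...CERT-PLACEHOLDER...</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Attribute mappings from the Okta and Entra ID tabs: ICS field -> IdP attribute name.
OKTA_MAPPING = {"EmailId": "email", "First name": "first", "Last name": "last"}
ENTRA_MAPPING = {
    "EmailId": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/userPrincipalName",
    "First name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenName",
    "Last name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
}


def inspect_idp_metadata(xml_text: str) -> dict:
    """Pull the values the SP needs out of IdP metadata and pre-flight them.

    Only parse metadata downloaded from your own IdP; for XML from a less
    trusted source use defusedxml rather than the standard-library parser.
    """
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    nameid_formats = [n.text.strip() for n in idp.findall("md:NameIDFormat", NS) if n.text]
    # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
    signing_certs = [
        k for k in idp.findall("md:KeyDescriptor", NS)
        if k.get("use", "signing") == "signing" and k.find(".//ds:X509Certificate", NS) is not None
    ]
    problems = []
    if HTTP_POST not in sso:
        problems.append("IdP offers no HTTP-POST SingleSignOnService; the SP binding is HTTP-POST")
    if nameid_formats and EMAIL_NAMEID not in nameid_formats:
        problems.append("IdP does not advertise the emailAddress NameID format the SP expects")
    if not signing_certs:
        problems.append("no signing certificate: the SP could not verify assertion signatures")
    return {
        "entity_id": root.get("entityID"),
        "sso_post_url": sso.get(HTTP_POST),   # goes into the IdP URL field
        "nameid_formats": nameid_formats,
        "signing_certs": len(signing_certs),
        "problems": problems,
    }


def map_attributes(assertion_attrs: dict[str, str], mapping: dict[str, str]) -> dict[str, str]:
    """Apply the console's attribute mapping to one assertion's attributes.

    A missing or empty attribute raises instead of yielding a user with a
    blank EmailId, which is the usual symptom of a mistyped mapping.
    """
    missing = [idp_attr for idp_attr in mapping.values() if not assertion_attrs.get(idp_attr)]
    if missing:
        raise ValueError(f"assertion lacks mapped attribute(s): {missing}")
    return {ics_field: assertion_attrs[idp_attr] for ics_field, idp_attr in mapping.items()}


if __name__ == "__main__":
    print(inspect_idp_metadata(SAMPLE_IDP_METADATA))
    print(map_attributes({"email": "jane@company.com", "first": "Jane", "last": "Doe"}, OKTA_MAPPING))
```

The check on the NameID format matters because the SP configuration above requires `emailAddress`; an IdP that only advertises `unspecified` or `persistent` will authenticate the user and then fail to match them to an ICS account.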

## Passwords

The **Passwords** section allows you to configure password policies for domain users.

{% hint style="info" %}
If your Authentication Type is configured to SAML Single Sign-On, this section is not visible. Your SAML provider's password settings will be used instead.
{% endhint %}

![Passwords section showing strength, reuse, and account lock settings](/files/oLZT0bH4fTALRybnD3ui)

#### Strength

| Setting            | Description                                                 |
| ------------------ | ----------------------------------------------------------- |
| **Minimum length** | Choose a minimum password length between 8 and 10 characters. |
| **Requirements**   | Require special characters, digits, and mixed case letters. |

#### Reuse

| Setting                                           | Description                                                                  |
| ------------------------------------------------- | ---------------------------------------------------------------------------- |
| **Prevent reusing the previous**                  | The number of recent passwords that cannot be reused.                        |
| **Only check for previous passwords in the past** | The number of days to look back when checking for previously used passwords. |

#### Account Lock

| Setting                | Description                                                                  |
| ---------------------- | ---------------------------------------------------------------------------- |
| **Lock account after** | The number of unsuccessful login attempts that will trigger an account lock. |

Click **Edit** to modify password settings.
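The three tables above describe a policy; as an added example (not Illumina's code, and the numeric values are assumptions rather than platform defaults), the Python below implements equivalent checks so the interaction between the settings is visible. The point worth seeing is how the two Reuse settings combine: the lookback window is applied first, and "prevent reusing the previous N" then counts only passwords set within that window, so a password older than the window is reusable even if it was among the last N. Password history is stored as salted PBKDF2 digests from the standard library; the sample history and policy values are constructed.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import string
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class PasswordPolicy:
    """The knobs from the Passwords section; numeric values here are assumed."""
    min_length: int = 10            # console range is 8 to 10
    require_special: bool = True
    require_digit: bool = True
    require_mixed_case: bool = True
    prevent_reuse_last: int = 5     # "Prevent reusing the previous" N passwords
    reuse_lookback_days: int = 365  # "Only check for previous passwords in the past" D days
    lock_after_failures: int = 5    # "Lock account after" N unsuccessful attempts


@dataclass(frozen=True)
class PasswordRecord:
    salt: bytes
    digest: bytes
    set_at: datetime


def _digest(password: str, salt: bytes) -> bytes:
    # Standard-library PBKDF2; a deployment would use argon2id or bcrypt.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def record_password(password: str, set_at: datetime) -> PasswordRecord:
    salt = os.urandom(16)
    return PasswordRecord(salt, _digest(password, salt), set_at)


def strength_violations(password: str, policy: PasswordPolicy) -> list[str]:
    """Strength table: length plus the three character-class requirements."""
    v = []
    if len(password) < policy.min_length:
        v.append(f"shorter than {policy.min_length} characters")
    if policy.require_special and not any(c in string.punctuation for c in password):
        v.append("no special character")
    if policy.require_digit and not any(c.isdigit() for c in password):
        v.append("no digit")
    if policy.require_mixed_case and not (
        any(c.islower() for c in password) and any(c.isupper() for c in password)
    ):
        v.append("not mixed case")
    return v


def is_reused(password: str, history: list[PasswordRecord],
              policy: PasswordPolicy, now: datetime) -> bool:
    """Reuse table: restrict to the lookback window, then to the most recent N."""
    cutoff = now - timedelta(days=policy.reuse_lookback_days)
    recent = sorted((r for r in history if r.set_at >= cutoff),
                    key=lambda r: r.set_at, reverse=True)
    return any(hmac.compare_digest(_digest(password, r.salt), r.digest)
               for r in recent[: policy.prevent_reuse_last])


def validate_new_password(password: str, history: list[PasswordRecord],
                          policy: PasswordPolicy, now: datetime) -> list[str]:
    """Every reason the change would be rejected; empty means accepted."""
    problems = strength_violations(password, policy)
    if is_reused(password, history, policy, now):
        problems.append("reused a recent password")
    return problems


class LockoutTracker:
    """Account Lock table: count consecutive failures per user, lock at the threshold."""

    def __init__(self, policy: PasswordPolicy) -> None:
        self._policy = policy
        self._failures: dict[str, int] = {}

    def record_failure(self, user: str) -> bool:
        """Return True once this failure locks the account."""
        self._failures[user] = self._failures.get(user, 0) + 1
        return self.is_locked(user)

    def is_locked(self, user: str) -> bool:
        return self._failures.get(user, 0) >= self._policy.lock_after_failures

    def record_success(self, user: str) -> None:
        self._failures.pop(user, None)


if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    history = [record_password("OldPass#1234", now - timedelta(days=30))]
    print(validate_new_password("OldPass#1234", history, PasswordPolicy(), now))
```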

