Domain
The Domain section displays domain usage and allows you to manage permissions at the domain level. Please refer to the sections below for more information on each tab.
The Usage Report section allows you to generate various usage reports.
You can choose from the following report options:
General Usage Report
View this domain's users, total user sessions, last login details, access counts, registration date, and usernames
Login Report
View account activity for this domain, including client IP addresses, the applications accessed, event types, and user emails
Workgroup Report
View this domain's workgroup activities, including event data for actions performed by each user
You can select the days you want to include in the Usage report. Enter the email addresses of the users you wish to send the report to. A notification will appear, letting you know that the report will be sent to your email once it's complete.
In the Password Management section, you can configure different requirements for the passwords users generate when accessing the domain.
These settings are designed to ensure passwords are as strong as possible.
Choose a minimum password length between 8 and 10 characters.
By default, the option to require one or more special characters is selected.
By default, the option to require at least one digit is selected.
By default, the option to require both lowercase and uppercase letters is selected.
These settings control locking the account after too many unsuccessful login attempts.
Max unsuccessful tries: Choose the number of failed login attempts that will trigger an account lock.
Reset time for lock-up account: Choose the amount of time a user's account will remain locked after the specified number of incorrect password attempts before they can try logging in again.
This setting ensures that a user cannot reuse the same password too many times. Users will be required to set a new password within a set period.
Select the number of days to look back when checking for previously used passwords. For example, if you set this to 30 days, passwords used more than 30 days ago can be reused when a user is required to set a new password.
Choose the number of last-used passwords that should not be allowed as a new password.
The password policy is a text message displayed as an alert during the password selection process on the registration page.
In the Session Management section, you can configure settings for a user's session and inactivity timeout.
These settings allow you to configure the idle session timeout and JWT expiration time.
User's idle session timeout in minutes: Set the number of minutes a session can be idle before it times out. An idle session is one where the user is not actively interacting with the session. For example, if a user is working in a different tab and does nothing in their session, this would be considered an idle session. Accepted values are 5-60 minutes. To disable session timeout, set this value to -1.
JWT expiration time in minutes: This setting determines the duration before the JWT token expires. The JWT (JSON Web Token) is used for securely transmitting information between parties, often for authentication and authorization purposes. It contains claims (such as user information) and is used to verify the user's identity for access to resources. Accepted values are 120 to 10,080 minutes (2 hours to 7 days).
These settings allow you to configure the expiration and active limit for the API key.
API Key expiration time in days: Set the number of days before the API key expires. To disable API key expiration, set this value to -1.
Active API Key limit: Set the maximum number of active API keys that can be used at the same time for a user. This helps manage the number of concurrent API sessions a user can have, ensuring that resources are not overwhelmed by too many simultaneous requests.
In the User Management section, you can manage users, administrators and service accounts.
In the Users tab, you can view a list of all domain users. You can search for a specific user using the search bar at the top.
Click "Manage" next to the user to view more details below the overview table, including information about the user's state and API keys.
In the User State overview, you can view details about the user and expire the account by selecting the "Expire User" checkbox.
In the User API Keys overview, you can view details of the user's API keys, including the name, status, creation date, expiry date, and the last time the key was used. To delete an API key, click the "Delete" button. Click the three dots next to the "Delete" button to view the roles associated with the API key. Make sure to click "Save" to apply any changes.
In the Allowed Emails tab, you can specify which email addresses are allowed to join the domain. To add an email, type the emails or email suffixes, separated by commas, and click the "+" icon. Any allowed emails will appear at the bottom. To remove an email, click the red "X" next to it.
Allowed Email Suffixes: This option allows users to join the domain if their email contains a specified allowed suffix. Do not include the "@" symbol. It is not recommended to allow common email suffixes, such as gmail.com.
Allowed Emails: This option allows users to join the domain if their email exactly matches one of the allowed emails.
The Administrators tab is used to manage the domain's administrators. You can view an overview of the names and emails of users who are currently administrators of the domain. To remove an administrator, click the "Remove" button on the right.
To add or promote a user to an administrator role for the domain, click "Configure an Administrator," then enter the email address of the user and click "Check." You can then fill out the form and click "Save" to assign the user as an administrator.
In the Domain Invitation tab, you can add one or more user emails to invite them to the domain. Be sure to separate the emails with a comma. Click "Invite" to send the invitations. An overview table will display each user's username, email, and the status of whether they have accepted the invitation. You can revoke their invitation by clicking the "Revoke" button.
In the Service Accounts tab, you can view the service accounts that have access to your domain. Service accounts are special accounts used by applications or services to interact with your domain without requiring a user to log in.
Click the checkbox to block service accounts if you want to disable existing service accounts and prevent the creation of new ones.
You can click "Manage" next to a service account to view more details below the overview table, including information about the account state and API keys. In the Account State overview, you can view details about the service account, such as its activation and expiration dates. Click the checkbox to expire the service account.
In the API Keys overview, you can view details of the account's API keys, including the name, status, creation date, expiry date, and the last time the key was used. To delete an API key, click the "Delete" button. Click the three dots next to the "Delete" button to view the roles associated with the API key. Make sure to click "Save" to apply any changes.
In the Access Management section, you can set IP addresses or CIDR blocks to restrict access to the application to only the specified addresses.
Using IP range-based authentication, you can control access by IP address, allowing or blocking access to specific addresses or ranges of addresses. Examples include 192.10.10.1, 192.255.10.*, or 192.10.10.0/32. Be sure to separate multiple addresses with commas.
Select a preferred method of access management:
Create an allow-list for IP addresses/CIDR to allow access: The IP addresses/CIDR block ranges you enter will be allowed access to the domain.
Create a block-list of IP addresses/CIDR to block access: The IP addresses/CIDR ranges you enter will be blocked from accessing the domain.
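The following is an added example, not part of the product or its documentation: a local pre-check for the comma-separated value before you paste it into the allow-list or block-list field. It assumes that a `*` wildcard stands for a whole trailing octet and that entries are IPv4; it shows how much each entry covers (note that a /32 such as 192.10.10.0/32 matches exactly one address) and how the same list behaves under each mode.

```python
import ipaddress

def parse_entry(entry):
    """Parse one entry: single address, trailing wildcard (192.255.10.*), or CIDR."""
    entry = entry.strip()
    if "*" in entry:
        octets = entry.split(".")
        fixed = [o for o in octets if o != "*"]
        # Assumption: "*" is only meaningful in trailing octets, each worth 8 bits.
        if len(octets) != 4 or not fixed or octets[:len(fixed)] != fixed:
            raise ValueError(f"unsupported wildcard form: {entry!r}")
        base = ".".join(fixed + ["0"] * (4 - len(fixed)))
        return ipaddress.ip_network(f"{base}/{8 * len(fixed)}")
    # strict=True rejects host bits in a CIDR entry, e.g. 192.10.10.5/24
    return ipaddress.ip_network(entry, strict=True)

def parse_list(text):
    """Split the comma-separated field value and parse every entry."""
    return [parse_entry(e) for e in text.split(",") if e.strip()]

def is_permitted(client_ip, networks, mode):
    """mode 'allow': permit only listed addresses; 'block': permit all others."""
    if mode not in ("allow", "block"):
        raise ValueError("mode must be 'allow' or 'block'")
    matched = any(ipaddress.ip_address(client_ip) in net for net in networks)
    return matched if mode == "allow" else not matched

def coverage(networks):
    """Number of distinct addresses the list covers (overlaps merged)."""
    return sum(n.num_addresses for n in ipaddress.collapse_addresses(networks))

# Constructed sample: the three example entries from the text above.
SAMPLE = "192.10.10.1, 192.255.10.*, 192.10.10.0/32"

if __name__ == "__main__":
    nets = parse_list(SAMPLE)
    for net in nets:
        print(f"{net}  ({net.num_addresses} address(es))")
    print("total covered:", coverage(nets))
    for ip in ("192.255.10.77", "192.10.10.2"):
        print(ip, "allow-list:", is_permitted(ip, nets, "allow"),
              "block-list:", is_permitted(ip, nets, "block"))
```

Run it against your own administrators' egress addresses before switching to an allow-list, so that saving the setting does not lock you out of the domain.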
In the Authentication section, you can configure the authentication type.
Default
The default setting allows the Illumina Authentication System to manage user credentials.
SAML
To enable logging into the platform using your organization's identity provider (IDP), a SAML configuration may be provided in your account settings.
Must be configured with a tenant administrator account for your Illumina enterprise domain
Access to your IDP system to configure the Illumina Service Provider
Your IDP configurations
Metadata XML
SAML Attributes for EmailId, firstName, LastName
Navigate to the domain tab and choose the authentication menu item on the left pane. Change the Authentication Configuration to "SAML".
Upload your IDP Metadata XML file.
Register the Illumina Service Provider (SP) in your IDP system by downloading the illumina_sp.xml file.
Enter the relevant IDP/SAML attributes (Contact your organization's technical support team for these details).
Allow 15 minutes for the Illumina Service Provider to update with the provided information. To confirm SAML configuration changes, go to the domain login URL https://<domain>.login.illumina.com. This should now redirect to the configured IDP login page.
In the Collaboration Management section, you can configure the collaboration domain namespaces.
This allows you to invite users to a workgroup via Collaborative Enterprise. Enter the domain namespace and click the + button to add it.
In the Role Management section, domain admins can create and manage custom roles with unique permission settings that provide access control within a workgroup.
Users should be cautious while applying custom roles as incorrect setup might lead to restricted access and unexpected issues.
You can search by application name or role name at the top. In the overview table, you'll see a list of applications along with their associated roles. You can click on each role to view detailed information via a hyperlink.
To create a new role, click the "Create role" button. Select an application from those available for custom roles, enter a role name and a role description (optional), and select at least one permission. You can edit the role after it is saved, but the application cannot be changed when editing.
In the Multi-Factor Authentication section, you can enable Multi-Factor Authentication (MFA) for the domain by selecting the checkbox.
You can specify the number of allowed days to skip MFA setup. This means users will have a grace period (specified number of days) to complete their MFA setup before it becomes mandatory.
You can also set the maximum number of unsuccessful attempts from the dropdown menu. This controls how many failed MFA attempts are allowed before further actions, such as account lockout or additional security measures, are triggered.
Note: Usage reports can only be generated for the last 90 days. For any information older than 90 days, please contact Illumina Support.
Note: If you have your Authentication Type configured to "SAML" Single Sign-On in the Authentication tab, this section will not be visible, and your configured SAML provider's password settings will be used.
Note: If you have your Authentication Type configured to "SAML" Single Sign-On in the Authentication tab, this section will not be visible, and your configured SAML provider's MFA configuration will be used.
The user is redirected to the SAML provider for authentication (see below).