# Domain

## Overview

The **Domain** section displays domain usage and allows you to manage permissions at the domain level. Please refer to the sections below for more information on each tab.

## Usage Report

The **Usage Report** section allows you to generate various usage reports.

<figure><img src="https://3223063594-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F2YNCzdEu5yaFoMebBG1p%2Fuploads%2Fgit-blob-c56026e0914ae4b1478f79f930666069daa1eaee%2Fimage%20(4)%20(1)%20(1)%20(1).png?alt=media" alt=""><figcaption></figcaption></figure>

You can choose from the following report options:

| Report Type              | Description                                                                                                                   |
| ------------------------ | ----------------------------------------------------------------------------------------------------------------------------- |
| **General Usage Report** | View this domain's users, total user sessions, last login details, access counts, registration date, and usernames            |
| **Login Report**         | View account activity for this domain, including client IP addresses, the applications accessed, event types, and user emails |
| **Workgroup Report**     | View this domain's workgroup activities, including event data for actions performed by each user                              |

You can select the days you want to include in the Usage report. Enter the email addresses of the users you wish to send the report to. A notification will appear, letting you know that the report will be sent to your email once it's complete.

Note: Usage reports can only be generated for the last 90 days. For any information older than 90 days, please contact Illumina Support.

## Password Management

{% hint style="info" %}
Note: If you have your Authentication Type configured to "SAML" Single Sign-On in the Authentication tab, this section will not be visible, and your configured SAML provider's password settings will be used.
{% endhint %}

In the **Password Management** section, you can configure different requirements for the passwords users generate when accessing the domain.

<figure><img src="https://3223063594-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F2YNCzdEu5yaFoMebBG1p%2Fuploads%2Fgit-blob-feea1bb496a67fcd8a3f063bf1a2eba6e3df2ae2%2Fimage%20(5)%20(1)%20(1).png?alt=media" alt=""><figcaption></figcaption></figure>

#### Strength of Password

These settings are designed to ensure passwords are as strong as possible.

* Choose a minimum password length between 8 and 10 characters.
* By default, the option to require one or more special characters is selected.
* By default, the option to require at least one digit is selected.
* By default, the option to require both lowercase and uppercase letters is selected.

#### Account lock-up

These settings control locking the account after too many unsuccessful login attempts.

* **Max unsuccessful tries**: Choose the number of failed login attempts that will trigger an account lock.
* **Reset time for lock-up account**: Choose the amount of time a user's account will remain locked after the specified number of incorrect password attempts before they can try logging in again.

#### Password re-use check

This setting ensures that a user cannot reuse the same password too many times. Users will be required to set a new password within a set period.

* Select the number of days to look back when checking for previously used passwords. For example, if you set this to 30 days, passwords used more than 30 days ago can be reused when a user is required to set a new password.
* Choose the number of last-used passwords that should not be allowed as a new password.
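The following is an added example, not Illumina code, showing how the strength settings and the two re-use settings above would be applied to a candidate password. The setting names and the way the two re-use settings combine (a candidate is rejected if it matches one of the last N passwords that were set within the look-back window) are assumptions; the console only exposes the values.

```python
"""Added example (not Illumina's implementation) of the domain password settings.
Policy field names and the combination of the two re-use settings are assumptions."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class PasswordPolicy:
    min_length: int = 8              # console accepts 8 to 10
    require_special: bool = True     # default on
    require_digit: bool = True       # default on
    require_mixed_case: bool = True  # default on
    lookback_days: int = 30          # days to look back for previously used passwords
    last_n_blocked: int = 5          # number of last-used passwords that may not be reused


def strength_errors(pw: str, policy: PasswordPolicy) -> list:
    """Return the strength requirements the candidate violates (empty list = passes)."""
    errors = []
    if len(pw) < policy.min_length:
        errors.append(f"shorter than {policy.min_length} characters")
    if policy.require_special and not re.search(r"[^A-Za-z0-9]", pw):
        errors.append("no special character")
    if policy.require_digit and not re.search(r"\d", pw):
        errors.append("no digit")
    if policy.require_mixed_case and not (re.search(r"[a-z]", pw) and re.search(r"[A-Z]", pw)):
        errors.append("needs both lowercase and uppercase letters")
    return errors


def is_reused(pw: str, history: list, policy: PasswordPolicy, now: str) -> bool:
    """history is a list of (password, ISO date when it was set) pairs. Plaintext is used
    only to keep the example readable; a real store compares hashes. Entries older than
    the look-back window are eligible for re-use, matching the page's 30-day example."""
    cutoff = datetime.fromisoformat(now) - timedelta(days=policy.lookback_days)
    recent = [(p, datetime.fromisoformat(d)) for p, d in history
              if datetime.fromisoformat(d) >= cutoff]
    recent.sort(key=lambda e: e[1], reverse=True)
    return any(p == pw for p, _ in recent[: policy.last_n_blocked])


def check_new_password(pw: str, history: list, now: str,
                       policy: PasswordPolicy = PasswordPolicy()) -> list:
    """Combine both checks and return every reason the candidate is rejected."""
    errors = strength_errors(pw, policy)
    if is_reused(pw, history, policy, now):
        errors.append(f"matches one of the last {policy.last_n_blocked} passwords "
                      f"used within {policy.lookback_days} days")
    return errors


if __name__ == "__main__":
    # Constructed sample history: one password older than the window, one inside it.
    sample_history = [("Old!Pass1", "2024-11-01"), ("Recent!Pass2", "2025-01-20")]
    for candidate in ("Fresh!Pass3", "Recent!Pass2", "Old!Pass1", "short"):
        print(candidate, "->", check_new_password(candidate, sample_history, "2025-01-31") or "ok")
```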

#### Password policy

The password policy is a text message displayed as an alert during the password selection process on the registration page.

## Session Management

In the **Session Management** section, you can configure settings for a user's session and inactivity timeout.

<figure><img src="https://3223063594-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F2YNCzdEu5yaFoMebBG1p%2Fuploads%2Fgit-blob-bd156eaa443cffb695e9897b69637feb18857096%2Fimage%20(6)%20(1)%20(1).png?alt=media" alt=""><figcaption></figcaption></figure>

#### Idle session and JWT

These settings allow you to configure the idle session timeout and JWT expiration time.

* **User's idle session timeout in minutes**: Set the number of minutes a session can be idle before it times out. An idle session is one where the user is not actively interacting with the session. For example, if a user is working in a different tab and does nothing in their session, this would be considered an idle session. Accepted values are 5-60 minutes. To disable session timeout, set this value to -1.
* **JWT expiration time in minutes**: This setting determines how long a JWT remains valid before it expires. The JWT (JSON Web Token) is used for securely transmitting information between parties, often for authentication and authorization purposes. It contains claims (such as user information) and is used to verify the user's identity for access to resources. Accepted values are 120 to 10,080 minutes (2 hours to 7 days).

#### User API Key

These settings allow you to configure the expiration and active limit for the API key.

* **API Key expiration time in days**: Set the number of days before the API key expires. To disable API key expiration, set this value to -1.
* **Active API Key limit**: Set the maximum number of active API keys that can be used at the same time for a user. This helps manage the number of concurrent API sessions a user can have, ensuring that resources are not overwhelmed by too many simultaneous requests.

## User Management

In the **User Management** section, you can manage users, administrators and service accounts.

### Users

In the **Users** tab, you can view a list of all domain users. You can search for a specific user using the search bar at the top.

<figure><img src="https://3223063594-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F2YNCzdEu5yaFoMebBG1p%2Fuploads%2Fgit-blob-f27c15adbd48584893a8d34af2f4cd1ad3a3d1f6%2Fimage%20(4)%20(1)%20(1).png?alt=media" alt=""><figcaption></figcaption></figure>

Click "Manage" next to the user to view more details below the overview table, including information about the user's state and API keys.

In the **User State** overview, you can view details about the user and expire the account by selecting the "Expire User" checkbox.

<figure><img src="https://3223063594-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F2YNCzdEu5yaFoMebBG1p%2Fuploads%2Fgit-blob-cc6af3f98458e59ad48e26ec37eca2b53f5ff79e%2Fimage%20(5)%20(1).png?alt=media" alt=""><figcaption></figcaption></figure>

In the **User API Keys** overview, you can view details of the user's API keys, including the name, status, creation date, expiry date, and the last time the key was used. To delete an API key, click the "Delete" button. Click the three dots next to the "Delete" button to view the roles associated with the API key. Make sure to click "Save" to apply any changes.

<figure><img src="https://3223063594-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F2YNCzdEu5yaFoMebBG1p%2Fuploads%2Fgit-blob-414460520794f9b2cf0228decca3b7e7f42aa843%2Fimage%20(6)%20(1).png?alt=media" alt=""><figcaption></figcaption></figure>

### Allowed Emails

In the **Allowed Emails** tab, you can specify which email addresses are allowed to join the domain. To add an email, type the emails or email suffixes, separated by commas, and click the "+" icon. Any allowed emails will appear at the bottom. To remove an email, click the red "X" next to it.

<figure><img src="https://3223063594-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F2YNCzdEu5yaFoMebBG1p%2Fuploads%2Fgit-blob-b4091b0b394fe043e2704c83b2068b42e8aaf1de%2Fimage%20(34).png?alt=media" alt=""><figcaption></figcaption></figure>

**Allowed Email Suffixes**: This option allows users to join the domain if their email contains a specified allowed suffix. Do not include the "@" symbol. It is not recommended to allow common email suffixes, such as gmail.com.

**Allowed Emails**: This option allows users to join the domain if their email exactly matches one of the allowed emails.

### Administrators

The **Administrators** tab is used to manage the domain's administrators and owners. You can view an overview of the names and emails of users who are currently administrators of the domain.

<figure><img src="https://3223063594-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F2YNCzdEu5yaFoMebBG1p%2Fuploads%2Fgit-blob-8079c5d30db89c5aa11c53c6e77f8b8cf4940bd2%2FDomainOwnersAdmins.png?alt=media" alt=""><figcaption></figcaption></figure>

To remove an administrator, click the "remove" link on the right.

To add a domain owner, click the "Change Settings" link next to "Domain Owner". The domain owner is the primary administrator and main point of contact for users within the domain. They receive monthly emails about iCredit balances and are automatically assigned to any new orders placed for the domain. Assigning a domain owner will automatically make them a domain administrator and user. Once the domain owner field is filled, the domain owner cannot be removed, only replaced. You can update the domain owner at any time by entering a different email address. Note that the previous domain owner will remain a domain administrator.

To add or promote a user to an administrator role for the domain, click "Configure an Administrator," then enter the email address of the user and click "Check." You can then fill out the form and click "Save" to assign the user as an administrator.

<figure><img src="https://3223063594-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F2YNCzdEu5yaFoMebBG1p%2Fuploads%2Fgit-blob-55f460071e642576a2a91dda1c6f9c4af1ad035f%2Fimage%20(30)%20(1).png?alt=media" alt=""><figcaption></figcaption></figure>

### Domain Invitation

In the **Domain Invitation** tab, you can add one or more user emails to invite them to the domain. Be sure to separate the emails with a comma. Click "Invite" to send the invitations. An overview table will display each user's username, email, and the status of whether they have accepted the invitation. You can revoke their invitation by clicking the "Revoke" button.

<figure><img src="https://3223063594-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F2YNCzdEu5yaFoMebBG1p%2Fuploads%2Fgit-blob-cc1049a69ee388b9a24aa975346c944f2860166b%2Fimage%20(7)%20(1).png?alt=media" alt=""><figcaption></figcaption></figure>

### Service Accounts

In the **Service Accounts** tab, you can view the service accounts that have access to your domain. Service accounts are special accounts used by applications or services to interact with your domain without requiring a user to log in.

Click the checkbox to block service accounts if you want to disable existing service accounts and prevent the creation of new ones.

<figure><img src="https://3223063594-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F2YNCzdEu5yaFoMebBG1p%2Fuploads%2Fgit-blob-716cde4e8ce343553e35e6223f9d4754d4f0f79b%2Fimage%20(1)%20(1).png?alt=media" alt=""><figcaption></figcaption></figure>

You can click "Manage" next to a service account to view more details below the overview table, including information about the account state and API keys. In the **Account State** overview, you can view details about the service account, such as its activation and expiration dates. Click the checkbox to expire the service account.

<figure><img src="https://3223063594-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F2YNCzdEu5yaFoMebBG1p%2Fuploads%2Fgit-blob-225b27ef152254b0b36c3c9c11f4fb89cc7011fd%2Fimage%20(2)%20(1).png?alt=media" alt=""><figcaption></figcaption></figure>

In the **API Keys** overview, you can view details of the account's API keys, including the name, status, creation date, expiry date, and the last time the key was used. To delete an API key, click the "Delete" button. Click the three dots next to the "Delete" button to view the roles associated with the API key. Make sure to click "Save" to apply any changes.

<figure><img src="https://3223063594-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F2YNCzdEu5yaFoMebBG1p%2Fuploads%2Fgit-blob-55430eb2389d031861e273b1fde452a4a7abe7fb%2Fimage%20(3)%20(1).png?alt=media" alt=""><figcaption></figcaption></figure>

## Access Management

In the **Access Management** section, you can set IP addresses or CIDR blocks to restrict access to the application to only the specified addresses.

<figure><img src="https://3223063594-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F2YNCzdEu5yaFoMebBG1p%2Fuploads%2Fgit-blob-6fd764fd4f9c753267a6aa17987c364882eaa7a6%2Fimage%20(7)%20(1)%20(1).png?alt=media" alt=""><figcaption></figcaption></figure>

Using IP range-based access control, you can allow or block access for specific addresses or ranges of addresses. Examples include 192.10.10.1, 192.255.10.\*, or 192.10.10.0/32 (a /32 block covers a single address). Be sure to separate multiple addresses with commas.

Select a preferred method of access management:

* **Create an allow-list for IP addresses/CIDR to allow access**: The IP addresses/CIDR block ranges you enter will be allowed access to the domain.
* **Create a block-list of IP addresses/CIDR to block access**: The IP addresses/CIDR ranges you enter will be blocked from accessing the domain.
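The following added example (not Illumina's implementation) evaluates a client address against a list written in the three formats the page shows: a single address (192.10.10.1), a trailing wildcard (192.255.10.\*) and a CIDR block (192.10.10.0/32), in either allow-list or block-list mode. How the product itself expands a wildcard entry is an assumption here; each `*` is treated as a full octet.

```python
"""Added example, not Illumina code: parse an Access Management list and decide
whether a client IP is admitted. Wildcard handling is an assumption."""
import ipaddress


def parse_entries(text: str) -> list:
    """Parse a comma-separated list into ip_network objects.
    - 192.10.10.1      -> 192.10.10.1/32 (single host)
    - 192.255.10.*     -> 192.255.10.0/24 (wildcard octets become the host part)
    - 192.10.10.0/32   -> as written (note: /32 is one address, not a range)
    Invalid entries raise ValueError so a typo never silently widens or narrows the list."""
    networks = []
    for raw in text.split(","):
        entry = raw.strip()
        if not entry:
            continue
        if "*" in entry:
            octets = entry.split(".")
            if len(octets) != 4 or "*" not in octets:
                raise ValueError(f"bad wildcard entry: {entry}")
            first_star = octets.index("*")
            # Only trailing wildcards are meaningful: 10.1.*.* is fine, 10.*.1.* is not.
            if any(o != "*" for o in octets[first_star:]):
                raise ValueError(f"bad wildcard entry: {entry}")
            fixed = octets[:first_star]
            if any(not o.isdigit() or int(o) > 255 for o in fixed):
                raise ValueError(f"bad wildcard entry: {entry}")
            base = ".".join(fixed + ["0"] * (4 - first_star))
            networks.append(ipaddress.ip_network(f"{base}/{8 * first_star}"))
        else:
            # strict=False accepts host bits set in a CIDR (e.g. 192.10.10.1/24).
            networks.append(ipaddress.ip_network(entry, strict=False))
    return networks


def is_allowed(client_ip: str, entries: str, mode: str) -> bool:
    """mode 'allow': only listed addresses are admitted (allow-list).
    mode 'block': listed addresses are refused, everything else admitted (block-list)."""
    ip = ipaddress.ip_address(client_ip)
    matched = any(ip in net for net in parse_entries(entries))
    if mode == "allow":
        return matched
    if mode == "block":
        return not matched
    raise ValueError(f"unknown mode: {mode}")


if __name__ == "__main__":
    # Constructed sample list using the page's own example entries.
    sample = "192.10.10.1, 192.255.10.*, 192.10.10.0/32"
    for ip in ("192.10.10.1", "192.255.10.77", "192.10.10.5"):
        print(ip, "allow-list:", is_allowed(ip, sample, "allow"),
              "block-list:", is_allowed(ip, sample, "block"))
```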

## Authentication

In the **Authentication** section, you can configure the authentication type.

<figure><img src="https://3223063594-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F2YNCzdEu5yaFoMebBG1p%2Fuploads%2Fgit-blob-55a49ec547d19bdbe6a2ee11bea1e350e5c1d2c9%2Fimage%20(8)%20(1)%20(1).png?alt=media" alt=""><figcaption></figcaption></figure>

| Authentication Type | Description                                                                                                                           |
| ------------------- | ------------------------------------------------------------------------------------------------------------------------------------- |
| **Default**         | The default setting allows the Illumina Authentication System to manage user credentials.                                             |
| **SAML**            | Users are redirected to your Identity Provider (IdP) to authenticate via SAML 2.0. (see [Single Sign-on](#single-sign-on-sso) below). |

### Single Sign-on (SSO)

To enable logging into the platform using your organization's identity provider (IdP), a SAML configuration may be provided in the Authentication Configuration for the Illumina domain.

To configure SSO, follow these steps:

1. Verify your organization's DNS domain in Illumina Connected Software (ICS).
2. Create a SAML 2.0 application in your IdP.
3. Configure ICS with your IdP metadata and attribute mappings.
4. Switch your domain authentication to SAML and test.

#### Prerequisites

* A domain administrator account for your Illumina domain
* Access to your IdP to configure the SP application
* Your IdP configurations
  1. Metadata XML
  2. SAML Attributes for EmailId, firstName, LastName

#### Configure DNS Domain

**Step 1: Create DNS Domain record**

1. Go to the [Admin Console](https://platform.login.illumina.com/iam) for your Illumina domain, and navigate to the **Domain** tab
2. Navigate to the **DNS Domain Management** menu.\
   ![](https://3223063594-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F2YNCzdEu5yaFoMebBG1p%2Fuploads%2Fgit-blob-a56724f0327a40c33a6a844960c19c39af5f8e78%2FScreenshot%202025-09-05%20at%202.51.08%E2%80%AFPM.png?alt=media)
3. Enter your domain (e.g. company.com) and click **Add**
4. Copy the TXT record value for the new entry

**Step 2: Verify DNS Domain**

To confirm domain ownership, add a TXT record to your Domain Name System (DNS) host using the TXT Record Value. DNS propagation can take up to 72 hours. Illumina Connected Software automatically checks for the record during this time.

{% tabs %}
{% tab title="AWS Route 53" %}

1. To add your TXT record to AWS, see [Creating records by using the Amazon Route 53 console](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resource-record-sets-creating.html).
2. Wait up to 72 hours for TXT record verification.
3. After the record is live, go to **DNS Domain management** in the Admin Console and select **Verify**.
{% endtab %}

{% tab title="Google Cloud DNS" %}

1. To add your TXT record to Google Cloud DNS, see [Verifying your domain with a TXT record](https://cloud.google.com/identity/docs/verify-domain-txt).
2. Wait up to 72 hours for TXT record verification.
3. After the record is live, go to **DNS Domain management** in the Admin Console and select **Verify**.
{% endtab %}

{% tab title="GoDaddy" %}

1. To add your TXT record to GoDaddy, see [Add a TXT record](https://www.godaddy.com/help/add-a-txt-record-19232).
2. Wait up to 72 hours for TXT record verification.
3. After the record is live, go to **DNS Domain management** in the Admin Console and select **Verify**.
{% endtab %}

{% tab title="Other providers" %}

1. Sign in to your domain host.
2. Add a TXT record to your DNS settings and save the record.
3. Wait up to 72 hours for TXT record verification.
4. After the record is live, go to **DNS Domain management** in the Admin Console and select **Verify**.
{% endtab %}
{% endtabs %}

#### Connect SSO

**Step 1: Create SSO connection in IdP**

The Illumina Connected Software service provider (SP) application uses the following configuration:

* **Entity ID**: `https://login.illumina.com/saml-service/saml/metadata`
* **ACS (Assertion Consumer Service) URL**: `https://login.illumina.com/saml-service/saml/SSO`
* **Binding**: HTTP-POST
* **NameID Format**: `urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress`

{% tabs %}
{% tab title="Okta" %}

1. Sign in to your Okta account and open the Admin portal.
2. Select **Administration** and then **Create App Integration**.
3. Select **SAML 2.0**, then **Next**.
4. Name your app "Illumina Connected Software".
5. Optional. Upload a logo.
6. Paste the service provider configuration values from above:
   * ACS URL -> **Single Sign On URL**
   * Entity ID -> **Audience URI (SP Entity ID)**
7. Configure the following settings:
   * Name ID format: `EmailAddress`
   * Application username: `Email`
   * Update application username on: `Create and update`
8. Under **Attribute Statements** enter the following Name->Value attributes for the email address, first name, and last name. Make sure the **Name format** is set to “URI Reference.”
   1. email -> user.email
   2. first -> user.firstName
   3. last -> user.lastName
9. Select **Next**.
10. Select the **This is an internal app that we have created** checkbox.
11. Select **Finish**.
{% endtab %}

{% tab title="Microsoft Entra ID" %}

1. Sign in to Microsoft Entra (formerly Azure AD).
2. Select **Default Directory** > **Add** > **Enterprise Application**.
3. Choose **Create your own application**, name it "Illumina Connected Software", and choose **Non-gallery**.
4. After creating your app, go to **Single Sign-On** and select **SAML**.
5. Select **Edit** on the **Basic SAML configuration** section.
6. Edit **Basic SAML configuration** and paste values from above:
   * Entity ID -> **Identifier**
   * ACS URL -> **Reply URL**
7. Save the configuration.
8. From the **SAML Signing Certificate** section, download the **Federation Metadata XML**.
{% endtab %}
{% endtabs %}

**Step 2: Connect Illumina Connected Software to your IdP**

Complete the integration by pasting your IdP values into Illumina Connected Software.

1. Go to the [Admin Console](https://platform.login.illumina.com/iam) for your Illumina domain, and navigate to the **Domain** tab.
2. Navigate to the **Authentication** menu and enable the **SAML** Authentication Type.

{% tabs %}
{% tab title="Okta" %}

1. In Okta, select your app and go to **View SAML setup instructions**.
2. Copy the Identity Provider **Single Sign-in URL**.
3. Copy and paste into a text editor the **IDP Metadata**. Save the file.
4. Return to the Illumina Connected Software Admin Console.
5. Paste the **Sign-in URL** in the IdP URL field.
6. Upload the IDP Metadata file from Step 3 to the "Select SAML Configuration File" file uploader.
7. Add the SAML Attribute Mappings:
   * EmailId -> email
   * Last name -> last
   * First name -> first
8. Review and select **Save**.
{% endtab %}

{% tab title="Microsoft Entra ID" %}

1. In Entra ID, copy the **Login URL** from the Configuration URLs.
2. Return to the Illumina Connected Software Admin Console.
3. Paste the **Login URL** in the IdP URL field.
4. Upload the **Federation Metadata XML** file to the "Select SAML Configuration File" file uploader.
5. Add the SAML Attribute mappings:
   * EmailId -> <http://schemas.xmlsoap.org/ws/2005/05/identity/claims/userPrincipalName>
   * Last name -> <http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname>
   * First name -> <http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenName>
6. Review and select **Save**.
{% endtab %}
{% endtabs %}

Allow 15 minutes for the Illumina Service Provider to update with the provided information. To confirm SAML configuration changes, attempt to log in using a qualified e-mail (e.g. @company.com).
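To see what the SP-side values and attribute mappings from the two tabs above amount to in an actual assertion, here is an added example (not Illumina's SP code) that parses a constructed, unsigned SAML assertion, checks that Audience, Recipient and NameID format match the SP values listed under "Create SSO connection in IdP", and applies the Okta or Entra ID mapping to produce the EmailId, first name and last name fields. Signature verification, which the real SP must perform before trusting any of these values, is out of scope here; the sample assertion and its user values are constructed.

```python
"""Added example, not Illumina code: apply the page's SAML attribute mappings to an
assertion and check the SP-facing fields. Unsigned sample only; no signature check."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SP_ENTITY_ID = "https://login.illumina.com/saml-service/saml/metadata"
SP_ACS_URL = "https://login.illumina.com/saml-service/saml/SSO"
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Mappings exactly as the page lists them (ICS field -> attribute name sent by the IdP).
OKTA_MAPPING = {"EmailId": "email", "First name": "first", "Last name": "last"}
ENTRA_MAPPING = {
    "EmailId": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/userPrincipalName",
    "First name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenName",
    "Last name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
}


def map_assertion(xml_text: str, mapping: dict) -> dict:
    """Check Audience, Recipient and NameID format against the SP values, then return the
    ICS identity fields. Raises ValueError on any mismatch or missing attribute."""
    root = ET.fromstring(xml_text)
    tag = f"{{{NS['saml']}}}Assertion"
    assertion = root if root.tag == tag else root.find(".//saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion element")
    audience = assertion.findtext(
        ".//saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != SP_ENTITY_ID:
        raise ValueError(f"audience mismatch: {audience}")
    scd = assertion.find(".//saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != SP_ACS_URL:
        raise ValueError("Recipient is not the SP ACS URL")
    name_id = assertion.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != NAMEID_EMAIL:
        raise ValueError("NameID format must be emailAddress")
    attrs = {}
    for attr in assertion.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values[0] if values else None
    identity = {"NameID": name_id.text}
    for ics_field, idp_name in mapping.items():
        if not attrs.get(idp_name):
            raise ValueError(f"missing attribute for {ics_field}: {idp_name}")
        identity[ics_field] = attrs[idp_name]
    return identity


def accepts(xml_text: str, mapping: dict) -> bool:
    """True if the assertion passes all checks under the given mapping."""
    try:
        map_assertion(xml_text, mapping)
        return True
    except ValueError:
        return False


# Constructed sample shaped like the output of the Okta app configured above
# (attribute Name format "URI Reference"); unsigned, sample user values only.
URI_FMT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
SAMPLE_OKTA_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_1" Version="2.0">
  <saml:Issuer>http://www.okta.com/example-idp</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="{NAMEID_EMAIL}">jane@company.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="{SP_ACS_URL}"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>{SP_ENTITY_ID}</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="email" NameFormat="{URI_FMT}"><saml:AttributeValue>jane@company.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="first" NameFormat="{URI_FMT}"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="last" NameFormat="{URI_FMT}"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
```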

## Collaboration Management

In the **Collaboration Management** section, you can configure the collaboration domain namespaces.

<figure><img src="https://3223063594-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F2YNCzdEu5yaFoMebBG1p%2Fuploads%2Fgit-blob-30145fa7f455238754a840bb4b795bee0b7685ff%2Fimage%20(9)%20(1).png?alt=media" alt=""><figcaption></figcaption></figure>

This allows you to invite users to a workgroup via Collaborative Enterprise. Enter the domain namespace and click the + button to add it.

## Role Management

In the **Role Management** section, domain admins can create and manage custom roles with unique permission settings that provide access control within a workgroup.

{% hint style="warning" %}
Users should be cautious while applying custom roles as incorrect setup might lead to restricted access and unexpected issues.
{% endhint %}

<figure><img src="https://3223063594-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F2YNCzdEu5yaFoMebBG1p%2Fuploads%2Fgit-blob-dcad88a83be19dab7777efaf5edd8c6052f23cb4%2Fimage%20(4)%20(1).png?alt=media" alt=""><figcaption></figcaption></figure>

You can search by application name or role name at the top. In the overview table, you'll see a list of applications along with their associated roles. You can click on each role to view detailed information via a hyperlink.

<figure><img src="https://3223063594-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F2YNCzdEu5yaFoMebBG1p%2Fuploads%2Fgit-blob-9611ef30377f74b4042ae12c2319b54b58ee589f%2Fimage%20(1)%20(1)%20(1).png?alt=media" alt=""><figcaption></figcaption></figure>

To create a new role, click the "Create role" button. Select an application from those available for custom roles, enter a role name and an optional role description, and select at least one permission. You can edit the role after it is saved, but the selected application cannot be changed.

<figure><img src="https://3223063594-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F2YNCzdEu5yaFoMebBG1p%2Fuploads%2Fgit-blob-6eb2bf596f135155461486e0157359f6dd58904c%2Fimage%20(2)%20(1)%20(1).png?alt=media" alt=""><figcaption></figcaption></figure>

## Multi-Factor Authentication

{% hint style="info" %}
Note: If you have your Authentication Type configured to "SAML" Single Sign-On in the Authentication tab, this section will not be visible, and your configured SAML provider's MFA configuration will be used.
{% endhint %}

In the **Multi-Factor Authentication** section, you can enable Multi-Factor Authentication (MFA) for the domain by selecting the checkbox.

<figure><img src="https://3223063594-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F2YNCzdEu5yaFoMebBG1p%2Fuploads%2Fgit-blob-76111b310ca7f734e3202ce3c08cbc0136f4a75f%2Fimage%20(3)%20(1)%20(1).png?alt=media" alt=""><figcaption></figcaption></figure>

#### Allowed Days to skip MFA setup

You can specify the number of allowed days to skip MFA setup. This means users will have a grace period (specified number of days) to complete their MFA setup before it becomes mandatory.

#### Max unsuccessful tries

You can also set the maximum number of unsuccessful attempts from the dropdown menu. This controls how many failed MFA attempts are allowed before further actions, such as account lockout or additional security measures, are triggered.
