Trimble Identity Federation FAQ

Are there costs associated with Trimble ID Federation?

Trimble Identity Federation is a free add-on service to Trimble ID. Customers who use Trimble ID can request a federation.

What is the process of configuring a federation?

The process of configuring a federation is determined by your identity provider and the protocol (either SAML or OIDC) your organization uses.

A Guided Federation is configured for all combinations of supported identity providers and protocols (except for Microsoft Entra ID with OIDC, which is Multi-Tenant). There are two Guided Federation processes; the one you follow is determined by your organization's protocol.

SAML Guided Federation:

Figure 1. Trimble ID SAML federation process

OIDC Guided Federation:

Figure 2. Trimble ID OIDC federation process

What is the time frame for this process?

The time frame for setting up a federation varies from case to case and depends on several factors, such as:
  • The readiness of your organization
  • The responsiveness of your team's delivery of information (metadata and other information required for proper setup) to the Trimble Federation team
  • The current workload of the Trimble Federation team

What federated identity providers (IdP) are currently supported?

Trimble ID supports the OpenID Connect (OIDC) and SAML protocols. These are standard protocols supported by most IdPs, such as Microsoft Entra ID, Microsoft AD FS, Google, and Okta.

The main difference between these protocols is that SAML is XML-based, whereas OIDC uses JSON.

In addition, SAML requires pre-configuration of the entities on both sides, which allows for a robust configuration, whereas OIDC works only with compatible identity providers.

Note: Other IdPs that support OAuth 2.0 may also be configurable. However, this often requires additional IdP configuration by your team. Selecting this option usually increases the turnaround time for a Trimble ID federation setup.

What resources are available with respect to Trimble ID Federations?

Go first to the Trimble Help Center (help.trimble.com) to find information about Trimble ID federations.

Once you've engaged with the Trimble ID Federations team, use the email address they provide for ongoing communication.

Can users that are set up with federation change their MFA settings?

This is determined by the IdP setup.

Where should users go for support if they have trouble logging in via a federated identity provider?

Direct your questions on login issues to your organization's IdP administrator.

What is the Reply URL/redirect URI to use for configuring the external federated system for OIDC federation?

Trimble does not have a common redirect endpoint.

Once the Trimble ID Federation team completes your organization's federation configuration, our Support team provides a unique redirect endpoint. This endpoint will need to be configured on your end.

How can the application identify if the user has logged in with their native Trimble ID account or as a Federated user?

Both the Trimble Identity access token and the ID token contain an AMR (Authentication Methods References) claim, which indicates whether the user signed in with a federated source.

Additionally, the ID token contains a 'federation_origin' claim whose presence means a federated source was used. Client applications can check these claims in the token to determine the source of the login.
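Added example (not Trimble's code): a client-side check, in Python using only the standard library, that reads the 'amr' and 'federation_origin' claims from the ID token payload and classifies the login as federated or native. The compact JWS token layout, the two sample tokens and their claim values ("fed", "pwd", "example-idp") are constructed assumptions for the demo; a real client must verify the token signature against the issuer's published keys before trusting any claim.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWS (header.payload.signature).

    The signature is NOT verified here; validate it before trusting claims.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a three-part compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def login_source(token: str) -> dict:
    """Classify an (already verified) ID token as federated or native.

    Presence of 'federation_origin' means a federated IdP was used; 'amr'
    is returned alongside so the caller can inspect the method references.
    """
    claims = jwt_claims(token)
    origin = claims.get("federation_origin")
    return {
        "federated": origin is not None,
        "federation_origin": origin,
        "amr": claims.get("amr", []),
    }


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned token for demonstration only."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}."


# Constructed sample tokens; subject, amr and origin values are placeholders.
FEDERATED_TOKEN = make_unsigned_token(
    {"sub": "user-1", "amr": ["fed"], "federation_origin": "example-idp"}
)
NATIVE_TOKEN = make_unsigned_token({"sub": "user-2", "amr": ["pwd"]})

if __name__ == "__main__":
    print(login_source(FEDERATED_TOKEN), login_source(NATIVE_TOKEN))
```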

Is there a way to remove all accounts provisioned by a federation? Do we have to delete the linked accounts?

If you want to remove the federation from your account, choose which approach you want Trimble to take:
  • Delete all accounts in the federated domain
  • Convert all accounts to native Trimble accounts. In this case, each user will need to set up a password via the normal Identity login flow.

When using SAML I get this message: "Error! Error occurred in SAML Identity call due to: Request signing certificate not found."

The Trimble ID SAML implementation currently requires the metadata provided to include a signing certificate.

Your service provider should have a configuration setting called "Enable signed request." Enable this configuration setting.

Then download the Service Provider (SP) metadata again. The new metadata will include the required certificate, and you can retry the federation setup.

Why can't a company administrator choose the data residency settings for all Trimble Identity users within the company? We don’t want individual users to be able to choose this for themselves.

A user's data residency settings are determined by whoever controls the user's data, which is based on whether the user is federated or not.
  • If not federated, the user controls the data. This user could belong to multiple accounts/companies, which may require or have conflicting needs for data settings, so the user has the ability to set their region as needed.
  • If the user is federated, the Identity Provider (IdP) of the user controls the data. With federation, the company decides which region they want their users to be associated with.
    Note: A company's federation can be associated with only one region.