User Auto-Provisioning question

Has anyone tried using the user auto-update and auto-provisioning features in the SSO integration?  There's not a lot of documentation
on how this feature is supposed to be configured or how it works.

thanks

Machine Data Systems, Opentext business and technology alliance partner

Follow Us on LinkedIN for the latest news, live webinars and more


  • 0  

    Some customers have already enabled this function. You can read the online guide: Configure identity provider.

    Please note that both the IdP side and the ALM side need to configure the user attribute mappings so that the user attributes on the IdP can be synced to the ALM side via user auto-provisioning.

  • 0 in reply to   

    Thanks Bin, I have reviewed the documentation on how to configure the IdP.

    I could not find an explanation of how this feature works once the IdP is configured. What triggers the process of user creation in ALM? Is ALM site administration polling the IdP for updates or new records, or is there some other mechanism?

    thanks


  • Verified Answer

    +1   in reply to 

    The described scenarios are part of the user auto-provisioning functionality within ALM (Application Lifecycle Management) when integrated with an Identity Provider (IdP) via SAML or OIDC authentication. This feature allows for the automatic creation or update of ALM user accounts based on the user attributes provided by the IdP.

    Here’s a breakdown of how the process works based on the scenarios you provided:

    1. Auto-Provisioning Configuration

    The configuration of user auto-provisioning in ALM typically involves mapping IdP attributes to ALM user attributes. The relevant settings you mentioned, such as:

    • User Info Auto Update
    • User Auto Generation

    These configurations ensure that when a user logs in via an IdP, their information is either updated or a new user is created based on the attributes from the IdP.

    2. User Login Flow (With idpid query parameter)

    When a user accesses ALM using a URL like xxxxx/qcbin/?idpid=alm, the following steps occur:

    • The query parameter idpid=alm tells ALM to perform authentication with the specific IdP associated with alm.

    • Redirect to IdP: The browser is redirected to the IdP authentication page, where the user authenticates (typically with their username and password or multi-factor authentication, depending on IdP settings).

    • IdP Authentication and Token Issuance: Upon successful authentication, the IdP sends a SAML assertion or OIDC token back to ALM, which includes user attributes (e.g., IdentityKey).

    • User Identity Validation in ALM: ALM checks the IdentityKey received in the SAML assertion or OIDC token against the IdentityKey stored in ALM. This is the key attribute that ties the IdP user to the ALM user.

    3. Scenario Breakdown

    Case 1: User Found in ALM (Update User Attributes)

    • If ALM finds a user with the same IdentityKey (from the IdP) already existing in its system, it compares the IdP attributes with the ALM user attributes.

    • Update User Attributes: If there are any differences between the attributes from the IdP and the ALM user record, ALM updates the user's details (e.g., name, email, group membership) in ALM according to the IdP attributes.

    Case 2: User Not Found in ALM (Create New User)

    • If ALM does not find any user with the matching IdentityKey, it creates a new user.

    • New User Creation: ALM will create the user, setting the username and other attributes based on the information provided by the IdP (e.g., username, email, groups).

    • Mapping the IdentityKey: The IdentityKey from the IdP is saved as part of the new user’s profile in ALM, so subsequent logins will link the user to this account.

    4. Important Considerations

    • IdentityKey Attribute Mapping: This is the central point for user identification. Ensure that the IdentityKey (which is typically a unique identifier such as a username, email, or GUID) from the IdP is correctly mapped to ALM’s IdentityKey user attribute.

    • Attribute Synchronization: Since the User Info Auto Update setting is enabled, ALM will continuously compare and update attributes such as name, email, or group membership based on the IdP’s SAML or OIDC response.

    • User Creation: With User Auto Generation enabled, users who do not exist in ALM are automatically created based on the information in the IdP response. This is crucial to ensure a seamless user provisioning process.

    • Manual Review: In some cases, you might want to configure manual review steps for the automatic user creation or updates to ensure compliance with organizational policies (this might be configured separately, depending on your IdP or ALM version).

    For detailed configuration steps, it’s crucial to refer to the ALM user manual or online guide for configuring user auto-provisioning, IdP SSO, and attribute mapping for your specific IdP (SAML, OIDC) and ALM version.

  • 0 in reply to   

    Thanks Bin, that's exactly the information I was looking for. I've looked throughout the online help but don't recall seeing this information.

    In the case that a new user has been added to the IdP, and then the user attempts to log in for the first time, ALM will look up their record in the IdP and create the user in Site Admin, allowing them to log into ALM.

    The user will successfully log into ALM, however, they still won't have access to any projects in ALM, so they will still need to wait for an ALM admin to receive the new user notification, then to notify the project lead to add the user to a project.

    Is my understanding correct?

    Milan


  • 0   in reply to 

    Yes, the new ALM user created from user auto-provisioning has no permission to connect to any project until an admin assigns a project group to him/her. This is because ALM can't get any project information from the IdP to assign the user to the corresponding projects.
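To make the login flow in the verified answer and the project-access point in the last reply concrete, here is an added toy model of the auto-provisioning decision logic. It is illustrative code written for this thread, not ALM's or OpenText's own implementation, and every name in it (the attribute map, the `User` fields, the `provision` function, the sample assertion) is a constructed assumption. It models the two settings named in the thread (User Info Auto Update, User Auto Generation), the IdentityKey lookup that decides between "update existing user" and "create new user", the case where the assertion carries no IdentityKey at all, and the fact that a freshly created user has no project group until an administrator assigns one.

```python
"""Toy model of SAML/OIDC user auto-provisioning keyed on an IdentityKey.

Constructed example for illustration only; not ALM's code. Names, fields
and sample data are hypothetical.
"""
from dataclasses import dataclass, field

# Hypothetical attribute mapping: IdP attribute name -> local user field.
# Both the IdP and the application side must agree on this mapping for
# the attributes to sync (the point made in the thread).
ATTRIBUTE_MAP = {
    "uid": "identity_key",      # stable, unique identifier issued by the IdP
    "userName": "username",
    "mail": "email",
    "displayName": "full_name",
}


@dataclass
class User:
    identity_key: str
    username: str
    email: str = ""
    full_name: str = ""
    # Project membership is never sourced from the IdP; it stays empty
    # until an administrator assigns a project group.
    project_groups: dict = field(default_factory=dict)


@dataclass
class ProvisioningConfig:
    user_info_auto_update: bool = True   # "User Info Auto Update"
    user_auto_generation: bool = True    # "User Auto Generation"


class UserStore:
    """In-memory user directory, looked up only by IdentityKey."""

    def __init__(self):
        self._by_key = {}

    def find_by_identity_key(self, key):
        return self._by_key.get(key)

    def add(self, user):
        self._by_key[user.identity_key] = user


def map_assertion(assertion):
    """Translate IdP attributes to local fields; unmapped attributes are dropped."""
    return {local: assertion[idp] for idp, local in ATTRIBUTE_MAP.items() if idp in assertion}


def provision(store, config, assertion):
    """Apply the auto-provisioning rules to one authenticated assertion.

    Returns (action, user) with action in {"created", "updated", "unchanged", "rejected"}.
    """
    attrs = map_assertion(assertion)
    key = attrs.get("identity_key")
    if not key:
        # Nothing ties this assertion to a local account, so do not guess.
        return "rejected", None

    user = store.find_by_identity_key(key)
    if user is not None:
        # Case 1: user found. Sync attributes only if auto update is on.
        if not config.user_info_auto_update:
            return "unchanged", user
        changed = False
        for name, value in attrs.items():
            if name != "identity_key" and getattr(user, name) != value:
                setattr(user, name, value)
                changed = True
        return ("updated" if changed else "unchanged"), user

    # Case 2: user not found. Create only if auto generation is on.
    if not config.user_auto_generation or "username" not in attrs:
        return "rejected", None
    user = User(identity_key=key, username=attrs["username"],
                email=attrs.get("email", ""), full_name=attrs.get("full_name", ""))
    store.add(user)
    return "created", user


def assign_project_group(user, project, group):
    """Administrator action that the IdP cannot perform on the app's behalf."""
    user.project_groups[project] = group


def can_access_project(user, project):
    return project in user.project_groups


# Constructed sample assertion as it might arrive after IdP authentication.
SAMPLE_ASSERTION = {"uid": "a1b2c3", "userName": "jdoe",
                    "mail": "jdoe@example.com", "displayName": "Jane Doe"}


def run_demo():
    """First login creates the user; a changed email updates it; access needs a group."""
    store, cfg = UserStore(), ProvisioningConfig()
    first, user = provision(store, cfg, SAMPLE_ASSERTION)
    second, _ = provision(store, cfg, dict(SAMPLE_ASSERTION, mail="jane.doe@example.com"))
    before = can_access_project(user, "ProjA")
    assign_project_group(user, "ProjA", "Developers")
    return first, second, user.email, before, can_access_project(user, "ProjA")


if __name__ == "__main__":
    print(run_demo())  # ('created', 'updated', 'jane.doe@example.com', False, True)
```

The design choice worth noticing is that the lookup uses the IdentityKey alone and the IdP never supplies project membership: a new user can authenticate on first login, but access to a project still waits for the administrator step, exactly as the final reply describes.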