-
Notifications
You must be signed in to change notification settings - Fork 209
Attribute Mapping
When you rely on a third party for authentication (AuthN) and authorization (AuthZ) the groups, roles, etc will often have their own naming scheme, or if using LDAP, have a subtree unique to the company you are at. Because of that, we provide a way to map what your AuthN/AuthZ service sends to what openDCIM Needs.
Sometimes your account information comes back with parts that you don't want to include in the UserID, such as DOMAIN. There is a Remove Account Prefix and a Remove Account Suffix that you can put values into (this is a substring match, not a Regular Expression) for openDCIM to strip out. Most commercial SAML providers can strip this out before sending to you, which would typically be the preferred method to ensure consistency.
Sometimes the fields are passed as standard identifiers, as shown in the picture, and sometimes they are passed as configurable text names.
- FirstName - Required
- Last Name - Required
- Email - Required
- Phone1 - Optional
- Phone2 - Optional
- Phone3 - Optional
If you are using LDAP and your server can't provide access to the required attributes, you should look at using mod_auth for Apache to handle authentication instead of trying to interface directly with the LDAP server from openDCIM, because there would be absolutely no advantage to going direct.
If you are using Saml or OIDC for the authentication provider, it will typically send back an array of groups that the user is a member of, and that array could have any name. Due to that, we have a field for OIDC/SAML Attribute containing Groups.
The rest of the fields are a direct correlation to the rights available to users within openDCIM. SAML and OIDC will typically provide a simple name, but it could also provide a full DN, especially if the information comes from LDAP. LDAP will almost always provide a full DN for the group membership.
When you configure openDCIM to map groups to the users, as described above, those rights passed by the Identity Provider will always overwrite any rights that may have been assigned within the database.