
Advanced features

These are some advanced features and configuration capabilities available on Trivore ID for user directories.

Linking multiple user directories to single Trivore ID user account

This use case is fairly common in enterprises, where a single person holds user accounts in several external directories, such as Azure AD or Google Workspace. Here we show how those external accounts can be consolidated into a single identity on Trivore ID.

Two benefits follow. Single sign-on (SSO) keeps working regardless of which linked directory the user authenticates with, and the Trivore ID user account (the identity) may at any time be enriched with higher level of assurance (LoA) information via suomi.fi-tunnistus or other means.

End users themselves can link their Trivore ID user account with multiple external user directory accounts through the dashboard panel option Link my account with another account.


Only one link can be primary at any given time. The primary link is used to update certain single-value attributes, such as first and last name, from that directory. The primary link can also be unset, in which case Trivore ID itself is the master data for the user account and no external directory overwrites those attributes.

End users can manage their user directory links using the dashboard panel.


Creating user accounts on-demand via suomi.fi-tunnistus

In this use case, user accounts are created in a namespace dynamically when a person signs in to Trivore ID via the suomi.fi-tunnistus user directory. The user directory requires a specific configuration for this to work correctly. The following settings are key:

  1. Select: Link user with directory

  2. Select: Allow creating new users

  3. Link ID value: urn:oid:1.2.246.21

  4. Select: Encrypt Link ID using salted hash algorithm

  5. How to handle conflicts with soft-deleted users: Existing soft-deleted user will be activated and replaced with new user information

The urn:oid:1.2.246.21 attribute carries the person's Finnish national identification number in suomi.fi-tunnistus, so it is stable across sign-ins and suitable as the link key. Storing it as a salted hash (setting 4) means the raw identifier is not persisted in the link record, while a returning user can still be matched to the same account. Setting 5 matters because a user whose account was soft-deleted would otherwise collide with the on-demand creation on their next sign-in.

Automatic redirect to user directory on OpenID sign-in

When a user is sent to the Trivore ID OpenID Connect authorization endpoint, they can be automatically redirected on to the external user directory's authentication by means of the standard OpenID Connect acr_values query parameter. See the example below.

GET /openid/auth?acr_values=urn:trivoreid:oneportal.t5.fi:userdirectory:example-directory

The value of the acr_values query parameter MUST be the full URN of the user directory, not just its alias. The URN becomes available once you define an Alias for the user directory.
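As an added example (not code from the Trivore ID documentation or product), the following Python builds a complete authorization request to the /openid/auth endpoint with the acr_values parameter set to the directory URN shown above, adds PKCE, state and nonce as any OpenID Connect client should, and rejects a bare alias. The issuer host, client_id and redirect_uri are placeholders; the colons in the URN are percent-encoded by urlencode, which is what a client must do when building the query string by hand.

```python
"""Build a Trivore ID OpenID Connect authorization request that pre-selects an
external user directory via the standard acr_values parameter (added example)."""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Placeholder issuer; substitute your Trivore ID deployment's base URL.
ISSUER = "https://idp.example.com"
# Directory URN as shown on the page; the real value is displayed in the
# Trivore ID admin UI once an alias is defined for the user directory.
DIRECTORY_URN = "urn:trivoreid:oneportal.t5.fi:userdirectory:example-directory"


def build_pkce():
    """Return (code_verifier, code_challenge) per RFC 7636, S256 method."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def build_auth_url(issuer, client_id, redirect_uri, directory_urn,
                   state, nonce, code_challenge):
    """Assemble the /openid/auth request URL with acr_values = directory URN."""
    # The page requires the full URN; a bare alias such as "example-directory"
    # is a configuration mistake, so fail early instead of sending it.
    if not directory_urn.startswith("urn:"):
        raise ValueError("acr_values must be the directory's full URN, not its alias")
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid profile",
        "state": state,                      # CSRF binding, verify on callback
        "nonce": nonce,                      # replay binding, verify in ID token
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
        "acr_values": directory_urn,         # space-separated list; one URN here
    }
    return f"{issuer}/openid/auth?{urlencode(params)}"


def acr_values_from_url(url):
    """Parse the acr_values back out of a built URL (round-trip check)."""
    query = parse_qs(urlsplit(url).query)
    return query.get("acr_values", [None])[0]


if __name__ == "__main__":
    verifier, challenge = build_pkce()
    url = build_auth_url(ISSUER, "my-client", "https://app.example.com/cb",
                         DIRECTORY_URN, secrets.token_urlsafe(16),
                         secrets.token_urlsafe(16), challenge)
    print(url)
    print("acr_values round-trips:", acr_values_from_url(url) == DIRECTORY_URN)
```

On the callback, the client must still check state against the session, exchange the code with the code_verifier, and validate the ID token (issuer, audience, nonce, signature) as usual; pre-selecting the directory with acr_values changes only where the user is sent to authenticate, not the validation the client owes on the way back.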