Common user directory settings
Here you find common settings for all user directories.
Display options
At the top of the user directory editor there are display options for the user directory. The current options are:
- Enabled, this enables or disables the user directory. A disabled directory cannot be used to log in. When the directory is enabled, the Enabled text is shown in green.
- Directory display name, this changes the display name of the user directory. This is the name shown when selecting user directories.
- Directory alias, this value is used by external apps when they want to direct sign-in to a particular named user directory. Aliases are unique within a Trivore ID instance. When this value is defined, the full URN value that references this directory is shown. Pass that URN in the OpenID Connect acr_values query parameter to redirect the user automatically to this directory's sign-in.
- Directory icon, a small icon that is usually shown next to the user directory display name. Custom directory icons can be uploaded; the maximum file size is 2 megabytes.
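The following is an added example of the client side of the alias mechanism, not code from Trivore ID or this page: a relying party builds an OpenID Connect authorization request that carries the directory URN in acr_values, together with the state, nonce and PKCE parameters any such request should have. The endpoint, client registration and the URN value are placeholders; copy the real URN from the directory editor.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Assumed values, not taken from the page: replace with your own issuer,
# client registration and the URN the directory editor shows for the alias.
AUTHORIZE_ENDPOINT = "https://id.example.com/openid/auth"   # assumed
CLIENT_ID = "example-client"                                # assumed
REDIRECT_URI = "https://app.example.com/oidc/callback"      # assumed
DIRECTORY_URN = "urn:example:directory:placeholder"         # placeholder, copy the real one


def pkce_challenge(code_verifier):
    """S256 code challenge: base64url(sha256(verifier)) without padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorize_url(directory_urn, state, nonce, code_verifier):
    """Authorization request that lands the user on one directory's sign-in."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile email",
        "state": state,                 # CSRF protection, checked at the callback
        "nonce": nonce,                 # bound into the ID token
        "code_challenge": pkce_challenge(code_verifier),
        "code_challenge_method": "S256",
        "acr_values": directory_urn,    # the directory alias URN from the editor
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def query_params(url):
    """Single-valued view of the query string, handy for checking the request."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def new_sign_in_request(directory_urn=DIRECTORY_URN):
    """Generate fresh per-request secrets; keep them in the session for the callback."""
    state = secrets.token_urlsafe(16)
    nonce = secrets.token_urlsafe(16)
    verifier = secrets.token_urlsafe(48)
    url = build_authorize_url(directory_urn, state, nonce, verifier)
    return url, state, nonce, verifier
```

At the callback, compare the returned state with the stored one, send the verifier to the token endpoint and check the nonce in the ID token; acr_values only steers which directory the user is sent to and does not replace those checks.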
Login translations
If you want to customise the login button or selector translations that users see when selecting or signing in via this directory, you can do that in the Login translations tab.
Directory login captions can be added for every language / locale you need: press the Add button and select the appropriate language and country. In most cases it is best to select only the language and leave the country unselected, unless you really need different translations for, for example, British and American English.
Directory login descriptions are currently not used but may be used in future to provide additional details about this directory.
User information
Most of the following user attribute mappings are available in every supported user directory. Ignore any mappings that are not available in the directory type you are configuring. Default values differ between directory types.
The name of the field is the attribute name in Trivore ID where the imported value will be stored. The value of the field should be the attribute name in the external user directory. For example, Link ID is most commonly sub for OpenID Connect based directories (except Azure AD, where id should be used instead).
Attribute mappings can take multiple values in order of preference, separated by commas.
Each user attribute mapping field has a sensible default value if the attribute can be imported from the given directory.
Field | Description | Default field value | Example attribute value |
---|---|---|---|
Allow creating new users | Allow or deny creating new users. Check this if you want to allow every user from the directory to sign in to Trivore ID. If not checked, only existing users can link their accounts with external directory accounts. | False (not checked) | N/A |
Link ID (required) | Permanent, non-secret user identifier from the external directory that is used to identify the user. The value should be the name of an attribute whose value never changes for the user, such as sub for OpenID Connect based directories (see above). | Depends on directory | |
Encrypt link ID using salted hash algorithm | Stores a salted hash of the Link ID described above instead of the raw value. This is needed if Link ID values contain sensitive information such as a social security number. | False (not checked) | N/A |
How to handle conflicts with soft deleted users | Action performed when a sign-in conflicts with a soft deleted user. The conflict can either deny the sign-in or reactivate the existing account and replace its data with the new user information. | Existing soft deleted user causes conflict; sign-in is not possible | N/A |
Username import policy | How usernames are handled in Trivore ID. This option exists to guarantee username uniqueness within a namespace, which is a technical requirement. You can choose to import usernames from the external directory, but the preferred method is to generate them automatically using the default settings. | Automatic namespace username policy (actual value depends on the policy configured in namespace settings) | N/A |
Username | Attribute from the external directory that provides the user's username. Only available when using a manual attribute selection policy for the username. | Depends on directory | |
Username prefix | Adds this literal value as a username prefix. Only shown when the “Manual attribute selection with prefix” username import policy is chosen. | None | N/A |
Username suffix | Adds this literal value as a username suffix. Only shown when the “Manual attribute selection with suffix” username import policy is chosen. | None | N/A |
Update username if it does not match given settings | Updates the user's username on every successful login if it does not match the configured settings. The update is only done when signing in via the user's primary directory. | False (not checked) | N/A |
Friendly name | Friendly name for the user's external directory account that helps them identify it. Only useful if users are allowed to manage their account links (add, edit, remove links). The value is shown in the dashboard panel in the Account column (and in the manage directory links window). | Depends on directory | |
First name | Attribute from the external directory that provides the user's first name. Imported only from the primary directory. | Depends on directory | |
Last name | Attribute from the external directory that provides the user's last name. Imported only from the primary directory. | Depends on directory | |
Full name | Attribute from the external directory that provides the user's full name, including first and last name and any middle names. Only useful if separate attributes for first and last name are not available. Imported only from the primary directory. | Depends on directory | |
Email | Attribute from the external directory that provides the user's email. | Depends on directory | |
Email verified | Attribute from the external directory that provides the user's email verification status. Boolean attribute. | Depends on directory | |
Mobile | Attribute from the external directory that provides the user's mobile number. | Depends on directory | |
Mobile verified | Attribute from the external directory that provides the user's mobile number verification status. Boolean attribute. | Depends on directory | |
Locale / language | Attribute from the external directory that provides the user's language or localisation information. | Depends on directory | |
Photo URL | Attribute from the external directory that provides the user's photo URL. The actual implementation varies between directory types. | Depends on directory | |
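The following is an added illustration of how the Link ID, the salted-hash option, the soft-deleted conflict policy and the allow-create switch interact at sign-in. It is not Trivore ID's implementation: the hash construction (HMAC-SHA256 keyed with a per-directory secret salt), the in-memory user store and the placeholder username generation are assumptions made here.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Illustrative model, not Trivore ID's code. Assumed: protected link IDs are
# HMAC-SHA256(per-directory secret salt, raw id), so the same external ID always
# maps to the same stored value while the raw value is never persisted.


@dataclass
class DirectorySettings:
    link_id_attr: str                 # e.g. "sub" for OIDC, "id" for Azure AD
    hash_link_id: bool = False        # "Encrypt link ID using salted hash algorithm"
    salt: bytes = b""                 # per-directory secret (assumed)
    allow_create: bool = False        # "Allow creating new users"
    reactivate_soft_deleted: bool = False  # soft-deleted conflict policy


@dataclass
class User:
    username: str
    links: dict = field(default_factory=dict)   # directory name -> stored link id
    soft_deleted: bool = False


def stored_link_id(settings, claims):
    """Value stored for this account link: raw attribute or its keyed hash."""
    raw = claims.get(settings.link_id_attr)
    if raw in (None, ""):
        # Link ID is required; refuse rather than link to an empty identifier.
        raise ValueError("missing link id attribute %r" % settings.link_id_attr)
    raw = str(raw)
    if not settings.hash_link_id:
        return raw
    return hmac.new(settings.salt, raw.encode("utf-8"), hashlib.sha256).hexdigest()


def resolve_sign_in(directory, settings, claims, users):
    """Return (action, user); action is 'login', 'reactivate', 'create' or 'deny'."""
    link = stored_link_id(settings, claims)
    for user in users:
        if user.links.get(directory) != link:
            continue
        if not user.soft_deleted:
            return ("login", user)
        if settings.reactivate_soft_deleted:
            user.soft_deleted = False       # reactivate and keep the existing account
            return ("reactivate", user)
        return ("deny", user)               # default: conflict, sign-in not possible
    if not settings.allow_create:
        return ("deny", None)               # only existing users may link accounts
    # Placeholder for the automatic namespace username policy (assumed form).
    username = "user-" + hashlib.sha256(link.encode("ascii")).hexdigest()[:8]
    new_user = User(username=username, links={directory: link})
    users.append(new_user)
    return ("create", new_user)
```

Note that hashing the Link ID protects the stored value, not the lookup: a directory that changes its identifier for a user (or a second directory that reuses the same raw value) still needs its own link entry, which is why the store is keyed by directory as well as by link.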
Group information
This section describes how groups can be imported.
Note that Group parser mode is available only on OpenID Connect and other JSON data model based directories. SAML based directories do not support complex data structures and therefore only flat listing of group names is supported.
Field | Description | Default value |
---|---|---|
Enable groups | Enable or disable group import from user directory. | False (not checked) |
Group parser mode | Groups can be either parsed from simple array of names (as strings) or array of JSON objects which may contain attributes for id, name and description. | Import groups from simple array of names |
Group attribute | Name of the attribute to import groups from. | None |
Group name import policy | Group names can be imported as is or additional literal prefix or suffix can be added. | Import group names as is. |
Group conflict resolution | Determines how conflicts with existing groups in Trivore ID are handled. See the explanation below. | Hybrid solution. Add membership but do not change ownership. |
Example for Groups as array of names:
{
  "groups": ["first group", "second group"]
}
Example for Groups as array of objects:
{
  "groups": [
    {"id": "1234", "name": "group 1", "description": "descr 1"},
    {"id": "5678", "name": "group 2", "description": "descr 2"}
  ]
}
Group conflict resolution works as follows:
- Override policy. Add membership and make this directory owner of the group: membership is added to the group even if the group is not owned by this directory (i.e. it was not created as a result of a sign-in from this user directory; it may have been created manually or imported from another directory). With this option the policy always makes this user directory the owner of the group. It is a reasonable choice when there are no conflicts between user directories and conflicts only happen with manually created groups. This policy ensures that membership is correctly removed in Trivore ID when the membership is removed in the external user directory.
- Ignore any conflicting groups (do not add membership): membership is not added to pre-existing groups that were not created by this user directory.
- Hybrid solution. Add membership but do not change ownership: membership is always added, even to pre-existing groups that are not owned by this user directory, but the ownership of the group is not changed. The downside is that membership in conflicting groups is not removed in Trivore ID when the membership is removed in the external user directory.
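The following is an added model of the whole group import step (both parser modes, the name prefix/suffix policy and the three conflict resolution policies), written to show concretely where the hybrid policy leaves stale memberships behind. It is illustrative code, not Trivore ID's implementation; the ownership bookkeeping (each group remembers the directory that created it, or None for a manually created group) is an assumption made here.

```python
from dataclasses import dataclass, field
from typing import Optional

# Illustrative model of group import, not Trivore ID's code. Assumed: a group
# records the directory that created it (None when created manually).


@dataclass
class Group:
    name: str
    owner: Optional[str] = None               # directory name, or None if manual
    members: set = field(default_factory=set)
    external_id: Optional[str] = None
    description: str = ""


def parse_groups(claims, attribute, mode):
    """'names': array of strings; 'objects': array of {id, name, description}."""
    raw = claims.get(attribute) or []
    if mode == "names":
        return [{"id": None, "name": str(n), "description": ""} for n in raw]
    if mode == "objects":
        out = []
        for g in raw:
            if not isinstance(g, dict) or "name" not in g:
                raise ValueError("group object without a name: %r" % (g,))
            out.append({"id": g.get("id"), "name": g["name"],
                        "description": g.get("description", "")})
        return out
    raise ValueError("unknown group parser mode %r" % mode)


def sync_groups(directory, username, claims, groups, *, attribute="groups",
                mode="names", prefix="", suffix="", policy="hybrid"):
    """Apply one sign-in's group claim to `groups` (name -> Group) and return it.

    policy: 'override' (add membership, take ownership), 'ignore' (skip
    conflicting groups) or 'hybrid' (add membership, keep ownership).
    """
    wanted = {}
    for g in parse_groups(claims, attribute, mode):
        wanted[prefix + g["name"] + suffix] = g     # group name import policy

    for name, g in wanted.items():
        grp = groups.get(name)
        if grp is None:
            # No conflict: create the group and make this directory its owner.
            groups[name] = Group(name=name, owner=directory, members={username},
                                 external_id=g["id"], description=g["description"])
        elif grp.owner == directory:
            grp.members.add(username)
        elif policy == "override":
            grp.owner = directory
            grp.members.add(username)
        elif policy == "hybrid":
            grp.members.add(username)
        elif policy == "ignore":
            pass
        else:
            raise ValueError("unknown conflict policy %r" % policy)

    # Removal only reaches groups this directory owns: under 'hybrid' a
    # membership added to a foreign group is never cleaned up here.
    for grp in groups.values():
        if grp.owner == directory and grp.name not in wanted:
            grp.members.discard(username)
    return groups
```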
Attribute mapper
The attribute mapper supports dot-separated syntax for JSON data structures. For example, given the following JSON
"onPremisesExtensionAttributes": {
  "extensionAttribute1": "value1",
  "extensionAttribute2": "value2"
  ...
  "extensionAttribute15": "value15"
}
the extension attributes can be referenced as "onPremisesExtensionAttributes.extensionAttribute1" and "onPremisesExtensionAttributes.extensionAttribute2".
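The following is an added example of how a mapping value is resolved against a JSON user record, combining the dot-separated path syntax above with the comma-separated list of candidates in order of preference described in the User information section. It is not Trivore ID's own mapper: the handling of whitespace, of empty strings and nulls (skipped as if absent) and of list indexes are assumptions made here, and the sample record is constructed to resemble an Azure AD style response.

```python
import json

# Constructed sample record (not captured from any real tenant), shaped like an
# Azure AD / Graph user object with on-premises extension attributes.
SAMPLE_CLAIMS = json.loads("""
{
  "id": "8f14e45f-ea4c-4e3b-9b6a-000000000000",
  "mail": null,
  "userPrincipalName": "alice@example.com",
  "roles": ["admin", "dev"],
  "onPremisesExtensionAttributes": {
    "extensionAttribute1": "value1",
    "extensionAttribute2": ""
  }
}
""")


def lookup_path(data, path):
    """Follow a dot-separated path through nested objects; None if any step is missing.

    Assumption: a numeric path segment indexes into a JSON array.
    """
    cur = data
    for part in path.split("."):
        if isinstance(cur, dict):
            if part not in cur:
                return None
            cur = cur[part]
        elif isinstance(cur, list) and part.isdigit() and int(part) < len(cur):
            cur = cur[int(part)]
        else:
            return None
    return cur


def resolve_mapping(data, mapping):
    """Try each comma-separated candidate in order; return the first non-empty value.

    Assumption: null and "" count as "no value", so the next candidate is tried.
    """
    for candidate in mapping.split(","):
        candidate = candidate.strip()
        if not candidate:
            continue
        value = lookup_path(data, candidate)
        if value is not None and value != "":
            return value
    return None
```

With this resolver, a mapping such as "mail, userPrincipalName" falls through to userPrincipalName when mail is null, which is the order-of-preference behaviour the mapping syntax is for; a required mapping like Link ID that resolves to None should abort the sign-in rather than link the account to an empty identifier.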