Common user directory settings

Here you find common settings for all user directories.

Display options

At the top of the user directory editor there are display options for the user directory. The current options are:

  • Enabled: enables or disables the user directory. A disabled user directory cannot be used to log in. When the user directory is enabled, the Enabled text is shown in green.

  • Directory display name: changes the display name of the user directory. This is the name shown when selecting user directories.

  • Directory alias: a value used by external apps when they want to direct sign-in to a particular named user directory. Aliases are unique within a Trivore ID instance. When this value is defined, the full URN value that references this directory is shown. Pass that URN value in the OpenID Connect acr_values query parameter to redirect the user automatically to this user directory's sign-in.

  • Directory icon: a small icon that is usually shown next to the user directory display name. Custom directory icons can be uploaded; the maximum file size is 2 megabytes.

Login translations

If you want to customise the login button/select translations that users see when selecting or signing in via this directory, you can do that on the Login translations tab.

Directory login captions can be added for every language/locale you need: press the Add button and select the appropriate language and country. In most cases it is best to select only the translation language and leave the country unselected, unless you really need different translations for, for example, British and American English.

Directory login descriptions are currently not used, but they may be used in the future to provide additional details about this directory.

User information

Most of the following user attribute mappings are available in every supported user directory. Ignore any mappings that are not available for the directory type you are configuring. Default values differ between directory types.

The name of the field is the attribute name in Trivore ID where the imported value will be stored. The value of the field should be the attribute name in the external user directory. For example, Link ID is most commonly sub for OpenID Connect based directories (except Azure AD, where id should be used instead).

Attribute mappings can take multiple values in order of preference, separated by commas.

Each user attribute mapping field has a sensible default value if it is possible to import it from the given directory.

| Field | Description | Default field value | Example attribute value |
|---|---|---|---|
| Allow creating new users | Allow or deny creating new users. If you want to allow every user from the directory to sign in to Trivore ID, check this. If not checked, only existing users can link their accounts with external directory accounts. | False (not checked) | N/A |
| Link ID (required) | Permanent, non-secret user identifier from the external directory that is used to identify the user. The value should be the name of an attribute whose value never changes for the user, such as sub or id. If the value changes, a new user account would be created because the system would be unable to detect the correct linking. | Depends on directory | "5f84b3104cb0aa70df369e26" |
| Encrypt link ID using salted hash algorithm | Encrypts the Link ID described above. This is needed if the Link ID values contain sensitive information such as a social security number. | False (not checked) | N/A |
| How to handle conflicts with soft deleted users | Action to be performed upon detecting a conflict with a soft deleted user. This situation can either cause a conflict and deny sign-in, or it can reactivate the existing account and replace its data with the new user information. | Existing soft deleted user causes conflict. Sign in is not possible | N/A |
| Username import policy | How to handle usernames in Trivore ID. This option exists to guarantee username uniqueness within a namespace, which is a technical requirement. You can choose to import usernames from an external directory, but the preferred method is to generate them automatically using the default settings. | Automatic namespace username policy (actual value depends on the configured policy in namespace settings) | N/A |
| Username | Attribute from the external directory that provides the user's username. Only available when using a manual attribute selection policy for the username. | Depends on directory | [email protected] |
| Username prefix | Adds this literal value as a username prefix. This option is only shown if the "Manual attribute selection with prefix" username import policy is chosen. | None | N/A |
| Username suffix | Adds this literal value as a username suffix. This option is only shown if the "Manual attribute selection with suffix" username import policy is chosen. | None | N/A |
| Update username if it does not match given settings | Updates the user's username on every successful login if it does not match the given settings. The username update is only done when signing in via the user's primary directory. | False (not checked) | N/A |
| Friendly name | Friendly name for the user's external directory account that helps them identify it. Only useful if users are given access to manage their account links (add, edit, remove links). This value is shown in the dashboard panel in the Account column (and in the manage directory links window). | Depends on directory | "John Doe" |
| First name | Attribute from the external directory that provides the user's first name. This is imported only from the primary directory. | Depends on directory | "John" |
| Last name | Attribute from the external directory that provides the user's last name. This is imported only from the primary directory. | Depends on directory | "Doe" |
| Full name | Attribute from the external directory that provides the user's full name, including first and last name and any middle names. This is only useful if separate attributes for first and last name are not available. This is imported only from the primary directory. | Depends on directory | "John Doe" |
| Email | Attribute from the external directory that provides the user's email. | Depends on directory | [email protected] |
| Email verified | Attribute from the external directory that provides the user's email verification information. Boolean attribute. | Depends on directory | true |
| Mobile | Attribute from the external directory that provides the user's mobile number. | Depends on directory | +358401234567 |
| Mobile verified | Attribute from the external directory that provides the user's mobile number verification information. Boolean attribute. | Depends on directory | false |
| Locale / language | Attribute from the external directory that provides the user's language or localisation information. | Depends on directory | "en_US" or "en" |
| Photo URL | Attribute from the external directory that provides the user's photo URL. The actual implementation varies between directory types. | Depends on directory | https://graph.example.com/<userid> |
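The table above describes four settings that interact at sign-in: the Link ID attribute, the option to store it only as a salted hash, "Allow creating new users", and the soft deleted user conflict handling. The following is an added example with an in-memory user store; it is not Trivore ID's implementation, and the keyed SHA-256 derivation, the generated username format and the claim values are this example's assumptions. It also shows the table's warning in action: mapping Link ID to an attribute that can change silently produces a second account.

```python
"""Sign-in linking as the user information table describes it (added example,
not Trivore ID code): identify the user by a stable Link ID, optionally stored
only as a salted hash, then apply the 'Allow creating new users' and
soft-deleted-user conflict settings."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class DirectoryConfig:
    directory_id: str
    link_id_attribute: str = "sub"          # page: usually 'sub'; Azure AD uses 'id'
    encrypt_link_id: bool = False           # 'Encrypt link ID using salted hash algorithm'
    allow_create: bool = False              # 'Allow creating new users' (default unchecked)
    reactivate_soft_deleted: bool = False   # default: soft deleted user causes conflict
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))


@dataclass
class User:
    username: str
    soft_deleted: bool = False
    links: Dict[str, str] = field(default_factory=dict)  # directory_id -> stored link key


def link_key(cfg: DirectoryConfig, claims: dict) -> str:
    """Value stored to recognise this external account again.  With encryption
    on, the raw identifier never reaches the database: a keyed hash under the
    per-directory salt is stored instead (assumed construction)."""
    raw = claims.get(cfg.link_id_attribute)
    if raw in (None, ""):
        raise ValueError(f"claims lack link attribute {cfg.link_id_attribute!r}")
    if not cfg.encrypt_link_id:
        return str(raw)
    return hmac.new(cfg.salt, str(raw).encode("utf-8"), hashlib.sha256).hexdigest()


def sign_in(store: List[User], cfg: DirectoryConfig, claims: dict) -> Tuple[str, Optional[User]]:
    """Outcome is one of 'linked', 'reactivated', 'created', 'denied'."""
    key = link_key(cfg, claims)
    for user in store:
        if user.links.get(cfg.directory_id) != key:
            continue
        if not user.soft_deleted:
            return "linked", user
        if cfg.reactivate_soft_deleted:       # reactivate; profile re-import omitted here
            user.soft_deleted = False
            return "reactivated", user
        return "denied", None                 # existing soft deleted user causes conflict
    if not cfg.allow_create:
        return "denied", None                 # only pre-existing users may link
    # Assumed username scheme; the real policy comes from namespace settings.
    user = User(username=f"{cfg.directory_id}-{key[:8]}", links={cfg.directory_id: key})
    store.append(user)
    return "created", user


def demo_unstable_link_attribute() -> int:
    """The table's warning: mapping Link ID to an attribute that can change
    (here a constructed email claim) creates a second account for one person."""
    cfg = DirectoryConfig("dirB", link_id_attribute="email", allow_create=True)
    store: List[User] = []
    sign_in(store, cfg, {"sub": "abc", "email": "old@example.invalid"})
    sign_in(store, cfg, {"sub": "abc", "email": "new@example.invalid"})  # same person
    return len(store)
```

Because the stored key is derived with the directory's own salt, the same external identifier linked from two directories yields two different stored values, so the hashed form still keeps links per directory as the table requires.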

Group information

This section describes how groups can be imported.

Note that Group parser mode is available only for OpenID Connect and other JSON data model based directories. SAML based directories do not support complex data structures, so only a flat list of group names is supported for them.

| Field | Description | Default value |
|---|---|---|
| Enable groups | Enable or disable group import from the user directory. | False (not checked) |
| Group parser mode | Groups can be parsed either from a simple array of names (as strings) or from an array of JSON objects which may contain attributes for id, name and description. | Import groups from simple array of names |
| Group attribute | Name of the attribute to import groups from. | None |
| Group name import policy | Group names can be imported as is, or an additional literal prefix or suffix can be added. | Import group names as is |
| Group conflict resolution | Determines how conflicts with existing groups in Trivore ID are handled. See the explanation below. | Hybrid solution. Add membership but do not change ownership |

Example for Groups as array of names:

{
  "groups": ["first group", "second group"]
}

Example for Groups as array of objects:

{
  "groups": [
    {"id": "1234", "name": "group 1", "description": "descr 1"},
    {"id": "5678", "name": "group 2", "description": "descr 2"}
  ]
}

Group conflict resolution works as follows:

  • Override policy. Add membership and make this directory owner of the group: Membership is added to the group even if the group is not owned by this directory (i.e. it was not created by a sign-in from this user directory; it may have been created manually or imported from another directory). This policy always makes this user directory the owner of the group. It is a reasonable choice when conflicts will not occur between user directories and only happen with manually created groups. It ensures that a membership is correctly removed in Trivore ID when the membership is removed in the external user directory.

  • Ignore any conflicting groups (do not add membership): Membership is not added to pre-existing groups that were not created by this user directory.

  • Hybrid solution. Add membership but do not change ownership: Membership is always added, even to pre-existing groups that are not owned by this user directory, but the ownership of the group is not changed. The downside is that a membership in a conflicting group is not removed in Trivore ID when the membership is removed in the external user directory.
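To make the two parser modes, the name import policy and the three conflict resolution policies concrete, here is an added example built around an in-memory group store. It is not Trivore ID's code: the policy keys `override`, `ignore` and `hybrid` are this example's names for the three options above, the ownership model is inferred from the text, and the two sample responses are the page's own JSON shapes with constructed values.

```python
"""Group import as the Group information section describes it (added example,
not Trivore ID code): parse the group attribute in either parser mode, apply the
name import policy, then reconcile memberships under a conflict resolution
policy."""
import json
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Group:
    name: str
    owner: Optional[str]                 # directory that created it; None = created manually
    members: Set[str] = field(default_factory=set)


def parse_groups(record: dict, attribute: str, parser_mode: str) -> List[dict]:
    """parser_mode 'names': array of strings; 'objects': array of JSON objects
    with id/name/description.  Entries of the wrong shape are skipped."""
    groups: List[dict] = []
    for entry in record.get(attribute) or []:
        if parser_mode == "names" and isinstance(entry, str):
            groups.append({"id": None, "name": entry, "description": None})
        elif parser_mode == "objects" and isinstance(entry, dict) and entry.get("name"):
            groups.append({"id": entry.get("id"), "name": entry["name"],
                           "description": entry.get("description")})
    return groups


def apply_name_policy(name: str, prefix: str = "", suffix: str = "") -> str:
    """'Import group names as is' is the default (empty prefix and suffix)."""
    return f"{prefix}{name}{suffix}"


def reconcile(store: Dict[str, Group], directory: str, user: str,
              imported: Set[str], policy: str) -> None:
    """Apply one sign-in's group list to the store.  Groups owned by this
    directory always mirror the external membership, so a membership dropped
    externally is dropped here too; groups owned elsewhere follow the policy."""
    for name in imported:
        group = store.get(name)
        if group is None:                         # new group: this directory owns it
            store[name] = Group(name, owner=directory, members={user})
        elif group.owner == directory:
            group.members.add(user)
        elif policy == "override":                # take ownership, then keep in sync
            group.owner = directory
            group.members.add(user)
        elif policy == "hybrid":                  # add membership, leave owner as is
            group.members.add(user)
        # policy == "ignore": the conflicting group is left untouched
    for group in store.values():
        if group.owner == directory and group.name not in imported:
            group.members.discard(user)


# Constructed sample responses in the two shapes shown on the page.
NAMES_RESPONSE = json.loads('{"groups": ["first group", "second group"]}')
OBJECTS_RESPONSE = json.loads("""{"groups": [
  {"id": "1234", "name": "group 1", "description": "descr 1"},
  {"id": "5678", "name": "group 2", "description": "descr 2"}]}""")


def demo(policy: str) -> Dict[str, bool]:
    """'group 1' pre-exists as a manually created group.  bob signs in with both
    groups, then again with only 'group 2'.  Returns bob's final membership per
    group; under 'hybrid' the stale 'group 1' membership survives, which is the
    downside the page describes."""
    store = {"group 1": Group("group 1", owner=None, members={"alice"})}
    first = {g["name"] for g in parse_groups(OBJECTS_RESPONSE, "groups", "objects")}
    reconcile(store, "dirA", "bob", first, policy)
    reconcile(store, "dirA", "bob", {"group 2"}, policy)
    return {name: "bob" in group.members for name, group in sorted(store.items())}
```

Running `demo("hybrid")`, `demo("override")` and `demo("ignore")` side by side is the quickest way to see why the override policy is the one that keeps removals in sync, and why the hybrid default trades that for never clobbering ownership.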

Attribute mapper

The attribute mapper supports dot-separated syntax for JSON data structures. For example, given the following JSON

"onPremisesExtensionAttributes": {
  "extensionAttribute1": "value1",
  "extensionAttribute2": "value2",
  ...
  "extensionAttribute15": "value15"
}

the extension attributes can be referenced as "onPremisesExtensionAttributes.extensionAttribute1" and "onPremisesExtensionAttributes.extensionAttribute2".
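The two mapping rules on this page, dot-separated paths into nested JSON (this section) and several candidate attributes separated by commas and tried in order of preference (the User information section), can be implemented together in a few lines. The following is an added example, not Trivore ID's mapper: the sample record is constructed in the shape of the JSON above plus a `sub` claim, and treating an empty string as "absent" so that the next candidate is tried is this example's choice.

```python
"""Resolve attribute mapping expressions against a JSON user record (added
example, not Trivore ID code).  Supports 'a.b.c' paths and 'x, y' fallbacks."""
import json
from typing import Any, Optional


def resolve_path(record: dict, path: str) -> Optional[Any]:
    """Walk a dot-separated path such as
    'onPremisesExtensionAttributes.extensionAttribute1'.  Returns None if any
    segment is missing or an intermediate value is not a JSON object."""
    current: Any = record
    for segment in path.split("."):
        if not isinstance(current, dict) or segment not in current:
            return None
        current = current[segment]
    return current


def resolve_mapping(record: dict, mapping: str) -> Optional[Any]:
    """Try each comma-separated candidate in order of preference; the first
    that resolves to a non-empty value wins.  Whitespace around candidates
    is ignored, so 'id, sub' and 'id,sub' behave the same."""
    for candidate in mapping.split(","):
        candidate = candidate.strip()
        if not candidate:
            continue
        value = resolve_path(record, candidate)
        if value is not None and value != "":
            return value
    return None


# Constructed sample record: the JSON shape above plus an OpenID Connect 'sub'.
SAMPLE_RECORD = json.loads("""
{
  "sub": "5f84b3104cb0aa70df369e26",
  "email": "",
  "onPremisesExtensionAttributes": {
    "extensionAttribute1": "value1",
    "extensionAttribute2": "value2"
  }
}
""")


def demo() -> dict:
    """A few mappings as they would be typed into the directory editor."""
    return {
        # Azure AD style 'id' first, fall back to 'sub' for other OIDC providers
        "link_id": resolve_mapping(SAMPLE_RECORD, "id, sub"),
        "ext1": resolve_mapping(SAMPLE_RECORD, "onPremisesExtensionAttributes.extensionAttribute1"),
        # empty email is skipped; no further candidate resolves, so None
        "email": resolve_mapping(SAMPLE_RECORD, "email, preferred_username"),
        "missing": resolve_mapping(SAMPLE_RECORD, "onPremisesExtensionAttributes.extensionAttribute15"),
    }
```

The fallback order matters for the Link ID mapping in particular: put the attribute that is guaranteed stable first, because whichever candidate resolves on a given sign-in becomes the identity the account is linked under.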