From OpenDCIM Wiki
Revision as of 23:24, 22 May 2020

This information is based upon openDCIM version 20.01

Attribute Mapping

When you rely on a third party for authentication (AuthN) and authorization (AuthZ), the groups, roles, etc. will often have their own naming scheme or, if using LDAP, have a subtree unique to the company you are at. Because of that, we provide a way to map what your AuthN/AuthZ service sends to what openDCIM needs.

[Figure: Attribute Mapping Tab]

Authentication Fields

Sometimes the fields are passed as standard identifiers, as shown in the picture, and sometimes they are passed as configurable text names.

  • FirstName - Required
  • Last Name - Required
  • Email - Required
  • Phone1 - Optional
  • Phone2 - Optional
  • Phone3 - Optional

If you are using LDAP and your server can't provide access to the required attributes, you should look at using mod_auth for Apache to handle authentication instead of trying to interface directly with the LDAP server from openDCIM, because there would be absolutely no advantage to going direct.


Group Mapping

If you are using SAML for the authentication provider, it will typically send back an array of groups that the user is a member of, and that array could have any name. Because of that, we have a field for SAML Attribute containing Groups.

The rest of the fields correspond directly to the rights available to users within openDCIM. SAML will typically provide a simple name, but it could also provide a full DN, especially if the information comes from LDAP. LDAP will almost always provide a full DN for the group membership.

Important Information about User Rights

When you configure openDCIM to map groups to the users, as described above, those rights passed by the Identity Provider will always overwrite any rights that may have been assigned within the database.
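
The Group Mapping and User Rights behaviour described above can be modelled as follows. This is an added example, not openDCIM's own code: the right names, group values and matching rules (a configured full DN must match exactly, a configured simple name matches the leading CN) are assumptions made for illustration.

```python
# Added illustration; not openDCIM code. Right names and sample values are constructed.
RIGHTS = ("ReadAccess", "WriteAccess", "SiteAdmin")  # assumed right names

def normalize(group):
    """Lower-case and trim each DN component so DNs compare reliably.
    Simplified: escaped commas inside an RDN value are not handled."""
    return ",".join(part.strip() for part in group.strip().lower().split(","))

def leading_cn(group):
    """CN value of a DN's first RDN, or the value itself for a simple name."""
    first = normalize(group).split(",")[0]
    return first[3:] if first.startswith("cn=") else first

def group_matches(configured, asserted):
    """A configured full DN must match exactly; a simple name matches the leading CN."""
    if "=" in configured:
        return normalize(configured) == normalize(asserted)
    return normalize(configured) == leading_cn(asserted)

def rights_from_idp(mapping, asserted_groups):
    """Derive every right from the groups the IdP sent, and from nothing else."""
    return {r: bool(mapping.get(r)) and
               any(group_matches(mapping[r], g) for g in asserted_groups)
            for r in RIGHTS}

def apply_login(db_rights, mapping, asserted_groups):
    """IdP-derived rights replace the stored ones; returns (new rights, changed rights)."""
    new = rights_from_idp(mapping, asserted_groups)
    changed = sorted(r for r in RIGHTS if db_rights.get(r, False) != new[r])
    return new, changed

# Constructed sample: one simple-name mapping and two full-DN mappings.
MAPPING = {
    "ReadAccess": "dcim-users",
    "WriteAccess": "cn=dcim-writers,ou=groups,dc=example,dc=com",
    "SiteAdmin": "cn=dcim-admins,ou=groups,dc=example,dc=com",
}
# Groups as an IdP might send them; the second has the right CN but another subtree.
ASSERTED = [
    "CN=dcim-users,OU=Groups,DC=example,DC=com",
    "cn=dcim-admins,ou=contractors,dc=example,dc=com",
]
# Rights previously stored locally; WriteAccess was granted by hand in the database.
DB_RIGHTS = {"ReadAccess": True, "WriteAccess": True, "SiteAdmin": False}

if __name__ == "__main__":
    new_rights, changed = apply_login(DB_RIGHTS, MAPPING, ASSERTED)
    print(new_rights, changed)
```

Logging the changed list at each login gives an audit trail for rights that the Identity Provider took away or granted, which is useful when a locally assigned right appears to vanish.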