When you rely on a third party for authentication (AuthN) and authorization (AuthZ), the groups, roles, etc. will often have their own naming scheme or, if you are using LDAP, live in a subtree unique to your company. Because of that, we provide a way to map what your AuthN/AuthZ service sends to what openDCIM needs.
Sometimes the fields are passed as standard identifiers, as shown in the picture, and sometimes they are passed as configurable text names.
- FirstName - Required
- Last Name - Required
- Email - Required
- Phone1 - Optional
- Phone2 - Optional
- Phone3 - Optional
If you are using LDAP and your server can't provide access to the required attributes, you should look at using mod_auth for Apache to handle authentication instead of trying to interface directly with the LDAP server from openDCIM, because there would be absolutely no advantage to going direct.
If you are using SAML for the authentication provider, it will typically send back an array of groups that the user is a member of, and that array could have any name. Due to that, we have a field for SAML Attribute containing Groups.
The rest of the fields are a direct correlation to the rights available to users within openDCIM. SAML will typically provide a simple name, but it could also provide a full DN, especially if the information comes from LDAP. LDAP will almost always provide a full DN for the group membership.
Important Information about User Rights
When you configure openDCIM to map groups to the users, as described above, those rights passed by the Identity Provider will always overwrite any rights that may have been assigned within the database.
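The sketch below is an added illustration, not openDCIM code, of the two points above: a group may arrive as a simple name or a full DN, and rights derived from the Identity Provider replace what is stored in the database. The right names, group values and the exact-match comparison after normalization are assumptions made for the example.

```python
import re

# Constructed mapping: right name -> group value as an admin might configure it.
# Right names, group names and DNs are placeholders for this example.
GROUP_MAP = {
    "ReadAccess": "dcim-users",
    "WriteAccess": "CN=dcim-writers,OU=Groups,DC=example,DC=com",
    "SiteAdmin": "CN=dcim-admins,OU=Groups,DC=example,DC=com",
}

def canon(group):
    """Canonical form for comparison: lower-cased, with whitespace around
    DN components removed. Simple names pass through lower-cased.
    Simplification: splits on commas not preceded by a backslash."""
    parts = re.split(r"(?<!\\),", group)
    return ",".join(p.strip() for p in parts).lower()

def rights_from_idp(idp_groups, group_map=GROUP_MAP):
    """Return {right: bool} based only on the groups the IdP sent.
    Assumption: the configured value must equal the sent value after
    normalization, so a simple name never matches a full DN."""
    sent = {canon(g) for g in idp_groups}
    return {right: canon(cfg) in sent for right, cfg in group_map.items()}

def login(db_rights, idp_groups, group_map=GROUP_MAP):
    """Mapped rights from the IdP overwrite the stored values, including
    turning off a right that was granted by hand in the database."""
    updated = dict(db_rights)
    updated.update(rights_from_idp(idp_groups, group_map))
    return updated

if __name__ == "__main__":
    # Constructed case: SiteAdmin was set manually in the database,
    # but the IdP does not place the user in the admin group.
    stored = {"ReadAccess": True, "WriteAccess": False, "SiteAdmin": True}
    groups = ["dcim-users", "cn=dcim-writers, ou=Groups, dc=example, dc=com"]
    print(login(stored, groups))
```

If a right never turns on after login, compare the exact string your provider sends (simple name or DN) with the value entered in the mapping field.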