Here you find common settings for all user directories.

...

  • Enabled: enables or disables the user directory. A disabled user directory cannot be used to sign in. When the user directory is enabled, the Enabled text is shown in green.

  • Directory display name: changes the display name of the user directory. This is the name shown when selecting user directories.

  • Directory alias: a value used by external apps when they want to direct sign-in to a particular named user directory. These values are unique within a particular Trivore ID instance. When this value is defined, the full URN value for referencing this directory is shown. Use the OpenID Connect acr_values query parameter with this URN value to automatically redirect the user to this user directory's sign-in.

  • Directory icon: a small icon that is usually shown next to the user directory display name. Custom directory icons can be uploaded. The maximum file size is 2 megabytes.

...

| Field | Description | Default value | Example |
|---|---|---|---|
| Allow creating new users | Allow or deny creating new users. If you want to allow every user from the directory to sign in to Trivore ID, you need to check this. If not checked, only existing users can link their accounts with external directory accounts. | False (not checked) | N/A |
| Link ID (*required) | Permanent, non-secret user identifier from the external directory that is used to identify the user. The value should be an attribute name whose value never changes for the user, such as sub or id. If the value changes, a new user account would be created because the system would be unable to detect the correct linking. | Depends on directory | “5f84b3104cb0aa70df369e26” |
| Encrypt link ID using salted hash algorithm | Hashes the Link ID described above with a salted hash algorithm before storing it. This is needed if the Link ID values contain sensitive information such as social security numbers. | False (not checked) | N/A |
| How to handle conflicts with soft deleted users | Action to be performed upon detecting a conflict with a soft deleted user. This situation can either cause a conflict and deny sign-in, or it can reactivate the existing account and replace its data with the new user information. | Existing soft deleted user causes conflict. Sign in is not possible | N/A |
| Username import policy | How to handle usernames in Trivore ID. This option exists in order to guarantee username uniqueness within a namespace, which is a technical requirement. You can choose to import usernames from an external directory, but the preferred method is to generate them automatically using the default settings. | Automatic namespace username policy (actual value depends on the configured policy in namespace settings) | N/A |
| Username | Attribute from the external directory that provides the user's username. Only available when using the manual attribute selection policy for username. | Depends on directory | john.doe@client.example.com |
| Username prefix | Prefix the username with this literal value. This option is only shown if the “Manual attribute selection with prefix” username import policy is chosen. | None | N/A |
| Username suffix | Suffix the username with this literal value. This option is only shown if the “Manual attribute selection with suffix” username import policy is chosen. | None | N/A |
| Update username if it does not match given settings | Update the user's username on every successful login if it does not match the given settings. The username update is only done when signing in via the user's primary directory. | False (not checked) | N/A |
| Friendly name | Friendly name for the user's external directory account that helps them identify it. Only useful if users are given access to manage their account links (add, edit, remove links). This value is shown in the dashboard panel in the Account column (and in the manage directory links window). | Depends on directory | “John Doe” |
| First name | Attribute from the external directory that provides the user's first name. This is imported only from the primary directory. | Depends on directory | “John” |
| Last name | Attribute from the external directory that provides the user's last name. This is imported only from the primary directory. | Depends on directory | “Doe” |
| Full name | Attribute from the external directory that provides the user's full name, including first and last name and any middle names. This is only useful if separate attributes for first and last name are not available. This is imported only from the primary directory. | Depends on directory | “John Doe” |
| Email | Attribute from the external directory that provides the user's email. | Depends on directory | “john.doe@example.com” |
| Email verified | Attribute from the external directory that provides the user's email verification status. Boolean attribute. | Depends on directory | true |
| Mobile | Attribute from the external directory that provides the user's mobile number. | Depends on directory | +358401234567 |
| Mobile verified | Attribute from the external directory that provides the user's mobile number verification status. Boolean attribute. | Depends on directory | false |
| Locale / language | Attribute from the external directory that provides the user's language or localisation information. | Depends on directory | “en_US” or “en” |
| Photo URL | Attribute from the external directory that provides the user's photo URL. The actual implementation varies between directory types. | Depends on directory | “https://graph.example.com/<userid>” |

Group information

This section describes how groups can be imported.

...

Note that Group parser mode is available only on OpenID Connect and other directories based on a JSON data model. SAML based directories do not support complex data structures, and therefore only a flat list of group names is supported for them.

| Field | Description | Default value |
|---|---|---|
| Enable groups | Enable or disable group import from the user directory. | False (not checked) |
| Group parser mode | Groups can be parsed either from a simple array of names (as strings) or from an array of JSON objects which may contain attributes for id, name and description. | Import groups from simple array of names |
| Group attribute | Name of the attribute to import groups from. | None |
| Group name import policy | Group names can be imported as-is, or an additional literal prefix or suffix can be added. | Import group names as is. |
| Group conflict resolution | Determines how conflicts with existing groups in Trivore ID are handled. See the explanation below. | Hybrid solution. Add membership but do not change ownership. |

Example for Groups as array of names:

```json
{
  "groups": ["first group", "second group"]
}
```

Example for Groups as array of objects:

```json
{
  "groups": [
    {"id": "1234", "name": "group 1", "description": "descr 1"},
    {"id": "5678", "name": "group 2", "description": "descr 2"}
  ]
}
```

Group conflict resolution works as follows:

  • Override policy. Add membership and make this directory owner of the group: Group membership is added to the group even if the group is not owned by this directory (i.e. it was not created because of a sign-in from this user directory). The group may have been created manually or imported from another directory. With this option, the policy always makes this user directory the owner of the group. This policy is a reasonable choice when there won't be conflicts between user directories and conflicts only happen with manually created groups. This policy ensures that membership is correctly removed in Trivore ID when the membership is removed in the external user directory.

  • Ignore any conflicting groups (do not add membership): Membership will not be added to pre-existing groups that were not created by this user directory.

  • Hybrid solution. Add membership but do not change ownership: Membership will always be added, even to pre-existing groups that are not owned by this user directory, but the ownership of the group won't be changed. This has the downside that membership in Trivore ID in conflicting groups is not removed when the membership is removed in the external user directory.
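The following is an added example (not Trivore ID's own code) that simulates the group import settings described above: both Group parser modes, the prefix/suffix name import policy, and the three conflict resolution policies. It uses a dot-separated attribute lookup for the group attribute, as the attribute mapper section describes, but the exact Trivore ID semantics of that lookup are assumed; the sample claims are constructed.

```python
def lookup(data, path):
    """Resolve a dot-separated attribute path inside a JSON object (assumed semantics)."""
    cur = data
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur

def parse_groups(data, attribute, mode, prefix="", suffix=""):
    """Parse groups per the parser mode: 'names' (array of strings) or 'objects'
    (array of dicts with id/name/description). Prefix and suffix implement the
    group name import policy. Entries of the wrong shape are skipped."""
    raw = lookup(data, attribute) or []
    groups = []
    for item in raw:
        if mode == "names" and isinstance(item, str):
            gid, name, descr = None, item, None
        elif mode == "objects" and isinstance(item, dict) and item.get("name"):
            gid, name, descr = item.get("id"), item["name"], item.get("description")
        else:
            continue
        groups.append((gid, f"{prefix}{name}{suffix}", descr))
    return groups

def apply_conflict_policy(existing, imported, directory, policy):
    """existing maps group name -> owning directory (None = created manually).
    Returns (group names the user becomes a member of, updated ownership map)."""
    owners = dict(existing)
    added = []
    for _, name, _ in imported:
        if name not in owners:            # new group: created and owned by this directory
            owners[name] = directory
        elif owners[name] != directory:   # conflict with a pre-existing group
            if policy == "ignore":
                continue                  # do not add membership
            if policy == "override":
                owners[name] = directory  # take ownership
            # "hybrid": add membership, leave ownership untouched
        added.append(name)
    return added, owners

# Constructed sample ID token claims; the groups live under a nested attribute
CLAIMS = {"sub": "5f84b3104cb0aa70df369e26", "app": {"groups": [
    {"id": "1234", "name": "group 1", "description": "descr 1"},
    {"id": "5678", "name": "group 2", "description": "descr 2"}]}}
```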

Attribute mapper

The attribute mapper supports a dot-separated syntax for JSON data structures. For example, given the following JSON

...