Users and groups in the external LDAP directory
When using an external authentication service, two things must be set up before user profiles and privileges can be synchronized between the two systems:
User profiles in the external directory must have specific attributes set
Group names in the external directory must match User Group names in the IT Analytics Portal for privilege inheritance
Set the following attributes for each user in the external LDAP directory. For each attribute, the properties name and friendlyName must be present and populated. These attributes must be exposed by both the external LDAP directory and the IDP server. The attribute names are as follows:
displayName: <first_name> <last_name>, for example Jane Smith
email: email address
mobile: cell phone or mobile number
telephoneNumber: work phone or home phone number
sAMAccountName: the unique user name that is used as a login
memberOf: list of the group names to which the user belongs. For a Microsoft Azure IDP this attribute requires customization, and group names are accepted with or without a domain prefix. When configuring the memberOf attribute for Azure, it is recommended to use Groups assigned to the application rather than All groups or Security groups.
The memberOf attribute must use one of the following supported formats:
DOMAIN_NAME\userGroupName
CN=userGroupName,CN=Users,DC=aptareadfs,DC=com (for non-Azure IDPs)
Before an external user can use SSO to log in to the Portal, the user must belong to at least one external directory group whose name also exists as a User Group in the IT Analytics Portal. If these criteria are met, the user's profile is synchronized from the external directory when they log in to the Portal for the first time, and they inherit all privileges assigned to the matching User Group.
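The following script is an added example, not part of this documentation or of the IT Analytics product, that pre-checks a user record before the first SSO login. It reduces each memberOf value in the supported formats (DOMAIN_NAME\userGroupName, the CN=...,DC=... distinguished name, or the bare name an Azure IDP may send) to the group name, confirms that every required attribute is populated, and reports which Portal User Groups would match. The user records and Portal group names are constructed sample data; the exact-match comparison is an assumption, since the page does not state whether the Portal compares group names case-insensitively.

```python
import re

# Attributes the Portal expects each external user to expose (from the list above).
REQUIRED_ATTRIBUTES = (
    "displayName", "email", "mobile", "telephoneNumber", "sAMAccountName", "memberOf",
)


def group_name_from_member_of(value):
    r"""Reduce one memberOf value to the bare group name.

    Accepts the two formats the page lists plus the bare name:
      DOMAIN_NAME\userGroupName                   -> userGroupName
      CN=userGroupName,CN=Users,DC=example,DC=com -> userGroupName
      userGroupName                               -> userGroupName
    """
    value = value.strip()
    if value[:3].upper() == "CN=":
        # LDAP DN: take the first RDN by splitting on the first unescaped comma,
        # then remove RFC 4514 backslash escapes (e.g. "\," inside a group name).
        first_rdn = re.split(r"(?<!\\),", value, maxsplit=1)[0]
        return re.sub(r"\\(.)", r"\1", first_rdn[3:])
    if "\\" in value:
        # DOMAIN_NAME\groupName: drop the domain prefix.
        return value.split("\\", 1)[1]
    return value


def missing_attributes(user):
    """Names of required attributes that are absent or empty for a user."""
    return [a for a in REQUIRED_ATTRIBUTES if not user.get(a)]


def inherited_user_groups(user, portal_user_groups):
    """Portal User Groups whose name matches one of the user's directory groups.

    Matching is exact (assumption: the page does not specify case handling).
    """
    member_of = user.get("memberOf") or []
    if isinstance(member_of, str):
        member_of = [member_of]
    names = {group_name_from_member_of(v) for v in member_of}
    return sorted(names & set(portal_user_groups))


def check_user(user, portal_user_groups):
    """Summarise whether first-login synchronisation would succeed for a user."""
    missing = missing_attributes(user)
    groups = inherited_user_groups(user, portal_user_groups)
    return {"missing": missing, "groups": groups, "eligible": not missing and bool(groups)}


# Constructed sample data (not taken from any real directory or Portal).
PORTAL_USER_GROUPS = ["Portal Admins", "Report Viewers"]

SAMPLE_USERS = {
    "jsmith": {  # DN format plus a domain-prefixed group; one of them matches
        "displayName": "Jane Smith",
        "email": "jane.smith@example.com",
        "mobile": "+1 555 0100",
        "telephoneNumber": "+1 555 0101",
        "sAMAccountName": "jsmith",
        "memberOf": [
            "CN=Report Viewers,CN=Users,DC=aptareadfs,DC=com",
            "EXAMPLE\\Backup Operators",
        ],
    },
    "bjones": {  # Azure-style bare group name, but the mobile attribute is empty
        "displayName": "Bob Jones",
        "email": "bob.jones@example.com",
        "mobile": "",
        "telephoneNumber": "+1 555 0102",
        "sAMAccountName": "bjones",
        "memberOf": ["Portal Admins"],
    },
    "nobody": {  # every attribute populated, but no group exists in the Portal
        "displayName": "No Body",
        "email": "no.body@example.com",
        "mobile": "+1 555 0103",
        "telephoneNumber": "+1 555 0104",
        "sAMAccountName": "nobody",
        "memberOf": ["EXAMPLE\\Backup Operators"],
    },
}

if __name__ == "__main__":
    for login, user in SAMPLE_USERS.items():
        print(login, check_user(user, PORTAL_USER_GROUPS))
```

Run against an export of the IDP's attribute statement before enabling SSO for a batch of users: a non-empty "missing" list means the profile will not synchronize, and an empty "groups" list means the user has no Portal User Group to inherit privileges from even though the attributes are complete.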