    Component: IdP Sync

    Introduction

    User management is a feature found in most applications. It lets you create, edit or delete users in a given identity provider (IdP) such as Safewhere Identity Provider, Azure Active Directory (AAD) or OneLogin. The way users are created in the IdP is the same across applications, but the user information each application holds is different. To bridge this gap, the IdP Sync component provides a mechanism that synchronizes users from Casewhere to the IdP whenever they change.

    Features

    Settings

    The Settings page provides two data grids. The first is used to manage user schemas: you can add, edit, delete, import and export user schemas. The second grid lists the attribute claims of a user schema; you can add, edit and delete attribute claims. When you select a user schema, all attribute claims of that schema are shown in the attribute claims grid.

    [Figure: idpsync_1]

    Manage user schemas

    A user schema determines which data class in Casewhere stores the users and which identity provider is used to create the corresponding users.

    [Figure: idpsync_2]

    Add new user schema

    To add a new user schema, click on the Add button to open the Add User Schema dialog.

    [Figure: idpsync_3]

    Then, fill in the fields:

    • Name: The name of the user schema. This field is required and must be unique.

    • Data class name: The name of the Casewhere data class in which the users are stored. This field is required and must be unique.

    • Identity provider: The name of the identity provider plugin in Casewhere. This field is required.

      • Example: Identify Plugin

    [Figure: idpsync_4]

    Edit user schema

    To edit a user schema, first select it in the grid. Then click on the Edit button to open the Edit User Schema dialog.

    [Figure: idpsync_5]

    In the Edit User Schema dialog, you can update the following fields:

    • Name
    • Data class name
    • Identity provider

    [Figure: idpsync_6]

    Delete user schema

    To delete a user schema, select it in the grid. Then click on the Delete button.

    [Figure: idpsync_7]

    A confirmation dialog is shown. If you click the Yes button, the user schema is deleted immediately. If you click the No button, the deletion is cancelled.

    • Note: The system also deletes all attribute claims linked to the user schema.

    [Figure: idpsync_8]

    Import user schemas

    To import user schemas, first click on the Import button to open the Import User Schema dialog.

    • Note: All user schemas that already exist in the destination environment will be overridden (matched by user schema name).

    [Figure: idpsync_9]

    Then, click on the placeholder of the File upload field to open the file selection dialog.

    [Figure: idpsync_10]

    Next, select a JSON file to import (multiple selection is not supported). After selecting the file, click on the Import button to import the schemas from the JSON file. If you do not want to run the import, click on the Cancel button.

    [Figure: idpsync_11]

    Export user schemas

    To export one or several schemas, select them in the list. Next, click on the Export button. A JSON file containing the selected schemas is downloaded immediately.

    [Figure: idpsync_12]

    To export all schemas in the list, click on the Export button. A JSON file containing all schemas is downloaded immediately.

    [Figure: idpsync_13]

    Manage attribute claims

    An attribute claim of a user schema determines the mapping between a data class attribute in Casewhere and the corresponding claim in the IdP.

    • Note: The claim definition must already exist in the IdP before you set up the claim mapping.

    [Figure: idpsync_14]

    Add new attribute claim

    To add a new attribute claim, click on the Add button.

    [Figure: idpsync_15]

    Then, in the Add Attribute Claim dialog, fill out the fields:

    • Name: The name of the attribute claim. This field is required and must be unique within a user schema.

    • User schema: A dropdown list of all user schemas. This field is required.

    • Attribute name: The list of attribute names is generated from the data class of the selected user schema. This field is required.

    • IdP claim: The claim name in the external IdP system. This field is required and must be unique within a user schema.

    • Is encrypted: If this checkbox is ticked, the value is encrypted before it is sent to the identity provider.

    • Is identity bearing claim: Only one claim in a user schema can be the identity bearing claim. The bearing claim is used to identify the user; normally email is used as the bearing claim.

      • The first attribute claim of a user schema must have Is identity bearing claim ticked.
      • If you add or edit a claim with Is identity bearing claim ticked, the system automatically turns the previous bearing claim into a normal claim, and the new claim becomes the identity bearing claim of the selected user schema.
    • Is active: The status of the attribute claim. The default value is Active.

    • Map options: This field is only visible when the selected attribute of the data class is an array of enum type. Clicking the + button displays additional fields for the map option information. You can add multiple map options:

      • Attribute value: This field is required. It is a list of the attribute's enum options.
      • IdP claim value: This field is required. It is the corresponding claim option in the IdP system.

    [Figure: idpsync_16]
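The attribute-claim rules above (unique names and IdP claims within a schema, exactly one identity bearing claim with the first claim required to be it, inactive claims ignored, map options for enum arrays, encryption before sending) can be seen end to end in the following added example. It is not Casewhere's own code; `AttributeClaim`, `UserSchema`, `build_idp_payload` and the sample Employee schema are hypothetical, and `demo_encrypt` is only a stand-in that tags the value so the example runs offline.

```python
"""Added illustration of the attribute-claim rules (not Casewhere's own code):
a user schema holds attribute claims that map Casewhere data class attributes
to IdP claims, and build_idp_payload() turns one user record into the claim
set that would be sent to the IdP. All names are hypothetical."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class AttributeClaim:
    name: str                  # unique within a user schema
    attribute_name: str        # attribute of the schema's data class
    idp_claim: str             # claim name in the IdP; must already exist there
    is_encrypted: bool = False
    is_identity_bearing: bool = False
    is_active: bool = True
    # Map options: only for attributes that are arrays of enum values.
    # Keys are attribute enum values, values are the IdP claim values.
    map_options: Dict[str, str] = field(default_factory=dict)


@dataclass
class UserSchema:
    name: str
    data_class_name: str
    identity_provider: str     # plugin name, e.g. "Identify Plugin"
    claims: List[AttributeClaim] = field(default_factory=list)

    def add_claim(self, claim: AttributeClaim) -> None:
        """Add a claim, enforcing uniqueness and the identity-bearing rules."""
        if any(c.name == claim.name for c in self.claims):
            raise ValueError(f"claim name {claim.name!r} is already used in {self.name}")
        if any(c.idp_claim == claim.idp_claim for c in self.claims):
            raise ValueError(f"IdP claim {claim.idp_claim!r} is already mapped in {self.name}")
        if not self.claims and not claim.is_identity_bearing:
            raise ValueError("the first claim of a schema must be the identity bearing claim")
        if claim.is_identity_bearing:
            # Only one bearing claim per schema: the previous one becomes a normal claim.
            for existing in self.claims:
                existing.is_identity_bearing = False
        self.claims.append(claim)

    def bearing_claim(self) -> AttributeClaim:
        bearing = [c for c in self.claims if c.is_identity_bearing]
        if len(bearing) != 1:
            raise ValueError("a schema must have exactly one identity bearing claim")
        return bearing[0]


def build_idp_payload(schema: UserSchema, user: dict, encrypt: Callable[[str], str]) -> dict:
    """Return {"identity": <bearing value>, "claims": {idp_claim: value}} for one user.

    Inactive claims are skipped, enum-array values are translated through the
    claim's map options, and encrypted claims pass through `encrypt` first.
    """
    identity = user[schema.bearing_claim().attribute_name]
    claims = {}
    for claim in schema.claims:
        if not claim.is_active:
            continue
        if claim.attribute_name not in user:
            raise KeyError(f"user record lacks attribute {claim.attribute_name!r}")
        value = user[claim.attribute_name]
        if claim.map_options:
            if not isinstance(value, list):
                raise TypeError(f"{claim.attribute_name!r} must be a list of enum values")
            unmapped = [v for v in value if v not in claim.map_options]
            if unmapped:
                raise ValueError(f"no map option for {unmapped} on claim {claim.name!r}")
            value = [claim.map_options[v] for v in value]
        if claim.is_encrypted:
            value = [encrypt(v) for v in value] if isinstance(value, list) else encrypt(value)
        claims[claim.idp_claim] = value
    return {"identity": identity, "claims": claims}


def demo_encrypt(value: str) -> str:
    """Stand-in for the real encryption step so the example runs offline;
    it only tags the value and is NOT encryption."""
    return "enc:" + value


def demo_schema() -> UserSchema:
    """Constructed sample schema: an Employee data class synced via Identify Plugin."""
    schema = UserSchema("Employees", "Employee", "Identify Plugin")
    schema.add_claim(AttributeClaim("Email", "email", "email", is_identity_bearing=True))
    schema.add_claim(AttributeClaim("Display name", "displayName", "name"))
    schema.add_claim(AttributeClaim("Roles", "roles", "role",
                                    map_options={"admin": "Administrator", "staff": "User"}))
    schema.add_claim(AttributeClaim("National ID", "nationalId", "nin", is_encrypted=True))
    schema.add_claim(AttributeClaim("Phone", "phone", "phoneNumber", is_active=False))
    return schema


# Constructed sample user record from the Employee data class.
DEMO_USER = {"email": "ann@example.com", "displayName": "Ann Example",
             "roles": ["admin", "staff"], "nationalId": "010190-1234", "phone": "555-0100"}

if __name__ == "__main__":
    print(build_idp_payload(demo_schema(), DEMO_USER, demo_encrypt))
```

Running the block prints the payload for the sample user: the email becomes the identity, the role array is translated through the map options, the national ID goes through the encryption step, and the inactive phone claim is left out. A value that has no map option is rejected rather than passed through, which is the safer failure mode for an enum mapping.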

    Edit attribute claim

    To edit an attribute claim, first click on the Edit button to open the Edit Attribute Claim dialog.

    [Figure: idpsync_17]

    In the Edit Attribute Claim dialog, you can edit:

    • Name

    • User schema

    • Attribute name

    • IdP claim

    • Is encrypted

    • Is identity bearing claim

    • Is active

    • Map options:

      • Attribute value
      • IdP claim value

    [Figure: idpsync_18]

    After updating the information, click on the Save and close button to save the changes, or click on the Cancel button to discard them.

    Delete attribute claim

    To delete an attribute claim, first click on the Delete button.

    [Figure: idpsync_19]

    Then, a confirmation dialog is displayed. If you click the Yes button, the attribute claim is deleted immediately. If you click the No button, the deletion is cancelled.

    [Figure: idpsync_20]

    Synchronize users to IdP

    This is the core of the component: it synchronizes users in Casewhere to the IdP automatically. It can be reused across many applications and avoids duplicating the code that creates users in each of them. It operates on custom events that are defined in the component in advance: every time an application collects user information to create or update a user in Casewhere, it raises the corresponding custom event with that data.

    Custom events

    This component includes 3 custom events:

    • CW_CreateUser: This event is raised when a user is created. Its data includes:

      • UserId: A data object containing the user information in the application.
      • Username: A value that identifies the user. It is used to support troubleshooting.
    • CW_EditUser: This event is raised when a user is updated. Its data includes:

      • UserId: A data object containing the user information in the application.
      • Username: A value that identifies the user. It is used to support troubleshooting.
      • IdentifyUserId: The user id returned by the identity provider.
    • CW_DeleteUser: This event is raised when a user is deleted. Its data includes:

      • UserId: A data object containing the user information in the application.
      • Username: A value that identifies the user. It is used to support troubleshooting.
      • IdentifyUserId: The user id returned by the identity provider.

    The workflow that handles these events finds the user schema corresponding to the data class of the UserId object. From that, it knows where to create, update or delete the user in the IdP.

    Monitor IdP sync status

    [Figure: idpsync_21]

    In the IdP sync management page, you can view the following information about the IdP sync data:

    • Status: the status of the event data. There are 3 statuses:

      • Pending: the user data has just been created.
      • OK: the user data has been synced to the IdP successfully.
      • Failed: syncing the user data to the IdP failed, or the data had errors during preparation.
    • Action: the type of action event. There are 3 actions:

      • Create: raised when a user is created.
      • Edit: raised when a user is updated.
      • Delete: raised when a user is deleted.
    • User id: the user id of the event data.

    • Username: the username of the event data.

    • Identify user id: the user id in the IdP system.

    • Sync attempt: the number of resend attempts that have been triggered.

    • Correlation id: the id used to correlate related log entries.

    • Error message: the error message when preparing or syncing the data has failed.

      • Note: The system automatically retries three times if the sync has failed.

    [Figure: idpsync_22]
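The following added example simulates the event-driven flow described in the two sections above: an application raises CW_CreateUser, CW_EditUser or CW_DeleteUser with its data, each event becomes a sync record carrying the Status, Action, Sync attempt, Correlation id and Error message fields of the management page, and a failed call to the IdP is retried three times before the record is marked Failed. This is not Casewhere's own code; `raise_event`, `process_queue`, `SyncRecord` and the `FakeIdp` client are hypothetical, and the user data is constructed.

```python
"""Added simulation of the event-driven IdP sync (not Casewhere's own code):
custom events become Pending sync records, a handler sends them to the IdP,
and failures are retried MAX_RETRIES times. All names are hypothetical and
the IdP client is a constructed fake."""
import uuid
from dataclasses import dataclass, field
from typing import Callable, List, Optional

MAX_RETRIES = 3  # the page states that a failed sync is retried three times

EVENT_TO_ACTION = {"CW_CreateUser": "Create",
                   "CW_EditUser": "Edit",
                   "CW_DeleteUser": "Delete"}


@dataclass
class SyncRecord:
    """One row of the IdP sync management page."""
    action: str
    user_id: dict                    # UserId: the data object holding the user information
    username: str                    # Username: human-readable id used for troubleshooting
    identify_user_id: Optional[str]  # IdentifyUserId: id returned by the IdP
    status: str = "Pending"
    sync_attempt: int = 0            # number of resends triggered so far
    correlation_id: str = field(default_factory=lambda: uuid.uuid4().hex)
    error_message: str = ""


def raise_event(queue: List[SyncRecord], event: str, data: dict) -> SyncRecord:
    """Validate the event data and enqueue a Pending sync record."""
    if event not in EVENT_TO_ACTION:
        raise ValueError(f"unknown custom event {event!r}")
    for key in ("UserId", "Username"):
        if key not in data:
            raise ValueError(f"{event} data is missing {key!r}")
    action = EVENT_TO_ACTION[event]
    if action != "Create" and not data.get("IdentifyUserId"):
        raise ValueError(f"{event} requires the IdentifyUserId returned by the IdP")
    record = SyncRecord(action=action, user_id=data["UserId"], username=data["Username"],
                        identify_user_id=data.get("IdentifyUserId"))
    queue.append(record)
    return record


def process_queue(queue: List[SyncRecord],
                  idp_call: Callable[[str, dict, Optional[str]], Optional[str]],
                  log: List[str]) -> None:
    """Send every Pending record to the IdP; retry failures up to MAX_RETRIES times.

    `idp_call(action, user_id, identify_user_id)` returns the IdP user id for
    Create and raises on failure. Every log line carries the correlation id so
    the attempts belonging to one record can be tied together.
    """
    for rec in queue:
        if rec.status != "Pending":
            continue
        while True:
            try:
                result = idp_call(rec.action, rec.user_id, rec.identify_user_id)
                if rec.action == "Create":
                    rec.identify_user_id = result
                rec.status, rec.error_message = "OK", ""
                log.append(f"{rec.correlation_id} {rec.action} {rec.username} OK "
                           f"after {rec.sync_attempt} resend(s)")
                break
            except Exception as exc:  # any IdP error: record it, then decide on a resend
                rec.error_message = str(exc)
                log.append(f"{rec.correlation_id} {rec.action} {rec.username} "
                           f"resend {rec.sync_attempt} failed: {exc}")
                if rec.sync_attempt >= MAX_RETRIES:
                    rec.status = "Failed"
                    break
                rec.sync_attempt += 1


class FakeIdp:
    """Constructed IdP client that fails the first `fail_times` calls, then succeeds."""
    def __init__(self, fail_times: int):
        self.fail_times = fail_times
        self.calls = 0

    def __call__(self, action, user_id, identify_user_id):
        self.calls += 1
        if self.calls <= self.fail_times:
            raise ConnectionError("IdP unreachable")
        return ("idp-" + user_id["email"]) if action == "Create" else identify_user_id


def demo() -> List[SyncRecord]:
    """Run one create that succeeds after two resends and one edit that keeps failing."""
    queue, log = [], []
    ann = {"email": "ann@example.com", "displayName": "Ann Example"}   # constructed user
    raise_event(queue, "CW_CreateUser", {"UserId": ann, "Username": "ann"})
    process_queue(queue, FakeIdp(fail_times=2), log)
    raise_event(queue, "CW_EditUser",
                {"UserId": ann, "Username": "ann", "IdentifyUserId": queue[0].identify_user_id})
    process_queue(queue, FakeIdp(fail_times=99), log)
    return queue


if __name__ == "__main__":
    for rec in demo():
        print(rec.action, rec.status, rec.sync_attempt, rec.identify_user_id, rec.error_message)
```

Running the block shows the two end states an operator sees on the management page: the Create ends as OK with Sync attempt 2 and the IdP user id filled in, while the Edit ends as Failed with Sync attempt 3 and the last error message kept. Requiring IdentifyUserId for Edit and Delete at the point the event is raised keeps a record from ever reaching the IdP without the identifier it needs.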

    Installation

    Requirements

    • Casewhere 2.7.1 or later.

    Configuration

    1. Import the product
    2. Link the page to your worker sites and configure access control
    3. Configure the IdP sync settings

    Dependencies

    • Plugin: Identify Plugin

    Releases

    1.0.0 - 24/04/2022

    Changelog

    • Mapping the user from Casewhere to IdP
    • Synchronize users to IdP

    Download (login required): IdP Sync v1.0.0

    Roadmap

    • Activate/deactivate the user
    • Sync the possible values of the claims to IdP
    • Configure the connection string to IdP