Configure identity management

Identity management defines the various means by which users authenticate and receive their authorization to access Semarchy xDM features and applications.

Configure identity management

Identity management configuration includes:

Identity management is a platform-level administrative task performed in the Configuration module.

To access the identity management editor, from the navigation drawer of the Configuration module, select Identity Management.
The Identity Management editor opens.

The Identity Management editor is saved as a whole, so any change performed in this editor is considered a change in identity management.

Configure identity providers

In the Identity Management editor, the Identity Providers tab displays two lists of IDPs:

  • The single sign-on (SSO) IDPs. These IDPs do not require the users to enter their credentials in a login form handled in Semarchy xDM. Users are redirected to the external IDP login experience.

  • The login form IDPs. These IDPs require the user to enter their login and password in a login form handled by Semarchy xDM.

In each list, identity providers can be enabled or disabled, deleted, and ordered. The order of the enabled IDPs defines the login experience:

  • Single sign-on IDPs appear as buttons on the login page in their list order, each redirecting to the SSO provider login experience. If only one SSO IDP and no Login form IDP is enabled, then the user is directly redirected to the enabled SSO IDP without seeing the Semarchy login page.

  • If at least one login form IDP is enabled, then the login form appears on the login page. If multiple login form IDPs are enabled, the login information entered by the user in the form is sent to each IDP in the list order until one IDP authenticates the user successfully.

When configuring identity management, carefully review and test the enabled IDPs. Make sure to also test the various authentication flows and conditions.

Add an IDP

To add an identity provider:

  1. In the Identity Management editor, select the Identity Providers tab.

  2. Click the Add Provider floating action button in the lower-right corner of the screen.

  3. In the New identity provider dialog, select a Provider Type, give a Name to the new IDP, and then click Create.
    The new Identity Provider editor opens.

  4. In this editor, enter the Configuration Properties for your IDP type. The properties required depend on the type of IDP:

  5. Test the identity provider.

Configure roles

When a user authenticates with an external IDP, the IDP returns a list of roles assigned to the user in the IDP. These roles represent how users are organized in the IDP. They may represent teams, departments, user groups, and sometimes actual roles. They may not be fit for Semarchy xDM as they are.

To make the roles fit for usage, you can configure for each IDP:

  • Default roles, which are granted upon login to all users authenticated using the IDP.

  • Role mappings, to transform IDP roles into Semarchy roles.

To configure an identity provider’s roles:

  1. In the Identity Management editor, select the Identity Providers tab.

  2. Click the identity provider you want to configure, and then select the Roles tab.

  3. Optionally select one or more Default Roles. Note that you can only select roles already defined in the platform.

    The default roles provide the baseline privileges to all users authenticated with the IDP. For example, to allow all users from your Google domain to access the Semarchy platform, select the semarchyConnect default role for that IDP.
  4. Configure the role mappings:

    1. In the Role Mappings table, click the Add Role Mapping button to add a new role mapping. A new line appears in the Role Mappings table.

    2. In the Provider Role cell, enter the role or group returned by the IDP.

    3. In the Mapped Role cell, select one or more platform roles you want to assign to the user having the provider role in the IDP.

      You can optionally select the Use regular expressions checkbox to convert provider role patterns into mapped roles using regular expressions.
  5. Select the Keep provider roles switch to keep the role or groups returned by the IDP after the role mapping. If you deselect this switch, only the default roles and mapped roles remain for the user after the role mapping.

  6. Test the IDP.

Role mapping with regular expressions

In the Role Mappings table, select the Use regular expressions if you want to detect a pattern in the provider role and convert it to a mapped role using regular expressions.

The following role mapping example illustrates how to use this capability.

Role mapping with regular expressions

Users in the IDP are categorized into either the SUPP_US, SUPP_EMEA, or another group. This group should be translated into the semarchyConnect and Support roles, along with the respective US, EMEA, or other regional roles.

Provider role

Mapped role

Description

SUPP_.*

semarchyConnect, Support

If an IDP role starts with SUPP_, then the Support and semarchyConnect roles are mapped.

SUPP_(.*)

$1

If an IDP role starts with SUPP_, then the rest of the role string is captured and returned as a mapped role (e.g., SUPP_EMEA would be mapped to EMEA).

Role names and labels

The roles are referenced in the configuration by their role name (e.g., BusinessUser or DataSteward). The configuration user interface displays roles found in the Semarchy xDM roles with their corresponding label (e.g., Business User, Data Steward).

  • When you select a default role or configure a role mapping without regular expressions, this Semarchy xDM role appears with its role label (e.g., Business User). A role used in the configuration with no corresponding Semarchy xDM roles appears with the role name (e.g., BusinessUser) as defined in the configuration, since it was not found in the list of Semarchy xDM roles.

  • When using regular expressions, the mapped role value is a comma-separated list of role names (e.g., BusinessUser).

Configure profile synchronization

Profile synchronization brings information from the IDP into the user profile and defines the properties available to the user in their profile.

To configure an identity provider’s roles:

  1. In the Identity Management editor, select the Profile tab.
    The tab lists all the properties of the user profile.

  2. Define how each property is managed:

    • Synchronize defines how the property should be synchronized from the IDP:

      • Each Login: synchronizes the property from the IDP at each user login. The property cannot be modified by the user.

      • First Login: synchronizes the property from the IDP the first time the user logs in. The property may be modified by the user afterward depending on the user access configuration.

      • Never: does not synchronize the property from the IDP. The property may have a default value, and be modified by the user afterward depending on the user access configuration.

    • Synchronize From defines the value that should be synchronized from the IDP. The syntax and value in this field depend on the IDP type. For example, for OpenID Connect, the value is a claim. For LDAP, it is an attribute of the user object. For more details on how to configure each IDP, see:

    • Default Value defines the default value of the profile property. For the synchronized property, the default value is used if the IDP does not return a valid value. For a property that is never synchronized, the default value is seeded in the user profile.

    • User Access defines how the property appears in the user profile:

      • Hidden: hides the property from the user profile. The user cannot edit it.

      • Read: displays the property in the user profile as a read-only field.

      • Read/Write: displays the property in the user profile as an editable field. Note that if a property is set to synchronize at each login, it cannot use that user access configuration.

  3. Test the IDP to review the property values for a test user.

Configure the login button

SSO identity providers appear on the login page with a button to redirect to the SSO login experience. The Button tab allows you to configure the appearance of this button, including the Button Label, Button Color, and Button Image (from the image library).

Test the IDP

It is recommended to test the IDP at each stage of its configuration:

  • After configuring the connection and authentication in the Configuration tab.

  • After configuring the role mappings in the Roles tab.

  • After configuring the profile synchronization in the Profile tab.

The date and outcome of the most recent connection test appear both in the identity provider list and within each IDP’s Configuration tab. Additionally, the color of the Test Test icon indicates whether the IDP has not been tested (gray), was successfully tested (green), or unsuccessfully tested (red) since the last modification.

To test an identity provider:

  1. In the Identity Management editor toolbar, click the Test Test button.
    The Identity Provider Test side sheet opens.

  2. Click the Start Test button on the side sheet.

  3. In a new incognito browser window, open the Log In link that appears in the side sheet.

    Starting the test in a new incognito window guarantees that your test session does not reuse the connection with which you configure identity management.

  4. Log in to Semarchy xDM in this incognito window, using the identity provider that you want to test.

  5. In the Identity Provider Test side sheet, review the result and the log of the test.

The IDP test mode tracks all incoming logins on the IDP for 180 seconds and is automatically disabled. You can disable the test mode by clicking the Stop Test button. Leaving the IDP editor automatically disables the test mode.

Configure role lookup

Role lookup automatically adds roles to users connecting with any of the identity providers (including the internal IDP). These roles are retrieved from a table containing a list of records, each record containing a user name and a role name assigned to this user, as shown in the example below:

Role lookup table example: CUSTOM_ROLES
USER GRANTED_ROLE

john.doe

semarchyConnect

john.doe

dataSteward

jane.smith

semarchyConnect

jane.smith

dataAdmin

jane.smith

semarchyAdmin

To configure role lookup:

  1. In the Identity Management editor, select the Roles Lookup tab.

  2. Select the Enable roles lookup from a database switch.

  3. In the Role Lookup Datasource section, configure the connectivity to the database containing the roles lookup table:

    • Database Type: Selected the technology of the database.

    • URL: enter the JDBC URL to connect the database.

    • Username: enter the user name to authenticate to the database. This user should have read access to the roles lookup table.

    • Password: this user’s password.

    • You may optionally provide advanced datasource configuration in the Advanced Datasource Configuration section.

  4. Enter the name of the Role lookup table (e.g., CUSTOM_ROLES). Note that you also use a view defined in the database the same way you would use a table.

  5. Enter the name of the Username column and Role name column (e.g., USER and GRANTED_ROLE).

  6. Click the Test button to test the configuration. The test returns the top 10 records of the lookup table. Review these results.

  7. Save your configuration.

Configure the login page

The layout of the login page depends on the identity provider configuration enabled for a given node.

Within the Identity Management editor’s Login Page tab, you can configure two components of this page:

  • The login page logo, which appears in the header of the login page.
    Under Login Page Logo, click the Select an image Select an image icon to choose a logo from the image library.

  • The login page message, which is displayed at the bottom of the login page, before the login button. If there is no login form, the message appears after all the SSO buttons.
    In the Login Page Message field, enter your custom text. This message supports Markdown syntax.

Configure identity management using the REST API

Endpoints are available on the Semarchy xDM REST API to consult and define the configuration of identity management. For more information, see the REST API documentation.