Automatic Provisioning of Users
The CDM application can be configured to provision users automatically the first time the user's credentials are validated by the CDM Identity Provider or the CDM Import Sources, hereby called just-in-time provisioning.
Whenever the username or email for a user attempting to authenticate cannot be matched with an existing CDM account, the application attempts to provision one:
- CDM defers the validation of the account to the CDM Identity Provider, if it exists.
- Otherwise, the user credentials are validated against the CDM Authentication Import Sources.
If credentials are validated, CDM provisions an account for the user using the First Name, Last Name, Display Name, and Email Address, obtained from the Identity Provider or Import Source. If multiple AD/LDAP-configured Import Sources exist, the CDM account is associated with the one that first validates the credentials.
The CDM Identity Providers support just-in-time provisioning at the Identity Provider application level or just-in-time provisioning within a single group from the Identity Provider. CDM Import Sources only support just-in-time provisioning with groups.
Just-in-Time Provisioning
When CDM is configured for Just-in-time provisioning, an account is created for any user that has their credentials validated by the external Identity Provider. An account being provisioned using just-in-time provisioning will have no application and report permission assigned. Appropriate application and report permissions must be assigned after that.
Just-in-Time Provisioning with Groups
Identity Provider
When a CDM Identity Provider is configured with just-in-time provisioning with a group, a CDM account is created only for users that have their credentials validated by the external Identity Provider's group.
An imported user that was removed from the group that is configured to control access to the CDM application, or was deactivated, will no longer be able to authenticate into CDM. When the account details for a user are changed in the external Identity Provider, the details are updated into CDM after the first authentication attempt. An account being provisioned using just-in-time provisioning will have no application and report permission assigned. Appropriate application and report permissions must be assigned after that within the CDM application.
Import Source
When a CDM Import Source is configured with just-in-time provisioning with a group, a CDM account is created only for users that have their credentials validated by the Import Source, only if they are also members in the group that is configured to control access to the application.
In the following example, the CDMTeam is a group imported from the CERTENTINC domain and is marked to control access to the CDM application (auto registerable).
Whenever a user authenticates into the CDM application using an account that was created through just-in-time provisioning, their group membership into external groups is recalculated and the application and report permissions set accordingly based on the CDM group.
An imported user that was removed from the group that is configured to control access to the CDM application, or was deactivated, will no longer be able to authenticate into CDM. When the account details for a user are changed in the Import Source, the details are updated into CDM after the first authentication attempt.