Trusted Provider


Product name - ev sas.png enjoys secure access that requires users to enter a login and password. This authentication can be delegated to a Trusted Provider. In this case:

  • The login page belongs to the Trusted Provider.
  • The user will be retrieved from the Trusted Provider's database using the login/password. If the user exists, access will then be validated using Product name - ev sas.png access management.
  • If the user has access to Product name - ev itsm.png, teams can be synchronized automatically using specific key information. Depending on the configuration of the Trusted Provider, this key information may consist of the user's groups and/or profile and/or information returned using an SQL query (e.g. language).

This process lets the Trusted Provider create users in Product name - ev sas.png so that you do not have to add them manually. If the user does not exist, then any authorized user accessing Product name - ev sas.png for the first time will automatically be created. The user created will then be associated with the teams corresponding to the user's key information, which is managed in the Trusted Provider's configuration. This will enable the user to access apps based on the rights defined.

Operating principle

The following graphic details the operating principle for a Trusted Provider based on Product name - ev itsm.png. The principle is the same for a Trusted Provider based on SSO or LDAP.

         [Figure: Trusted Provider - Process]

1. A user logs in to Product name - ev sas.png using the Product name - ev itsm.png login/password.

2. The user exists in Product name - ev itsm.png. His email address (which should be unique) will be searched for in Product name - ev sas.png for automatic synchronization.

  • (1) The email address is found in Product name - ev sas.png:
    • The association with teams is synchronized depending on the configuration of the Trusted Provider.
  • (2)  The email address is not found in Product name - ev sas.png:
    • The user is automatically created. By default, he has the simple user profile which may be changed by the administrator of the platform if necessary.
    • Depending on the configuration of the Trusted Provider, teams can be synchronized using specific key information such as the user's groups and/or profile and/or SQL query value.
    • The user will be associated with teams and can therefore access the corresponding apps based on the access rights defined for each of them.

3. The user doesn't exist in Product name - ev itsm.png. He is redirected to the Product name - ev sas.png login page. His login (email)/password will be searched for in Product name - ev sas.png:

  • (1) The user exists: He will be able to access Product name - ev sas.png and all apps to which his teams have access rights.
  • (2) The user does not exist: Access to Product name - ev sas.png will be denied.

Example

Product name - ev itsm.png manages 300 groups and 50 profiles. In addition, 10 functions are managed using available fields in the User form.

  • Synchronization using groups ==> up to 300 teams can be created
  • Synchronization using profiles ==> up to 50 teams can be created

To restrict the number of teams, you can use an SQL query.

     1. Create teams based on an available field of the employees table:

SELECT available_field_1
FROM   am_employee
WHERE  employee_id = @@ID@@  

     2. Create teams based on the user's connection language:

SELECT l.language_system_alias_en
FROM   am_language l
      INNER JOIN am_employee e
              ON l.language_id = e.language_id
WHERE  e.employee_id = @@ID@@  

Notes

  • The link between Product name - ev itsm.png and Product name - ev sas.png is based on the user's email address which must be unique.
  • User creation and synchronization operations are run transparently at each connection to Product name - ev sas.png.
  • Team synchronization:
    • It is performed only for teams initially created via synchronization.
    • Teams created manually are never synchronized.
  • Product name - ev itsm.png key information used for synchronization:
    • Groups:
      • One user can belong to several groups. 
      • Synchronization is performed using the English name of the group.
    • Profile:
      • There can only be one profile per user. 
      • Synchronization is performed using the GUID.
    • SQL query value:
      • Synchronization is performed using the value(s) returned by the SQL query.

        Example

        • Synchronization using the value of Available Field 1 in the User form: AM_EMPLOYEE.AVAILABLE_FIELD_1
        • Synchronization using the user's connection language: AM_LANGUAGE.LANGUAGE_SYSTEM_ALIAS_EN

Caution

  • If you are using the Product name - ev itsm.png On Premise version and the Product name - ev sas.png SaaS version, you should change the parameter that enables profile synchronization yourself. See the procedure.

Best Practice

  • Avoid modifying synchronized teams because they are managed automatically each time users log in.
  • Use an SQL query when there are many groups and profiles. Use a search criterion to restrict the number of teams for each synchronization.
          See Example
  • If you modify Product name - ev itsm.png key information that is not synchronized using the GUID, this will create a new team instead of modifying an existing one. In this case, you must define access rights to apps for the new team.
  • To manage a public access right, you should use the Everyone team. It contains the implicit list of all users who may be allowed access to the platform.
  • To simplify access rights management in an app prior to publication, you should initialize all of the teams associated with the app using standard users with key information used for synchronization. This eliminates the need to wait for teams to be created via synchronization as and when users log in to Product name - ev sas.png.
          See the procedure.

Procedures

How to set up team synchronization using a Trusted Provider

1. During the installation of Product name - ev sas.png, define the Product name - ev itsm.png key information to be used for team synchronization with the help of the EasyVista Support team: groups, profiles, SQL query values.

2. In Product name - ev itsm.png, create users with the key information used for synchronization.

  • For synchronization using groups: Create one user only and associate all of the groups to be synchronized with a team.
  • For synchronization using profiles: Create as many users as there are profiles to be synchronized with a team and associate each user with one profile.
  • For synchronization using an SQL query value: Create as many users as there are values to be synchronized with a team and associate each user with one value.

    Example

    • User 1 form: Language = English
    • User 2 form: Language = French

3. Initialize teams in Product name - ev sas.png by logging in with the first user using the Product name - ev itsm.png user login/password. 

  • Log in to Product name - ev sas.png with the login/password of the first user.
  • Automatically in Product name - ev sas.png:
    • The user is created.
    • One team is created for each key information:
      • For synchronization using groups: One team is created for each group.
      • For synchronization using profiles: One team is created for the profile.
      • For synchronization using an SQL query value: One team is created for the value returned by the SQL query.

4. For synchronization using profiles and/or SQL query values, you should initialize the other teams from the other users. For each user, you should:

  • Log out of Product name - ev sas.png.
  • Log in again using a new user. The team corresponding to the new key information will be created.

5. Define access rights to apps for each team. 

6. Check that each new user who logs in to Product name - ev sas.png is automatically able to access the apps defined for their teams.

How to set up profile synchronization with ev|Service Manager On Premise version

1. Go to the /www/APPS_XXXX_X_X/Trusted Provider/trustedprovider.ini folder of your web server.

2. Open the trustedprovider.ini file.

3. In the Profiles=0 line, replace the value with 1.

Profiles=1

4. Give profile access authorizations to the apps once the users have logged in.

Note: Product name - ev itsm.png profile synchronization is not immediate. Each profile is created in Product name - ev sas.png when a user with a XXX profile logs in.

Other examples

Configuration of the Trusted Provider: synchronization using both groups and profile

Columns: User | Configuration in Product name - ev itsm.png | Product name - ev sas.png | First connection to / Next connection to Product name - ev sas.png

User: Z
  • Configuration in Product name - ev itsm.png: No access
  • Product name - ev sas.png: No access
  • Connection to Product name - ev sas.png:
    • Product name - ev sas.png access denied

User: Y
  • Configuration in Product name - ev itsm.png: No access
  • Product name - ev sas.png: User associated with Hotliner team created via synchronization
  • Connection to Product name - ev sas.png:
    • Product name - ev sas.png access authorized
    • Rights to Hotliner team apps
    • No access to Product name - ev itsm.png data

User: X
  • Configuration in Product name - ev itsm.png: Profile: Hotliner. Groups: USA Support; EN Support
  • Product name - ev sas.png: Hotliner team exists (created via synchronization)
  • Connection to Product name - ev sas.png:
    • Product name - ev sas.png access authorized
    • User created
    • Synchronization of profile/teams: Hotliner team already exists
    • Synchronization of groups/teams: USA Support and EN Support teams created
    • User associated with the 3 teams
    • Rights to Hotliner team apps added
    • Access to Product name - ev itsm.png data

User: X
  • Configuration in Product name - ev itsm.png: Profile changed: Hotliner to Support
  • Product name - ev sas.png: User associated with Hotliner, USA Support and EN Support teams (already done)
  • Connection to Product name - ev sas.png:
    • Synchronization of profile/teams:
      • Support team created
      • User associated with Support team and removed from Hotliner team
      • Rights to Support team apps added
      • No more rights to Hotliner team apps

User: X
  • Configuration in Product name - ev itsm.png: Network Expert group added
  • Product name - ev sas.png: User associated with Support, USA Support and EN Support teams (already done)
  • Connection to Product name - ev sas.png:
    • Synchronization of profile/teams:
      • Support team already exists
    • Synchronization of groups/teams:
      • Network Expert team created
      • User associated with Network Expert team

User: X
  • Configuration in Product name - ev itsm.png: EN Support group deleted
  • Product name - ev sas.png: User associated with Support, USA Support, EN Support and Network Expert teams (already done)
  • Connection to Product name - ev sas.png:
    • Synchronization of profile/teams:
      • Support team already exists
    • Synchronization of groups/teams:
      • User removed from EN Support team
      • No more rights to EN Support team apps

User: X
  • Configuration in Product name - ev itsm.png: Group name changed from USA Support to US Support
  • Product name - ev sas.png: User associated with Support, USA Support and Network Expert teams (already done)
  • Connection to Product name - ev sas.png:
    • Synchronization of profile/teams:
      • Support team already exists
    • Synchronization of groups/teams:
      • User removed from USA Support team
      • No more rights to USA Support team apps
      • US Support team created
      • User associated with US Support team
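
The group-rename case above and the rules in the Notes (only synchronized teams are managed, a new key creates a new team with no rights), modelled as an added example that is not EasyVista code. The class, method, email and app names are hypothetical, and the handling of a key that matches a manually created team is an assumption.

```python
from dataclasses import dataclass, field

@dataclass
class Platform:
    """Toy model of the login-time team synchronization (all names hypothetical)."""
    synced: dict = field(default_factory=dict)   # team -> True if created by sync
    members: dict = field(default_factory=dict)  # email -> set of team names
    rights: dict = field(default_factory=dict)   # team -> apps granted by the admin

    def add_manual_team(self, team, apps, emails):
        self.synced[team] = False
        self.rights[team] = set(apps)
        for e in emails:
            self.members.setdefault(e, set()).add(team)

    def login(self, email, keys):
        """keys: group English names, profile GUID or SQL query values of the user."""
        mine = self.members.setdefault(email, set())     # user created if unknown
        created = [k for k in keys if k not in self.synced]
        for k in created:                                # new team starts without rights
            self.synced[k] = True
            self.rights[k] = set()
        # Assumption: a key that matches a manually created team does not join it.
        wanted = {k for k in keys if self.synced[k]}
        removed = {t for t in mine if self.synced[t] and t not in wanted}
        mine -= removed                                  # manual teams are never touched
        mine |= wanted
        return sorted(created), sorted(removed)

    def apps(self, email):
        return set().union(*(self.rights[t] for t in self.members.get(email, ())))

    def synced_teams_without_rights(self):
        return sorted(t for t, s in self.synced.items() if s and not self.rights[t])

def replay_group_rename():
    p = Platform()
    x = "x@example.com"                                  # constructed sample user
    p.login(x, ["Hotliner", "USA Support", "EN Support"])
    p.rights["Hotliner"] = {"Hotline app"}               # admin defines access rights
    p.rights["USA Support"] = {"US tickets"}
    p.rights["EN Support"] = {"EN tickets"}
    p.add_manual_team("Pilot", {"Beta app"}, [x])
    before = p.apps(x)
    # Group renamed in the provider: the English name is the key, so the key changes.
    created, removed = p.login(x, ["Hotliner", "US Support", "EN Support"])
    return before, p.apps(x), created, removed, p.synced_teams_without_rights()
```

After a rename, `synced_teams_without_rights()` lists the teams for which access rights still have to be defined.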
Last modified by Unknown User on 2017/12/11 11:22
Created by Administrator XWiki on 2015/04/10 11:24

Powered by XWiki ©, EasyVista 2018