User Management
Introduction
The mIDentity One platform is integrated directly into mID Server (SSMS). This means each user action is reflected automatically in mID Server (SSMS).
Local User Management
Users are permanently stored in the mID Provider (IAM) platform database and the mID Server (SSMS) database.
Admin Dashboard
The Admin Dashboard is a graphical user interface.
Note: Creating a user via the Admin Dashboard offers limited functionality (e.g., an activation code is always created, cannot be defined by you, and its value is not returned to you). Such functionality should be used for testing purposes only.
Add User
- Navigate to Users -> press the "Add User" button -> the Add User dialog appears
- Enter a unique username
- Press the "Save" button
- The user is added to the local mID Provider (IAM) platform database and the mID Server (SSMS) database. One activation code is generated.
Note: If the username already exists on mID Server (SSMS), the user is added only on the mID Provider (IAM) platform and mapped to the existing user on mID Server (SSMS). An overwrite option is available only via the Admin REST API.
Update User
- Navigate to Users -> select the user and click on the username -> the user dialog appears
- Modify the account data
- Press the "Save" button
Enable/Disable User
A user can be enabled or disabled by turning the enable switch on or off. When the user has active 2FA devices, those devices are deactivated.
Remove User
A user can be deleted by pressing the delete button. When the user has active 2FA devices, those devices are permanently removed.
Impersonation
It is often useful for an admin to impersonate a user. For example, when a user reports bugs in one of the applications, an admin can impersonate that user to check whether the bugs can be replicated. Admins with the appropriate permissions can impersonate a user. There are two places where an admin can initiate user impersonation. The first option is on the "Users List" tab.
As shown in the picture, an admin can search for the user and click on the "Impersonate" button.
The second option to impersonate a user is from the "User Details" tab.
At the bottom of the page the admin can click on the "Impersonate" button.
During impersonation, if the admin and the user are in the same realm, the admin is logged out and automatically logged in as the user being impersonated. If the admin and the user are not in the same realm, the admin remains logged in but is additionally logged in as the user in the user's realm. In both cases the browser is automatically redirected to the "User Account Management" page of the impersonated user. Note that some browsers block popups by default.
Any user who holds the realm's impersonation role can impersonate another user. If impersonation is not required for a given role category, remove this permission from the role.
Admin REST API
Create User
POST /{realm}/users
{
"attributes": {
"digitaniumUserIdDelete": true,
"digitaniumUserId": "doc_user",
"digitaniumUserIdOnboardingType": "letter",
"digitaniumActivationCode": "12345678",
"digitaniumActivationValidity": "1548253094271",
"digitaniumClearActivation": true,
"digitaniumActivationSecret": true
},
"requiredActions": [
"kobil-2fa-required-action"
],
"enabled": true,
"username": "doc_user"
}
Type | Name | Schema | Description |
---|---|---|---|
Attribute | digitaniumUserIdDelete (required) | boolean | true - delete digitanium user including all active devices when exists, false - skip deleting digitanium user including all active devices when exists, do not stop create user process |
Attribute | digitaniumUserId (optional) | string | when Digitanium user should be different. Otherwise username value will be taken as digitaniumUserId. |
Attribute | digitaniumUserIdOnboardingType (required) | letter or onscreen | letter - when the user is not activated and has no active 2FA devices, the login web page shows instructions on how to activate the user. onscreen - when the user is not activated and has no active 2FA devices, the login web page shows the instructions and directly the activation code. This method should only be combined with username/password authentication. |
Attribute | digitaniumActivationCode (optional) | string | activation code value, when empty activation code will be generated and send in response. |
Attribute | digitaniumActivationValidity (optional) | epoch time | activation code is valid until epoch date specified. Activation code is valid for one time usage. After usage activation code will be removed. |
Attribute | digitaniumClearActivation (required) | boolean | true - clear all existing activation codes false - do not delete existing activation codes. |
Attribute | digitaniumActivationSecret (required) | boolean | true - save activation code invisible in Admin Dashboard. false - save activation code in clear text in Admin Dashboard. |
Attribute | phone (optional) | Integer | A custom attribute to add the user's mobile number. |
Required Actions | kobil-2fa-required-action | string | internal action |
User Representation | enabled | boolean | true - enable user false - disable user |
User Representation | username | string | unique username |
Note: The following Digitanium attributes are not displayed in the user attributes: digitaniumUserIdDelete, digitaniumActivationCode, digitaniumClearActivation, digitaniumActivationValidity, digitaniumActivationSecret, digitaniumCallbackUrl and digitaniumRequiredAction. The temporary attribute digitaniumActivationCode is deleted from Keycloak once it has been added to SSMS.
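The following is an added example, not code from the product documentation or from KOBIL: it builds and validates a Create User body for `POST /{realm}/users` from the attribute table above, so that the required attributes, the allowed onboarding types and the epoch-time validity are checked on the client side before the request leaves. The helper names are invented; the body shape, attribute names and their meanings are taken from the documented example and table. The millisecond unit for `digitaniumActivationValidity` is an assumption drawn from the 13-digit sample value.

```python
# Added example (not from the product documentation): build and validate a
# Create User body for POST /{realm}/users from the documented attribute table.
# Assumptions: helper names are invented; epoch milliseconds is inferred from
# the 13-digit sample value 1548253094271.
import time

ONBOARDING_TYPES = ("letter", "onscreen")
REQUIRED_ACTION_2FA = "kobil-2fa-required-action"  # internal action from the table


def activation_validity_ms(ttl_seconds, now=None):
    """Return digitaniumActivationValidity as a string of epoch milliseconds,
    ttl_seconds after `now` (defaults to the current time)."""
    if ttl_seconds <= 0:
        raise ValueError("activation validity must lie in the future")
    now = time.time() if now is None else now
    return str(int(now + ttl_seconds) * 1000)


def build_create_user_request(realm, username, *, onboarding_type,
                              delete_existing=False, clear_activation=True,
                              secret_activation=True, activation_code=None,
                              validity_ms=None, digitanium_user_id=None,
                              phone=None, enabled=False):
    """Return (path, body) for POST /{realm}/users.

    Defaults are the cautious choices: keep an existing Digitanium user
    (digitaniumUserIdDelete=false), hide the activation code in the Admin
    Dashboard (digitaniumActivationSecret=true) and create the user disabled,
    so it can be enabled via "Update User" once the code has been delivered.
    """
    if not username or "/" in username or username != username.strip():
        raise ValueError("username must be non-empty, without slashes or "
                         "surrounding whitespace")
    if onboarding_type not in ONBOARDING_TYPES:
        raise ValueError("digitaniumUserIdOnboardingType must be 'letter' or "
                         "'onscreen'")
    if validity_ms is not None and not (validity_ms.isdigit()
                                        and len(validity_ms) == 13):
        raise ValueError("digitaniumActivationValidity must be epoch "
                         "milliseconds given as a string")

    # Required attributes always present; optional ones only when supplied,
    # so that an omitted activation code is generated server-side.
    attributes = {
        "digitaniumUserIdDelete": bool(delete_existing),
        "digitaniumUserIdOnboardingType": onboarding_type,
        "digitaniumClearActivation": bool(clear_activation),
        "digitaniumActivationSecret": bool(secret_activation),
    }
    if digitanium_user_id is not None:
        attributes["digitaniumUserId"] = digitanium_user_id
    if activation_code is not None:
        attributes["digitaniumActivationCode"] = activation_code
    if validity_ms is not None:
        attributes["digitaniumActivationValidity"] = validity_ms
    if phone is not None:
        attributes["phone"] = int(phone)

    body = {
        "attributes": attributes,
        "requiredActions": [REQUIRED_ACTION_2FA],
        "enabled": bool(enabled),
        "username": username,
    }
    return "/%s/users" % realm, body


if __name__ == "__main__":
    # Reproduces the documented example body for doc_user.
    path, body = build_create_user_request(
        "myrealm", "doc_user", onboarding_type="letter", delete_existing=True,
        activation_code="12345678", validity_ms="1548253094271", enabled=True)
    print(path, body)
```

Because the activation code is a one-time credential, the defaults keep it hidden in the Admin Dashboard and leave the account disabled until the code has actually reached the user; the validity helper makes it easy to give every code a short lifetime rather than leaving it open-ended.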
Prerequisites to all functions below
To obtain the user id, execute the following request and read the id of the matching user from the response:
GET /{realm}/users?username={username}
Update User
Updating a user is useful for the following use case: the user was created but disabled by default, and is now to be enabled with an activation code distributed to them. The application could perform the following steps.
Set activation code and enable user
PUT /{realm}/users/{id}
{
"attributes": {
"digitaniumClearActivation": true,
"digitaniumActivationSecret": true,
"digitaniumActivationCode": "12345678",
"digitaniumActivationValidity": "1548253094271"
},
"enabled": true
}
Enable/Disable User
PUT /{realm}/users/{id}
Enable User
{
"enabled": true
}
Disable User
{
"enabled": false
}
Remove User
DELETE /{realm}/users/{id}
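The following is an added example, not the product's own client code: it walks the lifecycle described in this section (look up the user id by username, set an activation code and enable the user, disable the user, delete the user) through a small client whose HTTP layer is injectable. `FakeTransport` is constructed here so the example runs offline; `http_transport` is the real urllib-based layer and assumes that `base_url` is the Admin REST API root under which `/{realm}/users` lives and that an admin bearer token has been obtained separately. The exact-match check in `find_user_id` is a caveat of this example's own: a username search may return more than one candidate, and acting on the wrong id would enable or delete the wrong account.

```python
# Added example (not the product's own client): user lifecycle over the
# Admin REST API paths documented above, with an injectable transport.
# Assumptions: base_url is the Admin REST API root; the bearer token is an
# admin access token obtained separately; FakeTransport is a constructed stub.
import json
import urllib.request
from urllib.parse import quote, unquote


class MidAdminClient:
    def __init__(self, realm, send):
        self.realm = realm
        self.send = send          # callable(method, path, body) -> (status, json)

    def _path(self, *parts):
        return "/" + "/".join((self.realm, "users") + parts)

    def find_user_id(self, username):
        """GET /{realm}/users?username=... and return the id of the exact match."""
        status, users = self.send("GET", self._path() + "?username=" + quote(username), None)
        if status != 200:
            raise LookupError("user search failed with status %d" % status)
        # The username filter is a search; insist on one exact match so that a
        # longer username sharing the prefix is never enabled or deleted by mistake.
        matches = [u for u in users if u.get("username") == username]
        if len(matches) != 1:
            raise LookupError("expected exactly one user named %r, got %d" % (username, len(matches)))
        return matches[0]["id"]

    def set_activation_and_enable(self, user_id, code, validity_ms, secret=True):
        """PUT the documented 'Set activation code and enable user' body."""
        body = {
            "attributes": {
                "digitaniumClearActivation": True,
                "digitaniumActivationSecret": secret,
                "digitaniumActivationCode": code,
                "digitaniumActivationValidity": validity_ms,
            },
            "enabled": True,
        }
        return self._put(user_id, body)

    def set_enabled(self, user_id, enabled):
        """PUT {"enabled": true|false} (Enable/Disable User)."""
        return self._put(user_id, {"enabled": bool(enabled)})

    def delete_user(self, user_id):
        """DELETE /{realm}/users/{id}; 2FA devices are removed with the user."""
        status, _ = self.send("DELETE", self._path(user_id), None)
        return status

    def _put(self, user_id, body):
        status, _ = self.send("PUT", self._path(user_id), body)
        if status not in (200, 204):
            raise RuntimeError("update failed with status %d" % status)
        return status


def http_transport(base_url, bearer_token):
    """Real transport over urllib; not exercised offline."""
    def send(method, path, body):
        data = None if body is None else json.dumps(body).encode()
        req = urllib.request.Request(base_url + path, data=data, method=method)
        req.add_header("Authorization", "Bearer " + bearer_token)
        if data is not None:
            req.add_header("Content-Type", "application/json")
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)
    return send


class FakeTransport:
    """Constructed stand-in for the API: records calls, answers a prefix search
    for GET and 204 for PUT/DELETE, which is enough for these four operations."""
    def __init__(self, users):
        self.users = users        # constructed sample: username -> id
        self.calls = []

    def __call__(self, method, path, body):
        self.calls.append((method, path, body))
        if method == "GET":
            name = unquote(path.split("?username=", 1)[1])
            return 200, [{"id": i, "username": u} for u, i in self.users.items()
                         if u.startswith(name)]
        return 204, None


def onboard_user(client, username, code, validity_ms):
    """Prerequisite lookup followed by the documented update; returns the id used."""
    user_id = client.find_user_id(username)
    client.set_activation_and_enable(user_id, code, validity_ms)
    return user_id
```

With a real deployment, replace the fake with `http_transport(base_url, token)`; everything above the transport stays the same, which is also what makes the request bodies easy to assert on in a test.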