Using Active Directory Groups to restrict user access

When a user logs into the Firmstep platform via a FAM or Azure, all the details needed to configure the account correctly are passed across, e.g. the user's email address, name, and the names of the AD groups they are a member of [see footnote].

The platform will then create a new user account if one does not already exist. It can also set the user's permissions group memberships automatically, provided a group on the platform has been set up to correspond to an existing AD group.

As not every platform group will have its membership managed in this way, a naming convention marks the groups that are intended to be AD-integrated.

e.g. If you have a local AD group called 'CSA' and you create a platform permissions group called '[FAM-GROUP] CSA', the membership of that platform group will be synchronised for every user who authenticates via the FAM or Azure. There are three important things to note:

  1. Permission groups that do not use this prefix are unaffected by a FAM/Azure login. Continue to manage their membership with the Firmstep platform permissions manager.

  2. Users who do not authenticate via the FAM/Azure can still be placed in prefixed groups manually using the platform permissions manager.

  3. It is futile to use the Firmstep platform permissions manager to set the memberships of prefixed groups for a FAM/Azure-authenticated user, because their memberships are reset at each login. As well as being made members of every prefixed group that matches a group in their FAM/Azure data, they are removed from any prefixed group that is not listed in that data. This ensures that if a user's membership of an AD group is removed in Active Directory, the corresponding platform membership is also removed the next time they log into the platform.

When logged in via the FAM/Azure, you can open https://add_your_url_here/authapi/isauthenticated (substituting your platform's hostname) to see your own permission group memberships.

Note: The FAM can be configured to only share membership information with the platform for specific AD groups, or none at all - although the most common configuration is to share all memberships.

Nested groups will not show in the platform's permission groups because the FAM does not perform recursive queries; it uses only the direct results of its LDAP query to Active Directory.

  • Create unique email addresses for FAM users with no email
  • When a user with no email address logged into the platform, the FAM previously returned an empty string in place of the email, which had various implications for the user's permissions. This release item assigns a unique email address of the form 'noemail-randomstring@example.com' to FAM users with no email, where the random string is determined by Active Directory. These email addresses are hashed so they are not exposed.
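The following Python is an added model of the three synchronisation rules above and of the no-email placeholder; it is not Firmstep platform code. It assumes the prefix is exactly '[FAM-GROUP] ', that the login data is a flat list of direct AD group names (nested groups are not expanded, as noted above), and, since the article does not say which AD attribute or hash is used, derives the placeholder email from a SHA-256 of an assumed AD object identifier purely to show that the value must be stable per user. All sample groups and users below are constructed for the example.

```python
from __future__ import annotations

import hashlib
import re

# Prefix that marks a platform permissions group as AD-integrated (from the article).
AD_PREFIX = "[FAM-GROUP] "


def is_ad_integrated(platform_group: str) -> bool:
    """A platform permissions group is AD-integrated when its name carries the prefix."""
    return platform_group.startswith(AD_PREFIX)


def sync_memberships(current: set[str], ad_groups: list[str] | None, platform_groups: set[str]) -> set[str]:
    """Return the user's platform group memberships after a login.

    current         - groups the user is in before the login (as stored by the permissions manager)
    ad_groups       - direct AD group names supplied by the FAM/Azure; None for a non-FAM login
    platform_groups - every permissions group defined on the platform
    """
    if ad_groups is None:
        # Rule 2: a login that does not go through the FAM/Azure touches no membership,
        # so manual placements in prefixed groups survive.
        return set(current)

    # Rule 1: groups without the prefix are never touched by a FAM/Azure login.
    kept = {g for g in current if not is_ad_integrated(g)}

    # Rule 3: prefixed memberships are rebuilt from the login data. A prefixed platform
    # group is granted only if an AD group of the same name is present; any prefixed
    # group not backed by the login data is dropped, which revokes access removed in AD.
    from_ad = {AD_PREFIX + name for name in ad_groups}
    resynced = {g for g in platform_groups if is_ad_integrated(g) and g in from_ad}
    return kept | resynced


def membership_diff(current: set[str], new: set[str]) -> tuple[list[str], list[str]]:
    """(added, removed) between two membership sets, for audit logging."""
    return sorted(new - current), sorted(current - new)


def placeholder_email(ad_object_id: str) -> str:
    """Stable, non-reversible placeholder for a FAM user with no email address.

    Assumption for this example: hash an AD object identifier so the same user
    always gets the same address and the identifier itself is not exposed.
    """
    digest = hashlib.sha256(ad_object_id.encode("utf-8")).hexdigest()[:16]
    return f"noemail-{digest}@example.com"


def resolve_email(fam_email: str | None, ad_object_id: str) -> str:
    """Use the FAM-supplied email, or a placeholder when the FAM returns an empty string."""
    if fam_email:
        return fam_email
    # Previously the empty string was stored as-is; now a unique address is assigned.
    return placeholder_email(ad_object_id)


# Constructed sample data: one user whose AD memberships changed between logins.
PLATFORM_GROUPS = {"[FAM-GROUP] CSA", "[FAM-GROUP] Finance", "Admins"}
USER_BEFORE = {"[FAM-GROUP] Finance", "Admins"}
# 'Finance' was revoked in AD, 'CSA' was granted, 'Staff' has no platform counterpart.
LOGIN_AD_GROUPS = ["CSA", "Staff"]

if __name__ == "__main__":
    after = sync_memberships(USER_BEFORE, LOGIN_AD_GROUPS, PLATFORM_GROUPS)
    print("after FAM login:", sorted(after))
    print("added/removed:", membership_diff(USER_BEFORE, after))
    print("local login leaves:", sorted(sync_memberships(USER_BEFORE, None, PLATFORM_GROUPS)))
    print("placeholder:", resolve_email("", "S-1-5-21-example-1001"))
    assert re.fullmatch(r"noemail-[0-9a-f]{16}@example\.com", resolve_email("", "x"))
```

Running it shows 'Admins' kept, '[FAM-GROUP] CSA' added, '[FAM-GROUP] Finance' removed, and 'Staff' ignored because no '[FAM-GROUP] Staff' exists on the platform. If you need a nested AD group to grant platform access, add the user (or their group) directly, since the FAM passes only the direct LDAP results.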
