User Provider

User Provider Configurations

The User Provider page lets you configure the authentication method for users.

None

Default value. In this mode no users are allowed to connect; it should not be set back to None after the initial provisioning.

SAML 2

SAML 2 is a popular standard for exchanging authorization and authentication between cloud services. Most enterprise-grade identity providers (e.g. Microsoft Entra ID, Okta, etc.) support this protocol.

OIDC

OpenID Connect (OIDC) is an interoperable authentication protocol built on the OAuth 2.0 specifications. Most enterprise-grade identity providers (e.g. Microsoft Entra ID, Okta, etc.) support this protocol.

WS-Federation

Microsoft-specific extensions to the SAML 2 flow. Microsoft has deprecated its support for it, and it should not be used for new deployments. It is kept for historical reasons.

Windows Live

Use Windows Live accounts to access the Digital Enterprise Suite. This option is not recommended.

Trisotech Account

Use a free trisotech.com account to log in to the Digital Enterprise Suite. This option does not require integration work by your IT organization, but it requires that users create a Trisotech account and validate it.

Trisotech Account Offline

Same as Trisotech Account, but for deployments where the Digital Enterprise Suite server has no internet access and therefore cannot fetch the signature keys from trisotech.com. If you use this option, you need to update your deployment every year to obtain the updated offline signature keys.

WS-Federation and Windows Live should be avoided and are considered deprecated by Trisotech.

Client Access Licenses

When the configured user provider accepts an unknown user (one that does not already have a Client Access License), a CAL can be assigned to that user automatically.

When using the Trisotech Account provider, it is strongly recommended to also enter the allowed domains (comma separated). This prevents anyone with a Trisotech account outside those domains from gaining access to your Digital Enterprise Suite.

With automatic license provisioning configured, users do not need to be created manually and do not need to request access.

Products

When a new CAL is created (automatically or from the admin interface), check the products that should be assigned to that Client Access License by default.

If no license is available for a requested product, that product is not assigned.

SCIM Integration

System for Cross-domain Identity Management (SCIM) integration with the Digital Enterprise Suite allows automatic provisioning of user and group information from an external repository. The integration is based on the SCIM protocol, exposed as a set of REST endpoints. These endpoints allow reading and writing user and group information so that the DES can be kept fully up to date with the users and groups of the organization.

In addition to automatic provisioning, SCIM provides organizational information about users, which includes:

  • Employee number

  • Department

  • Division

  • Organization

  • Cost center

  • Manager

The FEEL library for automation allows accessing this information through the current user() function.

SCIM integration needs to be enabled using the *Enable SCIM integration* checkbox.

Once activated, a Bearer token is displayed; use it in your SCIM system to authorize requests to the Trisotech Digital Enterprise Suite.

The authorization token can be used with HTTP Basic Authorization (username: bearer, password: [Authorization token]) or in an Authorization header (Authorization: Bearer [Authorization token]).

We provide a detailed guide for activating SCIM with Azure Active Directory that can easily be adapted to other providers.

Unchecking the Enable SCIM integration checkbox disables provisioning from SCIM (e.g., Azure Active Directory, now Microsoft Entra ID) and the endpoint starts returning 501 (Not Implemented) HTTP response codes. Users and groups that were provisioned are not deleted and remain active users, meaning they can continue to use DES without any issues. Imported users have a small lock next to the username indicating that the user is managed externally.
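The following is an added Python example, not Trisotech's code, that ties together the two authorization forms for the SCIM token, the 501 response returned once integration is unchecked, and the organizational attributes listed under SCIM Integration. It assumes DES carries those attributes in the standard SCIM 2.0 Enterprise User extension and exposes a /Users endpoint; the base URL, token and user record are constructed placeholders.

```python
import base64
import json
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# SCIM 2.0 Enterprise User extension (RFC 7643); assumed to carry the fields this page lists.
ENTERPRISE_SCHEMA = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"


def auth_header(token: str, style: str = "bearer") -> dict:
    """Build the Authorization header in either form the page accepts."""
    if style == "bearer":
        return {"Authorization": f"Bearer {token}"}
    if style == "basic":
        # HTTP Basic with the fixed username "bearer" and the token as password
        creds = base64.b64encode(f"bearer:{token}".encode()).decode()
        return {"Authorization": f"Basic {creds}"}
    raise ValueError("style must be 'bearer' or 'basic'")


def org_attributes(user: dict) -> dict:
    """Extract the organizational fields from a SCIM user resource (None when absent)."""
    ext = user.get(ENTERPRISE_SCHEMA, {})
    manager = ext.get("manager") or {}
    return {
        "employeeNumber": ext.get("employeeNumber"),
        "department": ext.get("department"),
        "division": ext.get("division"),
        "organization": ext.get("organization"),
        "costCenter": ext.get("costCenter"),
        "manager": manager.get("displayName") or manager.get("value"),
    }


def list_users(base_url: str, token: str, style: str = "bearer"):
    """GET <base_url>/Users; returns None when it answers 501 (SCIM integration unchecked)."""
    req = Request(f"{base_url}/Users", headers=auth_header(token, style))
    try:
        with urlopen(req) as resp:
            return json.load(resp)
    except HTTPError as err:
        if err.code == 501:
            return None
        raise


SAMPLE_USER = {  # constructed example record, not real data
    "userName": "jdoe@example.com",
    ENTERPRISE_SCHEMA: {"employeeNumber": "E-1042", "department": "Risk",
                        "division": "Banking", "organization": "Example Corp",
                        "costCenter": "CC-77",
                        "manager": {"value": "u-9", "displayName": "Ann Lee"}},
}
```

Call list_users with your DES base URL and the displayed token to confirm the endpoint answers; a None result means SCIM integration is currently disabled.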