Is there a way to create an external user account under an enterprise account silently, where there is no accept/email invite needed?
Use Case:
User becomes a member of our web site, we call API and provision grant them silently which creates an external user under our enterprise account.
Any code axample? Silently and without invite is the key thing here. Thanks!
There isn't a way to do this. The user doesn't have a password at creation time and needs to set one by going to the website via the email confirmation link.
Could you perhaps explain why you don't want the email to be sent, and what your user workflow looks like?
Related
I have a working implementation of SAML (OneLogin) within an enterprise architecture.
When a guest user arrives at my application they are redirected to the company login where they enter their username / password. After that the user identity is passed back to my application and we log them in.
However, I notice that in other applications within the company I do not have to login at all. Somehow the website "knows who I am" and seems to authenticate me automatically. I presume there is some form of certificate on my pc / browser which the other applications are passing to the SAML??
Can somebody tell me the technical term or process? Is there a process whereby I simply pull the certificate from the browser or PC and pass it to the SAML? I would like my users to be able to auto-login without entering their credentials.
Thanks
There's a number of mechanisms that support an "automatic" authentication like what you describe. In the Identity and Access Management (IAM) realm, we have all sorts of names for it, but many of us call that "seamless single sign-on (SSO)".
Within a corporate environment, I would suspect that you are dealing with a one of two mechanisms: Kerberos authentication (especially if you're a Microsoft shop and log in to a domain-joined machine on a daily basis), or your machine is in an MDM-type of system, which uses a machine- and/or user-based certificate (aka PKI) to authenticate the user or user/machine combination.
Within your enterprise, if there are other applications whose users are immediately authenticated to the application without entering their username and password, then you should talk to your IAM team or your Single Sign On (SSO) administrators to understand why that doesn't work for yours.
I will also say that it's possible that your security team evaluated what information your application offers (insider financials? source code? your secret recipe? credit card data?) and decided that they would still require the user enter their username and password to get access to the data. So when you go to your SSO admins to ask, if they say that it's intentional, you should feel free to ask why and who you should talk to about it.
After a LOT of research and testing I finally have the answer to this question, and it is incredibly simple!
In summary:
I have a working solution with OneLogin that sends me to a page like this:
https://sts.companyname.com/adfs/ls
The url is specified in the config: saml->config->idp->singleSignOnService->url
However, this page requires the user to enter their username and password and, instead, I would like the system to be fully seamless.
The solution, it turns out, is simply to hyperlink to the following url:
https://sts.companyname.com/adfs/ls/IdpInitiatedSignon.aspx?LoginToRp=https://mypage.com/saml/metadata
where "loginToRp" url is the url provided in saml->config->sp->entityID
The ADFS IDP Initiated Signon will connect to your metadata schema and automatically log the user in (without the user needing to provide any credentials)
NOTE: this only applies to intranet sites in a corporate environment
I'm currently writing an auditing script that is focusing on users' gmails and need access to their message lists. I have admin access and scopes for the AdminSDK, the script will be executed by the admin.
I'm wondering how exactly to do this? I have my domain's userlist via Directory, but I can't use GmailApp with a specific user, only the current user(admin). I was also thinking about assigning a timed Trigger to each of the users and using GmailApp locally, but I can't figure out how to do that either(I don't think this is possible).
One idea that I'm working on is pinging the Gmail API using the admin's credentials via URLFetchApp, but can I get my domain's users information with this method?
What are your thoughts? Any guidance will be appreciated.
I'm currently using GAS on a service account.
While using service account, you can impersonate users in your domain and perform actions on their behalf. For this you will need to perform domain wide delegation of authority in your domain.
Here you can find documentation about domain wide delegation.
Here you can see an example, I know is on Drive but the principle is the same.
Hope this helps.
I'm using Azure API Management and I have a user who tried to sign up but never got the "validation" email. Let's just assume the email is not recoverable. Unfortunately, I have no way to reset that user's email address. The API Management framework knows that the email already exists but I have no visibility to that user's profile until they validate the account. At that point I can manage their account but, until then, they are in-limbo.
If the user tries to re-sign up or even if I send an invite, we get an error that says. "Email already exist"
Any pointers?
The confirmation request will expire in 2 days, so if the user tries again after 2 days, the "email already exist" error should go away.
Meanwhile, we are currently working on a feature to allow Admins to delete unconfirmed users from the Management Console.
In addition to allowing admins to remove unconfirmed users we added the ability for users to re-send confirmation email.
I am creating an iOS App which the user will be able to login to via his account with our website (internal), or via Facebook or Twitter.
What I would like to know is how should I manage the database in order to verify his Facebook / Twitter account with his internal account on my website?
I.e When the user logs in via his internal account, I just run a simple authentication check to see if his username and password are valid. However with Facebook and Twitter, I obviously can't do this as I don't have access to the user's password.
Thanks in advanced.
my suggestion is that you would create a new table for each of the login types and connect it to your users/members table.
for example - for facebook login you would have a facebook_users table to hold the user's data (such as name, pic and most important - fbid)
than add a column named facebook_user_id to your existing members table.
in order to get the logged user from facebook you don't need to access his password... you should use the Facebook JS SDK and specifically the FB.getLoginStatus and FB.login function...
offcourse my suggestion is only one of many applicable ways to accomplish the task
Save fbid instead of fb-login user_name (you can keep both) of the user in your internal login table - A unique mapping exists (I'm sure something similar exists for twitter as well). Why do you need fb password for it?
Moreover, you run the check on internal table to authenticate user account, but when using login from fb or twitter, isn't the user already authenticated?
I'm busy to enable login stuff via facebook oauth on my website, but the only thing I want to get is the email of the user.
I saw in dev docs the 'scope=email' but, it seem's mandatory for the user to allow access to anything about him.
is there's a way to ask him to grant access only on his email ?
No. The bare minimum that your app will request from the user is his Basic Information, followed by your extended permissions (in your case, his email address).
nope. email is a so called extended permission. so you have to get the basic set of data of the user. (like: name, fbid, gender, locale).