Managing external users

This page provides information on how externally authenticated users are managed by the Intelligence Center, and certain issues that administrators should be aware of when managing externally authenticated users.

Information here can be applied to all external authentication systems supported by the Intelligence Center, unless otherwise specified here.

“Local” and “external” user accounts

Local user accounts are accounts that are created and managed on the Intelligence Center.

External user accounts are accounts on the Intelligence Center that:

  • Are automatically created when a user signs in to the Intelligence Center using an external authentication system.

  • Exist on the Intelligence Center, but are marked as ‘external’.

  • Should not be managed on the Intelligence Center. The Intelligence Center maintains a one-way sync between the user account on the external authentication system and the external user account on the Intelligence Center.

The Intelligence Center does not store the password hashes for external user accounts.

External user accounts have values set for their external_auth_system and external_auth_id fields.

Local user accounts take precedence over external user accounts

When a user signs in on the Intelligence Center, the Intelligence Center always checks if a local user account exists.

The Intelligence Center does not attempt to authenticate a user using an external authentication system if they have an existing account on the Intelligence Center.

A user is only authenticated using an external authentication system when:

  • The Intelligence Center is configured to use an external authentication system, and

  • The Intelligence Center cannot find an Intelligence Center user account with that username.

  • OR the user has an external user account stored on the Intelligence Center.

However, it is still possible for external user accounts to override local user accounts.

External user accounts can override local user accounts

It is possible for a user to sign in using an external user account even if a local user account exists. This can happen when the user bypasses the usual Intelligence Center authentication flow, for example by signing in on the Intelligence Center using the “Sign in with SAML” button.

When this happens, the local user account is marked as an external user account, and the user subsequently authenticates with their external authentication system. The local user account’s password is no longer valid.

To avoid issues around this, make it clear to users where they should be managing their user accounts: on the Intelligence Center, or on a specific external authentication system.

Keep external and local users separate

The Intelligence Center maintains a one-way sync between user accounts and the external authentication systems they are bound to.

This means that certain changes such as group and role assignments made to external users on the Intelligence Center may not persist. These changes can be overridden the next time that user signs in using the external authentication system. Having Intelligence Center and external users coexist in the same groups and roles makes it difficult to identify issues with user permissions.

Instead, set up dedicated groups and roles on the Intelligence Center for externally managed user accounts, and use them to manage the permissions assigned to those accounts. How this is done is specific to your external authentication system.
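
One way to check that local and external users are kept separate is to audit a list of user records for groups and roles that hold both kinds of account. The script below is an added example, not Intelligence Center code. Only the external_auth_system and external_auth_id field names come from this page; the record layout, the other keys and the sample users are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample records. Only external_auth_system and external_auth_id
# are field names from the page; the other keys are assumed for illustration.
SAMPLE_USERS = [
    {"username": "alice", "external_auth_system": None, "external_auth_id": None,
     "groups": ["analysts"], "roles": ["editor"]},
    {"username": "bob", "external_auth_system": "saml",
     "external_auth_id": "bob@idp.example",
     "groups": ["analysts"], "roles": ["editor"]},
    {"username": "carol", "external_auth_system": "saml",
     "external_auth_id": "carol@idp.example",
     "groups": ["ext-analysts"], "roles": ["ext-reader"]},
    {"username": "dave", "external_auth_system": "ldap", "external_auth_id": None,
     "groups": ["ext-analysts"], "roles": ["editor"]},
]


def account_kind(user):
    """Classify an account from its two external-auth fields."""
    system = user.get("external_auth_system")
    ext_id = user.get("external_auth_id")
    if system and ext_id:
        return "external"
    if not system and not ext_id:
        return "local"
    # Assumption of this example: a half-populated pair needs manual review.
    return "inconsistent"


def mixed_memberships(users, key):
    """Return every group or role (chosen by key) holding both account kinds."""
    members = defaultdict(lambda: {"local": [], "external": []})
    for user in users:
        kind = account_kind(user)
        if kind == "inconsistent":
            continue  # reported separately by audit()
        for name in user.get(key, []):
            members[name][kind].append(user["username"])
    return {n: m for n, m in members.items() if m["local"] and m["external"]}


def audit(users):
    """Collect the findings an administrator would want to review."""
    return {
        "inconsistent": [u["username"] for u in users
                         if account_kind(u) == "inconsistent"],
        "mixed_groups": mixed_memberships(users, "groups"),
        "mixed_roles": mixed_memberships(users, "roles"),
    }


if __name__ == "__main__":
    for finding, detail in audit(SAMPLE_USERS).items():
        print(finding, detail)
```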