Managing external users#
This page provides information on how externally authenticated users are managed by EclecticIQ Intelligence Center, and certain issues that administrators should be aware of when managing externally authenticated users.
Information here can be applied to all external authentication systems supported by EclecticIQ Intelligence Center, unless otherwise specified here.
“Local” and “external” user accounts#
Local user accounts are accounts that are created and managed on EclecticIQ Intelligence Center.
External user accounts are accounts on EclecticIQ Intelligence Center that:
Are automatically created when a user signs in to the Intelligence Center using an external authentication system.
Exist on EclecticIQ Intelligence Center, but are marked as ‘external’.
Should not be managed on EclecticIQ Intelligence Center. EclecticIQ Intelligence Center maintains a one-way sync between the user account on the external authentication system and the external user account on EclecticIQ Intelligence Center.
EclecticIQ Intelligence Center does not store the password hashes for external user accounts.
Tip
External user accounts have values set for their
external_auth_system
and external_auth_id
fields.
Local user accounts take precedence over external user accounts#
When a user signs in on EclecticIQ Intelligence Center, EclecticIQ Intelligence Center always checks if a local user account exists.
EclecticIQ Intelligence Center does not attempt to authenticate a user using an external authentication system if they have an existing account on EclecticIQ Intelligence Center.
A user is only authenticated using an external authentication system when:
EclecticIQ Intelligence Center is configured to use an external authentication system, and
EclecticIQ Intelligence Center cannot find a Intelligence Center user account with that username.
OR the user has an external user account stored on the Intelligence Center.
However, it is still possible for external user accounts to override local user accounts.
External user accounts can override local user accounts#
It is possible for a user to sign in using an external user account even if a local user account exists. This can happen when the user bypasses the usual Intelligence Center authentication flow, for example by signing in on EclecticIQ Intelligence Center using the “Sign in with SAML” button.
When this happens, the local user account is then marked as an external user account, and will subsequently authenticate with their external authentication system. The local user account’s password will no longer be valid.
To avoid issues around this, make it clear to users where they should be managing their user accounts: on the Intelligence Center, or on a specific external authentication system.
Keep external and local users separate#
EclecticIQ Intelligence Center maintains a one-way sync between user accounts and the external authentication systems they are bound to.
This means that certain changes such as group and role assignments made to external users on EclecticIQ Intelligence Center may not persist. These changes can be overridden the next time that user signs in using the external authentication system. Having Intelligence Center and external users coexist in the same groups and roles makes it difficult to identify issues with user permissions.
Instead, set up dedicated groups and roles on EclecticIQ Intelligence Center for externally managed user accounts to manage their assigned permissions with. How this is done is specific to your external authentication system.