Assign IdP user to a device
Storing
How to store a user in DevUser table
New column: IdpUserId
User UID is stored as UserName and Email
Update DevInfo
Data/Provider Layers
User and Groups
New Providers, DataProviders etc.
Need three new tables
IdpUser (UID)
IdPGroup (UID)
IdpUserGroup (UserId, GroupId)
INFO: LdapGroup table is also populated when we:
Create a rule
Create a security principal
Assign a profile
Create a filter for a Virtual Group with an existing LDAP group name
:question: User/Group uniqueness scope -> EntityId, SsoEntityId or Nothing
DB Task
:question: should we try to extract more info from Idp response
:!: We currently store SsoEntityId in the DevUser table
It is currently used for LDAP users authenticated through SSO, thus it will probably not be used for IdP users
When we start saving IdP users in new tables with an SsoConnectionId association, SSO Connections might get stuck in the system forever, as happens to LDAP now, unless we come up with some kind of clean-up logic :!:
GDPR
NGUI
Show user info on Device Dialog
User cannot be assigned manually:
:question: Warning that changing IdP user is irreversible
API
:question: Any changes required?
Assign Single User/ From CSV
Update groups on every login
:question: Does any login matter (SSP, WC, Enrollment, iOS Profile Catalog etc.)?
:!: For an LDAP user we don't create a record in the LdapUser table when the user logs in to WebConsole, so we are going to update membership during WC login only if the user has enrolled a device by that time
SSP
Backend
Currently, the starting point for fetching a user's devices is DeviceInformationManagementEngine.GetDeviceListByUserId(), which finally, down the road, calls the Device_GetDeviceSortedList stored procedure with the current user's SecurityPrincipalId as an input parameter
DB
Currently, on the DB side, the user's devices are returned by the Device_GetDeviceSortedList SP the following way:
If SecurityPrincipal has a SID, then DevUser records with DevUser.Identifier == SecurityPrincipal.SID are returned.
If SecurityPrincipal.SID == null, then DevUser records with DevUser.EMail == SecurityPrincipal.Email are returned.
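As an added sketch, not the product's own schema or stored procedure, this combines the three new tables from the Storing section with a lookup that extends the two matching rules above with the new IdpUserId column, preferring the strongest identifier available. T-SQL is assumed, and every column and routine name not named in these notes (SsoConnectionId scoping, Uid, DeviceId, Device_GetDevicesForPrincipal) is an assumption.

```sql
-- Added sketch, not MobiControl's own schema or procedure. Names other than
-- IdpUser, IdPGroup, IdpUserGroup, DevUser, IdpUserId, Identifier, EMail and
-- SsoConnectionId are assumptions; so is the choice of T-SQL.
CREATE TABLE IdpUser (
    IdpUserId       INT IDENTITY PRIMARY KEY,
    SsoConnectionId INT NOT NULL,            -- assumed: scopes UID uniqueness per connection
    Uid             NVARCHAR(256) NOT NULL,  -- UID taken from the IdP response
    UserName        NVARCHAR(256) NULL,
    Email           NVARCHAR(256) NULL,
    CONSTRAINT UQ_IdpUser UNIQUE (SsoConnectionId, Uid)
);
CREATE TABLE IdPGroup (
    IdpGroupId      INT IDENTITY PRIMARY KEY,
    SsoConnectionId INT NOT NULL,
    Uid             NVARCHAR(256) NOT NULL,
    Name            NVARCHAR(256) NULL,
    CONSTRAINT UQ_IdpGroup UNIQUE (SsoConnectionId, Uid)
);
CREATE TABLE IdpUserGroup (
    UserId  INT NOT NULL REFERENCES IdpUser(IdpUserId)   ON DELETE CASCADE,
    GroupId INT NOT NULL REFERENCES IdPGroup(IdpGroupId) ON DELETE CASCADE,
    PRIMARY KEY (UserId, GroupId)
);
GO
-- Assumed replacement for the matching branch of Device_GetDeviceSortedList:
-- match on IdpUserId first, then on SID, and fall back to e-mail only when the
-- principal has neither, so a re-used e-mail address cannot match devices that
-- are bound to a stable identifier.
CREATE PROCEDURE Device_GetDevicesForPrincipal
    @IdpUserId INT = NULL, @Sid NVARCHAR(256) = NULL, @Email NVARCHAR(256) = NULL
AS
BEGIN
    SET NOCOUNT ON;
    SELECT u.DeviceId, u.UserName, u.EMail   -- DeviceId column on DevUser is assumed
    FROM DevUser u
    WHERE (@IdpUserId IS NOT NULL AND u.IdpUserId = @IdpUserId)
       OR (@IdpUserId IS NULL AND @Sid IS NOT NULL AND u.Identifier = @Sid)
       OR (@IdpUserId IS NULL AND @Sid IS NULL AND @Email IS NOT NULL
           AND u.EMail = @Email);
END
```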
iOS profile catalog access
Ability to (un)assign user for multi user sign-in/out
Make macros work for IdP users
iOS
Code: DeviceReferenceResolver->ResolveReference(), called from DeviceInformationHandler->GetDeviceName()
Device parameters are resolved in GetDeviceParameters of the same class.
If we populate the DevUser table with user name and email, those macros should work without any changes.
:check:
Android
Seems to be resolved in AgentEnrollment.cpp->InitDeviceName()
Should work for IdP user out of the box
:check:
MacroResolver.cpp in MobiControl/Common
Profile Assignment
UI
LDAP Targets should be renamed
List of connections should include IdP without LDAP
Since an IdP user can't be assigned manually, the change should not affect platforms that don't support SSO Enrollment (WinCE etc.)
Backend
Currently, profile targets get processed in ProfileDeviceTargetsProcessor.ProcessDeviceTargets(), and the matching logic in particular is in the TargetExtensions.LdapCriteriaSatisfiedBy() method
DB
Currently profile assignment targets are stored in the LdapTarget and LdapTargetItem tables, which in turn reference LdapGroup.
The reference to LdapTarget is stored in the ProfileAssignment->TargetId field
:question: Store the LDAP/IdP targets filter as a string in the ProfileAssignments table
Virtual Group Filter
DB
Filter is stored as a string in the DeviceGroupVirtual table, in the FilterExpression column.
Ex. 'HAS UserGroup WITH (Name = 'Domain Users')'
Assigning a user during Enrollment
iOS
In IdentityProviderGroupsAuthorizationActivity->Authorize(), create a DevUser and set it using EnrollmentSessionState->AssociateWithDeviceUser()
Android
DS methods that have to be reviewed:
CSOTIDatabase::SaveDevUser
Usage: AgentEnrollment->CheckAuthentication, CommDeploymentSrvWorker->OnDirectoryRequestMsg
CSOTIDatabase::DeleteDevUser
Usage: AgentEnrollment->CheckAuthentication,
CSOTIDatabase::GetDeviceInfo
Usage: AgentEnrollment->CheckAuthentication, CommDeploymentSrvWorker->OnDirectoryRequestMsg
CSOTIDatabase::IsDevUserNeedManualFix
Usage: MC Installer Info: needs manual fix if Identifier is not null or empty but LdapConnectionId is
CSOTIDatabase::GetDeviceInfo
:question: Do we still need the warning message in Add Device Rule?
Elastic Search - Search devices by idp group
Code
DeviceSearchInfoManager->GetDeviceGroups()
Seems to be stored in ES storage on sync or when a new device is added. Stored as a list of {SID, GroupName, ConnectionName} objects.
Person Approach
If we have a single Person with LDAP/IdP entries per connection, we need to change the DeviceUser representation in the Device entity that is stored in Elastic Search.
Backend
Upgrade
If we go for the new Person structure approach, it will require data migration during upgrade