Configure managed user realms

Use the Administration Console for Content Platform Engine to create an authentication realm for users that are managed by an OIDC/OAuth identity provider.

Before you begin

Before you can manage users or share content with them, you must set up the identity provider service that you want to use. For information about which identity providers are supported, see the Software Product Compatibility Report.

To manage user access and enable automatic registration of users for your environment, see OIDC and OAuth identity providers.

For container deployments, you perform additional tasks to configure authentication for the managed users. For details, see Configuring users with an Identity Provider.

For traditional on-premises deployments, you configure the WebSphere Application Server instances that host Content Platform Engine and IBM® Content Navigator to accept your OAuth/OIDC identity provider for external share users. For details, see Configuring dynamic user provisioning for a traditional WebSphere Application Server environment.

About this task

You enable managed users in the Administration Console for Content Platform Engine by creating a Managed Users directory provider realm. To learn more about Managed User realms, see OIDC and OAuth identity providers.
Important: Creating a managed user directory means that the users themselves are stored in the Global Configuration Database (GCD) rather than in an external directory. Adjust the backup schedule to back up the GCD database more frequently so that changes to the list of managed users are not lost.

Procedure

To create the managed user directory:

  1. In the Administration Console for Content Platform Engine, open the P8Domain.
  2. In the contents pane, click the Directory Configuration tab, and click New.
  3. In the Directory Service Provider wizard, click the drop-down choices for Type, and choose Managed.
  4. Enter a display name for the provider, and click Next.
  5. Provide values for the general properties of the provider.
    For Principal category, if you are configuring External Share, specify External to distinguish external users from internal users. Principal category can be left blank when you configure an internal managed realm.

    You can also specify an interval in days after which provisional users who have not logged in to confirm their identity are deleted. If a provisional user who is deleted by this mechanism was the recipient of external shares, those shares are cleaned up by the sweep process that is configured as part of the external sharing feature.

  6. Click Next to confirm the values that you entered for the provider, then click Finish.
    When the creation of the provider completes, click Close.
  7. Add identity rules to the new directory service provider:
    1. Click the Identity Rules tab.
    2. Add an Email suffix, and choose an Identity rule from the drop-down list.
    3. Save your changes.
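The realm, identity rule and provisional-user expiry behaviour from the procedure above, modelled as an added Python example. This is not Content Platform Engine code and does not use its API; the class names, the suffix-matching rule (a bare domain is treated as an "@domain" suffix, a suffix beginning with "." also matches subdomains, the longest matching suffix wins), the sample users and shares, and the share sweep are assumptions chosen to illustrate what the page describes.

```python
"""Illustrative model of a Managed realm's identity rules and provisional-user
expiry.  Added example: not Content Platform Engine code.  The realm and user
representation, the suffix-matching rule and the sweep are assumptions about
the behaviour the procedure above describes."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class ManagedRealm:
    name: str
    principal_category: Optional[str]       # "External" for External Share, None for an internal realm
    provisional_expiry_days: Optional[int]  # None: provisional users are never purged
    identity_rules: dict = field(default_factory=dict)  # normalized suffix -> rule name

    def add_identity_rule(self, suffix: str, rule: str) -> None:
        # Assumption: a bare domain such as "example.com" means "@example.com";
        # a suffix starting with "." (".example.com") also matches subdomains.
        suffix = suffix.strip().lower()
        if not suffix.startswith(("@", ".")):
            suffix = "@" + suffix
        self.identity_rules[suffix] = rule

    def match_identity_rule(self, email: str) -> Optional[str]:
        """Return the rule for the longest configured suffix the address ends with,
        or None.  Anchoring on "@" or "." is what stops 'bob@evil-example.com'
        from matching a rule configured for 'example.com'."""
        email = email.strip().lower()
        if email.count("@") != 1 or email.startswith("@"):
            return None
        hits = [s for s in self.identity_rules if email.endswith(s)]
        if not hits:
            return None
        return self.identity_rules[max(hits, key=len)]


@dataclass
class ManagedUser:
    email: str
    created: datetime
    confirmed: bool = False  # set once the user has logged in through the IdP


@dataclass
class ExternalShare:
    document_id: str
    recipient_email: str


def expired_provisional_users(realm, users, now):
    """Provisional (unconfirmed) users older than the realm's expiry interval."""
    if realm.provisional_expiry_days is None:
        return []
    cutoff = now - timedelta(days=realm.provisional_expiry_days)
    return [u for u in users if not u.confirmed and u.created <= cutoff]


def sweep_orphaned_shares(shares, deleted_users):
    """Split shares into (kept, swept): shares addressed to a purged recipient
    are swept so that no share remains for a user who no longer exists."""
    gone = {u.email.lower() for u in deleted_users}
    kept = [s for s in shares if s.recipient_email.lower() not in gone]
    swept = [s for s in shares if s.recipient_email.lower() in gone]
    return kept, swept


def demo():
    """Constructed sample data: an External realm with a 30-day expiry."""
    realm = ManagedRealm("ExternalShareRealm", "External", 30)
    realm.add_identity_rule("example.com", "EmailAddress")
    realm.add_identity_rule(".partner.example", "EmailAddress")
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    users = [
        ManagedUser("alice@example.com", now - timedelta(days=45), confirmed=True),
        ManagedUser("bob@example.com", now - timedelta(days=45)),            # never confirmed
        ManagedUser("carol@sub.partner.example", now - timedelta(days=10)),  # still within the window
    ]
    shares = [
        ExternalShare("doc-1", "alice@example.com"),
        ExternalShare("doc-2", "bob@example.com"),
        ExternalShare("doc-3", "carol@sub.partner.example"),
    ]
    expired = expired_provisional_users(realm, users, now)
    kept, swept = sweep_orphaned_shares(shares, expired)
    return {
        "rule_alice": realm.match_identity_rule("alice@example.com"),
        "rule_carol": realm.match_identity_rule("carol@sub.partner.example"),
        "rule_lookalike": realm.match_identity_rule("bob@evil-example.com"),
        "expired": [u.email for u in expired],
        "swept": [s.document_id for s in swept],
        "kept": [s.document_id for s in kept],
    }


if __name__ == "__main__":
    print(demo())
```

The point of the lookalike check is that a suffix rule must be anchored at the "@" or a "." boundary; a plain substring test on "example.com" would admit an address from an attacker-controlled domain such as evil-example.com into the External realm.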