Configuring Managed Users

You can set up managed users by configuring an identity provider (IDP). You also create a corresponding directory service provider to manage the users in the Administration Console for Content Platform Engine.

Before you begin

Before you configure managed users or share content with them, you must set up the identity provider service that you want to use. For information about what identity providers are supported, see the Software Product Compatibility Report.

For deployments that use WebSphere Liberty Application Server, you perform additional tasks to configure authentication for the managed users. For more information, see Configuring Identity Provider for a WebSphere Liberty Application Server Environment.

For traditional WebSphere® Application Server deployments, you configure your Content Platform Engine and IBM Content Navigator application server to accommodate your OAuth/OIDC identity provider. For more information, see Configuring Identity Provider for a WebSphere Application Server Environment.

About this task

You manage IDP users in the Administration Console for Content Platform Engine by creating a Managed Users directory provider. You need to create only one Managed Users directory provider with identity rules to specify your particular managed realm, even if you use multiple external identity providers.
Important: For external share users, only one Managed User directory provider can be configured for External Share use. This managed realm must be distinct from any internal user managed realm. See the Catchall realm section in the topic Identity rules for managed users, and the topic Managed realm and identity rule scenarios, for more information.

Procedure

To create the managed user directory:

  1. In the Administration Console for Content Platform Engine, open the P8Domain.
  2. In the contents pane, click the Directory Configuration tab, and click New.
  3. In the Directory Service Provider wizard, click the drop-down choices for Type, and choose Managed.
  4. Enter a display name for the provider, and click Next.
  5. Provide values for the general properties of the provider.
    If you are configuring for External Share, set the principal category to External to help distinguish external users from internal users. The principal category can be left blank when you configure an internal managed realm.

    You can also specify an interval in days after which unconfirmed users are deleted. These users are invited to share content, but do not log in to confirm their identity and access the content. After the unconfirmed user is deleted, the associated sweep also cleans up any share permissions that were granted to that user.

  6. Click Next to confirm the values that you entered for the provider, then click Finish.
    When the creation of the provider completes, click Close.
  7. Add identity rules to the new directory service provider:
    For more information about configuring identity rules, see Identity rules for Managed Users.
    1. Click the Identity Rules tab.
    2. Add an Email suffix, and choose an Identity rule from the drop-down list.
    3. Save your changes.
  8. Optional: Add users to the new directory service provider:
    Note: For External Share, the users are automatically added when an existing user shares content with an external user. For internal users, in a realm that is configured for self-registration, the user is automatically added when logging in with IBM® Content Navigator for the first time.
    1. In the navigation pane, expand Global Configuration > Administration > Managed User Realms, and click the provider that you created.
    2. In the content pane, click Add User.
    3. In the New Managed User dialog, enter the email address and specify a display name for the new user.
    Note: A user created by another internal user is a provisional user. The provisional user must log in through IBM Content Navigator for the first time to confirm the user identity.