External Authentication : FAQ


| Question | Answer | References |
|---|---|---|
| Why am I no longer able to change the rep:externalId? | Since Oak 1.5.8 the default sync mechanism properly protects the system-maintained property rep:externalId, which is used to link a given synced user/group account to the corresponding entry on the external IDP. | See documentation and OAK-4301 |
| Why does a user or group created with a content package not get synced with the IDP? | Only users/groups with a rep:externalId linking them to the external IDP are respected by the default sync mechanism. | See also OAK-4397 and OAK-5304 |
| Synchronized user/group is not updated | The default sync configuration defines an expiration time before identities get re-synced. | See section Configuration |
| Membership information is not stored | The default sync configuration needs to define a user.membershipNestingDepth > 0 in order to have external membership information synchronized. | See section Configuration |
| Membership information is not updated | The default sync configuration defines user.membershipExpTime before membership gets re-synced. | See section Configuration |
| Can I synchronize identities outside of the repository login? | Yes, there is a SynchronizationMBean in the JMX console with additional synchronization options. | |

Dynamic Sync

See User and Group Synchronization : Dynamic Membership and Dynamic Groups for further details.

| Question | Answer | References |
|---|---|---|
| The external group doesn't get created | The dynamic membership option only synchronizes the membership information, not the group accounts. Additionally enabling the ‘Dynamic Groups’ option makes sure groups are synchronized while keeping the dynamic nature of the membership information. | See section Dynamic Groups |
| I cannot add members to a synchronized group | The dynamic groups option comes with a dedicated validator that makes external groups read-only. | See section Enforcing dynamic groups |
| Auto-membership cannot be altered through user management API | The configured auto-membership with local groups is calculated dynamically from the configuration and cannot be changed through the user management API. | See section Automatic Membership |
| External groups have no rep:members property | The membership information is computed dynamically by an implementation of DynamicMembershipProvider from the rep:externalPrincipalNames properties stored with external users. | See OAK-9803 |
| Group nesting is not reflected in the repository | The dynamic sync flattens the nested membership, and the DynamicMembershipProvider will mark members and membership as declared. | See description of DynamicSyncContext |
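
The Dynamic Sync answers above on rep:externalPrincipalNames and flattened nesting can be pictured with a small Python model. This is an added illustration, not Oak code: the IDP data and all function names are constructed, and only the property and configuration names come from this page.

```python
# Toy model of dynamic sync; function names are illustrative, not Oak APIs.
from typing import Dict, List, Set

# Constructed sample IDP data: declared (direct) group membership only.
DECLARED: Dict[str, List[str]] = {
    "alice": ["dev"],
    "bob": ["qa"],
    "dev": ["engineering"],
    "qa": ["engineering"],
    "engineering": ["staff"],
}


def external_principal_names(identity: str, nesting_depth: int) -> Set[str]:
    """Collect group principals up to nesting_depth levels as one flat set.

    Models the value stored in rep:externalPrincipalNames on the user.
    Depth 0 yields nothing, matching the need for
    user.membershipNestingDepth > 0.
    """
    names: Set[str] = set()
    frontier = [identity]
    for _ in range(nesting_depth):
        next_frontier = []
        for ident in frontier:
            for group in DECLARED.get(ident, []):
                if group not in names:  # also guards against cycles
                    names.add(group)
                    next_frontier.append(group)
        frontier = next_frontier
    return names


def sync_users(users: List[str], nesting_depth: int) -> Dict[str, Set[str]]:
    """Per-user stored values after a sync; no group stores a member list."""
    return {u: external_principal_names(u, nesting_depth) for u in users}


def members_of(group: str, synced: Dict[str, Set[str]]) -> Set[str]:
    """Resolve members at read time from the users' stored principal names."""
    return {user for user, names in synced.items() if group in names}
```

In this model `members_of("engineering", ...)` returns users only, never the nested groups `dev` or `qa`, which is the flattening the last answer describes.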