user-manager.yaml

The User Manager Java application itself is configured with /etc/escenic/user-manager/user-manager.yaml. This section describes the most important settings; for a full list of available options, read the file and the comments therein.

Configuration items under the provider YAML block:
oidcEndpoint - The OIDC discovery endpoint of your IAM, e.g. https://iam.mycompany.com/.well-known/openid-configuration

clientId - The id of the OIDC client you've created in the IAM system. CUE User Manager uses this when authenticating with the IAM system.

clientSecret - The secret of the OIDC client you've created in the IAM system.

redirectURI - Redirection URL after login through OIDC. This needs to be the same as you configured in the IAM system when creating the OIDC client. Example: https://iam.mycompany.com/successful-login

scimEndpoint - The SCIM2 endpoint of your IAM, e.g. https://iam.mycompany.com/scim/v2/

groupSync - If you've set up your IAM system to sync from AD and it doesn't sync groups too, you can set this to true to have CUE User Manager create these users in the IAM system for you. The prerequisite for this to work is that the groups are present in a string field called userGroups on the SCIM user object.
Newsroom publication mapping

CUE User Manager uses pattern matching to find the name of the newsroom and then uses predefined mappings between newsroom and publication to find out which roles to assign to the user in which publication.

Valid identifiers for groups are ${publication}, ${newsroom}, ${name} and ${ignore}. If the group identifier is ${ignore}, the SCIM user objects must have the field homePublication set.

If the AD group name is newsroomx_journalist, where the name of the newsroom is newsroomx and the role the user should have in this newsroom is journalist, then the template should be ${newsroom}_${name}.
    newsroom:
      # publicationMapping:
      #   sportsdesk:
      #     # Corresponding publication names
      #     - football.com
      #     - cricket.com
      #     - golf.com
      #   tabloid:
      #     - beats.com
If using publicationMapping, set the template to: ${newsroom}_${name}

Default template is: ${ignore}_${name}

The mapping between the name fragment of the group and the roles this group should get in CUE Content Store is defined in the roleMapping block:
    roleMapping:
      reader:
        - reader
        - articleWithContentTypeReader
      journalist:
        - journalist
        - reader
        - articleWithContentTypeWriter
        - articleWithContentTypeReader
      editor:
        - editor
        - journalist
        - reader
        - articleWithContentTypeWriter
        - articleWithContentTypeReader
      admin:
        - publicationadmin
        - useradmin
        - administrator
        - editor
        - journalist
        - reader
        - articleWithContentTypeWriter
        - articleWithContentTypeReader
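The following is an added illustration, not code from CUE User Manager, of how the group template, publicationMapping and roleMapping above combine to turn an AD group name into per-publication roles. It uses the sample values from this page and assumes a group name is split at its last separator; a group that matches no template or no roleMapping entry grants nothing.

```python
import re

# Sample mappings copied from the user-manager.yaml examples on this page.
ROLE_MAPPING = {
    "reader": ["reader", "articleWithContentTypeReader"],
    "journalist": ["journalist", "reader", "articleWithContentTypeWriter",
                   "articleWithContentTypeReader"],
    "editor": ["editor", "journalist", "reader", "articleWithContentTypeWriter",
               "articleWithContentTypeReader"],
    "admin": ["publicationadmin", "useradmin", "administrator", "editor",
              "journalist", "reader", "articleWithContentTypeWriter",
              "articleWithContentTypeReader"],
}
PUBLICATION_MAPPING = {
    "sportsdesk": ["football.com", "cricket.com", "golf.com"],
    "tabloid": ["beats.com"],
}

def template_to_regex(template):
    """Turn e.g. '${newsroom}_${name}' into an anchored regex with named groups.
    Assumption (not from the page): each placeholder is greedy, so the group
    name is split at its last separator and the role fragment comes last."""
    pattern, pos = "", 0
    for m in re.finditer(r"\$\{(publication|newsroom|name|ignore)\}", template):
        pattern += re.escape(template[pos:m.start()]) + "(?P<%s>.+)" % m.group(1)
        pos = m.end()
    return re.compile("^" + pattern + re.escape(template[pos:]) + "$")

def resolve_group(group, template, home_publication=None):
    """Return {publication: [roles]} for one AD group, or {} when it grants nothing."""
    m = template_to_regex(template).match(group)
    if not m:
        return {}                      # group does not follow the naming convention
    parts = m.groupdict()
    roles = ROLE_MAPPING.get(parts.get("name"))
    if roles is None:
        return {}                      # unknown role fragment: fail closed
    if "publication" in parts:         # ${publication}: publication named directly
        publications = [parts["publication"]]
    elif "newsroom" in parts:          # ${newsroom}: look up publicationMapping
        publications = PUBLICATION_MAPPING.get(parts["newsroom"], [])
    else:                              # ${ignore}: SCIM homePublication decides
        publications = [home_publication] if home_publication else []
    return {pub: list(roles) for pub in publications}

def resolve_user(groups, template, home_publication=None):
    """Merge the grants of all of a user's groups, de-duplicating roles per publication."""
    grants = {}
    for group in groups:
        for pub, roles in resolve_group(group, template, home_publication).items():
            merged = grants.setdefault(pub, [])
            merged.extend(r for r in roles if r not in merged)
    return grants
```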
When AD user group naming is consistent and the corresponding CUE User Manager mapping is correct, users automatically get the correct permissions in CUE Content Store. AD then becomes the master source not only of users but also of authorization/access control for the different publications inside CUE Content Store.