user-manager.yaml

The User Manager Java application itself is configured in /etc/escenic/user-manager/user-manager.yaml. This section describes the most important settings; for a full list of available options, read the file and the comments in it.

Configuration items under the provider YAML block:

oidcEndpoint

The OIDC discovery endpoint of your IAM, e.g.: https://iam.mycompany.com/.well-known/openid-configuration

clientId

The ID of the OIDC client you've created in the IAM system. CUE User Manager presents it when authenticating itself to the IAM system.

clientSecret

The secret of the OIDC client you've created in the IAM system. It is a credential: keep the file readable only by the user the User Manager runs as, and keep it out of version control.

redirectURI

Redirection URL after login through OIDC. It must match the redirect URI you registered in the IAM system when creating the OIDC client exactly (scheme, host, port and path); IAM systems normally reject the login if it differs.

Example: https://iam.mycompany.com/successful-login

scimEndpoint

The SCIM2 endpoint of your IAM, e.g.: https://iam.mycompany.com/scim/v2/

groupSync

If you've set up your IAM system to sync from AD and it doesn't sync groups too, you can set this to true to have CUE User Manager create these groups in the IAM system for you. The prerequisite for this to work is that the groups are present in a string field called userGroups on the SCIM user object.

Newsroom publication mapping

CUE User Manager uses pattern matching on the group name to extract the newsroom name, then uses the predefined mapping between newsrooms and publications to decide which roles to assign to the user in which publications.

Valid identifiers for groups are ${publication}, ${newsroom}, ${name} and ${ignore}. If the group identifier is ${ignore}, the SCIM user objects must have the field homePublication set, because the publication then cannot be derived from the group name.

If the AD group name is newsroomx_journalist, where the name of the newsroom is newsroomx and the role the user should have in this newsroom is journalist, then the template should be ${newsroom}_${name}.

  newsroom:
    # publicationMapping:
    #   sportsdesk:
    #     # Corresponding publication names
    #     - football.com
    #     - cricket.com
    #     - golf.com
    #   tabloid:
    #     - beats.com

If using publicationMapping, set the template to:

${newsroom}_${name}

The default template is:

${ignore}_${name}

With the default template only the role fragment is read from the group name; the publication is taken from the user's homePublication field.

The mapping between the name fragment of the group and the roles this group should get in CUE Content Store is defined in the roleMapping block:

roleMapping:
  reader:
    - reader
    - articleWithContentTypeReader
  journalist:
    - journalist
    - reader
    - articleWithContentTypeWriter
    - articleWithContentTypeReader
  editor:
    - editor
    - journalist
    - reader
    - articleWithContentTypeWriter
    - articleWithContentTypeReader
  admin:
    - publicationadmin
    - useradmin
    - administrator
    - editor
    - journalist
    - reader
    - articleWithContentTypeWriter
    - articleWithContentTypeReader
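As an added example (not code from the CUE User Manager project), the Python below models the resolution described in this section end to end: a group template such as ${newsroom}_${name} is compiled into a pattern, each of a user's AD group names is matched against it, the newsroom fragment is looked up in publicationMapping and the name fragment in roleMapping, and the result is the set of roles per publication. The publicationMapping and roleMapping values are the ones on this page; the way the real application tokenises group names, and what it does for a newsroom with no mapping entry, are not documented here, so those parts are assumptions. It also handles the ${publication} and ${ignore} templates, which the page names but does not walk through.

```python
import re

# Constructed sample configuration, in the shape of user-manager.yaml.
# The publicationMapping and roleMapping values are the ones on this page;
# how the real application tokenises group names is not documented here,
# so the template parsing below is an assumption.
PUBLICATION_MAPPING = {
    "sportsdesk": ["football.com", "cricket.com", "golf.com"],
    "tabloid": ["beats.com"],
}

ROLE_MAPPING = {
    "reader": ["reader", "articleWithContentTypeReader"],
    "journalist": ["journalist", "reader",
                   "articleWithContentTypeWriter", "articleWithContentTypeReader"],
    "editor": ["editor", "journalist", "reader",
               "articleWithContentTypeWriter", "articleWithContentTypeReader"],
    "admin": ["publicationadmin", "useradmin", "administrator", "editor",
              "journalist", "reader",
              "articleWithContentTypeWriter", "articleWithContentTypeReader"],
}

# The four identifiers the page lists as valid in a group template.
IDENTIFIERS = {"publication", "newsroom", "name", "ignore"}


def compile_template(template):
    """Turn a template such as '${newsroom}_${name}' into an anchored regex.

    Each ${identifier} becomes a named, non-greedy capture group and the text
    between identifiers is matched literally. Unknown identifiers are rejected
    so a typo in the template fails loudly instead of silently granting nothing.
    """
    pattern, pos = "^", 0
    for m in re.finditer(r"\$\{(\w+)\}", template):
        ident = m.group(1)
        if ident not in IDENTIFIERS:
            raise ValueError(f"unknown identifier ${{{ident}}} in template {template!r}")
        pattern += re.escape(template[pos:m.start()]) + f"(?P<{ident}>.+?)"
        pos = m.end()
    return re.compile(pattern + re.escape(template[pos:]) + "$")


def resolve_groups(groups, template, home_publication=None):
    """Map a user's AD group names to {publication: sorted list of roles}.

    Groups that do not match the template, or whose name fragment has no
    roleMapping entry, are skipped. A newsroom with no publicationMapping
    entry grants nothing (assumption: the page does not say what the real
    application does in that case). With a ${ignore} template the publication
    comes from the SCIM homePublication field, as the page requires.
    """
    regex = compile_template(template)
    grants = {}
    for group in groups:
        m = regex.match(group)
        if not m:
            continue  # group does not follow the naming convention
        parts = m.groupdict()
        roles = ROLE_MAPPING.get(parts.get("name"))
        if roles is None:
            continue  # name fragment has no roleMapping entry
        if "publication" in parts:
            publications = [parts["publication"]]
        elif "newsroom" in parts:
            publications = PUBLICATION_MAPPING.get(parts["newsroom"], [])
        else:
            if not home_publication:
                raise ValueError("${ignore} template requires homePublication on the SCIM user")
            publications = [home_publication]
        for pub in publications:
            grants.setdefault(pub, set()).update(roles)
    return {pub: sorted(roles) for pub, roles in grants.items()}


if __name__ == "__main__":
    # Constructed AD group memberships for one user: two mapped newsrooms,
    # one newsroom without a mapping entry, and a group outside the convention.
    user_groups = ["sportsdesk_journalist", "tabloid_admin", "finance_editor", "Domain Users"]
    for pub, roles in resolve_groups(user_groups, "${newsroom}_${name}").items():
        print(pub, roles)
```

Running it shows the effect of the mapping as a whole: membership of sportsdesk_journalist yields the journalist role set in all three sportsdesk publications, tabloid_admin yields the full admin set in beats.com, and the two other groups contribute nothing. That last point is worth keeping in mind when auditing: a group name that merely looks right but does not match the template is silently ignored, so a user missing permissions is usually a naming problem in AD rather than in the YAML.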

When AD group naming is consistent and the corresponding CUE User Manager mapping is correct, users get the right permissions in CUE Content Store automatically, making AD the master source not only of users but also of authorization to the different publications inside CUE Content Store. The flip side is that whoever can add a user to an AD group can grant that user roles in CUE, so membership of the mapped groups (especially the ones mapped to admin) should be controlled and reviewed as carefully as the CUE permissions themselves.