Task #2887

closed

Support for Guest user type

Added by Roman Kučera almost 3 years ago. Updated almost 3 years ago.

Status: Closed
Priority: Normal
Assignee: Roman Kučera
Target version:
Start date: 07/14/2021
Due date:
% Done: 100%
Estimated time:
Owner:

Description

Creating guest access via invitation: https://docs.microsoft.com/en-us/graph/api/invitation-post?view=graph-rest-1.0&tabs=java

Support all CRUD operations. Only create should be different.
The type of user is in the attribute userType, with values "Member" or "Guest".

Actions #1

Updated by Roman Kučera almost 3 years ago

  • % Done changed from 0 to 10

I am able to create a user.
An issue with the search operation occurred. The guest account has UPN in format but if I use this value in the Graph API SDK, the value is cropped and only the part before the first # is used.
For search there is a workaround to search via the filter parameter and it works.
Another issue is with the update operation; a similar one will occur with delete too.

The Graph API SDK has UPN as a method parameter, but for some reason it is cropping the value, so again the update/delete will fail because it can't find the user.
One possible workaround is to make one extra call to get the user UUID and use this instead.

Actions #2

Updated by Roman Kučera almost 3 years ago

  • % Done changed from 10 to 20

The previous issue with the guest UPN can be solved by encoding the UPN. In the end the SDK is building the request URL. So if we encode the UPN, then the encoded value will get to the request correctly and it works.
This solution is working for the search operation, so it should work for the others as well.
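
The cropping and the encoding fix described in the notes above, as an added example that is not part of the ticket or the connector's code: everything from the first `#` in a URL is a fragment and is never sent to the server, so a guest UPN used as a path segment must be percent-encoded. The class name, helper names and the sample UPN are assumptions made for illustration.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

public class GuestUpnEncoding {
    // Graph v1.0 users collection; the user key is appended as one path segment.
    static final String USERS = "https://graph.microsoft.com/v1.0/users/";

    // Percent-encode a UPN for use as a single path segment.
    // URLEncoder does form encoding, so a space would become '+'; map it to %20 for paths.
    static String encodeSegment(String upn) {
        return URLEncoder.encode(upn, StandardCharsets.UTF_8).replace("+", "%20");
    }

    // The part of a URL that is actually sent to the server: per RFC 3986 the
    // fragment (everything from the first '#') stays on the client.
    static String sentToServer(String url) {
        int hash = url.indexOf('#');
        return hash < 0 ? url : url.substring(0, hash);
    }

    // The user key the service would resolve: last path segment, percent-decoded.
    static String userKeySeen(String url) {
        String path = URI.create(sentToServer(url)).getPath();
        return path.substring(path.lastIndexOf('/') + 1);
    }

    public static void main(String[] args) {
        // Constructed sample value containing '#', not taken from the ticket.
        String guestUpn = "alice_example.com#EXT#@contoso.onmicrosoft.com";

        String raw = USERS + guestUpn;
        String encoded = USERS + encodeSegment(guestUpn);

        System.out.println("raw URL     : " + raw);
        System.out.println("  key seen  : " + userKeySeen(raw));
        System.out.println("encoded URL : " + encoded);
        System.out.println("  key seen  : " + userKeySeen(encoded));

        // The raw URL loses everything after the first '#'; the encoded one round-trips.
        if (userKeySeen(raw).equals(guestUpn)) throw new AssertionError("raw UPN should be cropped");
        if (!userKeySeen(encoded).equals(guestUpn)) throw new AssertionError("encoded UPN must round-trip");
    }
}
```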

Actions #3

Updated by Roman Kučera almost 3 years ago

  • % Done changed from 20 to 80

Tested operations with guest:
  • Create
  • Create with licence (the operation will fail, but the user is created. The user is not created in the cloud immediately, so assigning fails. Retrying provisioning solves this)
  • Update
  • Assign licence later
  • Remove licence
  • Delete User

Some notes:
  • The identifier in IdM is the UPN, which needs to be in format
  • The attribute mail must be sent, because the value from this attribute is used for sending the invite
  • The guest is created only with email and display name; other attributes are not used. They can be updated later, e.g. firstname, lastname

Things to improve:
  • Creating an invitation needs a filled-in URL to which the user will be redirected after accepting - make it configurable in the connector or in the mapping?
  • Sending mail with the invitation is always on. Make it configurable in the connector?

Actions #5

Updated by Roman Kučera almost 3 years ago

  • % Done changed from 80 to 90

Actions #6

Updated by Roman Kučera almost 3 years ago

The connector will perform an update right after the create operation. The reason for it is that creating via invitation supports only displayName and email.
This way we are able to set additional attributes directly.
One limitation of this solution is that in most cases it will probably fail.
But it will end up in the provisioning queue in IdM, and when the operation is retried it will correctly perform the update.

Another option would be to implement some queue or delay in the connector, but I am not sure that it would be a better solution, because the create operation would take more time.

Actions #7

Updated by Roman Kučera almost 3 years ago

  • % Done changed from 90 to 100

Feedback in #2888#note-1

Actions #8

Updated by Roman Kučera almost 3 years ago

  • Status changed from In Progress to Closed

released