Task #2887
closed
- % Done changed from 0 to 10
I am able to create a user.
An issue occurred with the search operation. A guest account has a UPN in the format somemeail_domain.com#EXT#@bcvcz.onmicrosoft.com, but if I use this value in the Graph API SDK, the value is cropped and only the part before the first # is used.
For search there is a workaround: searching via the filter parameter, and it works.
Another issue is with the update operation; a similar one will occur with delete too.
The Graph API SDK has the UPN as a method parameter, but for some reason it is cropping the value, so again the update/delete will fail because it can't find the user.
One possible workaround is to make one extra call to get the user UUID and use this instead.
- % Done changed from 10 to 20
The previous issue with the guest UPN can be solved by encoding the UPN. In the end the SDK is building a request URL, so if we encode the UPN, the encoded value will get into the request correctly and it works.
This solution is working for the search operation, so it should work for the others as well.
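The cropping and the encoding fix described above can be reproduced with plain URL parsing. This is an added example, not part of the original ticket or the connector's code. The function names are hypothetical, and the unencoded concatenation in `user_url_raw` is an assumed model of how the request URL ends up being built.

```python
from urllib.parse import parse_qs, quote, unquote, urlsplit

GRAPH_USERS = "https://graph.microsoft.com/v1.0/users"
# UPN in the format quoted in the ticket.
GUEST_UPN = "somemeail_domain.com#EXT#@bcvcz.onmicrosoft.com"


def user_url_raw(upn):
    """Assumed model of the failing case: UPN placed in the path unencoded."""
    return f"{GRAPH_USERS}/{upn}"


def user_url_encoded(upn):
    """Percent-encode the UPN as one path segment ('#' -> %23, '@' -> %40)."""
    return f"{GRAPH_USERS}/{quote(upn, safe='')}"


def user_filter_url(upn):
    """Filter workaround: OData string literal (quotes doubled), then encoded."""
    literal = upn.replace("'", "''")
    expr = f"userPrincipalName eq '{literal}'"
    return f"{GRAPH_USERS}?$filter={quote(expr, safe='')}"


def requested_key(url):
    """User key the server receives: last path segment, percent-decoded.
    Everything after the first '#' is a fragment and is never sent."""
    return unquote(urlsplit(url).path.rsplit("/", 1)[-1])


def requested_filter(url):
    """$filter expression the server receives after decoding the query."""
    return parse_qs(urlsplit(url).query)["$filter"][0]


if __name__ == "__main__":
    for build in (user_url_raw, user_url_encoded):
        url = build(GUEST_UPN)
        print(f"{build.__name__}: {url}\n  server sees: {requested_key(url)!r}")
    url = user_filter_url(GUEST_UPN)
    print(f"user_filter_url: {url}\n  server sees: {requested_filter(url)!r}")
```

Encoding must happen exactly once: if the SDK or HTTP client encodes the segment again, `%23` becomes `%2523` and the lookup fails in a different way.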
- % Done changed from 20 to 80
Tested operations with guest:
- Create
- Create with licence (the operation will fail, but the user is created. The user is not created in the cloud immediately, so the assignment fails. Retrying provisioning solves this)
- Update
- Assign licence later
- Remove licence
- Delete User
Some notes:
- The identifier in IdM is the UPN, which needs to be in the format somemeail_domain.com#EXT#@bcvcz.onmicrosoft.com
- The attribute mail must be sent, because the value from this attribute is used for sending the invite
- The guest is created only with email and display name; other attributes are not used. They can be updated later, e.g. firstname, lastname
Things to improve:
- Creating an invitation needs a filled-in URL to which the user will be redirected after accepting - make it configurable in the connector or in the mapping?
- Sending the mail with the invitation is always on. Make it configurable in the connector?
- % Done changed from 80 to 90
The connector will perform an update right after the create operation. The reason for it is that creating via invitation supports only displayName and email.
This way we are able to set additional attributes directly.
One limitation of this solution is that in most cases it will probably fail.
But it will end up in the provisioning queue in IdM, and when the operation is retried it will correctly perform the update.
Another option would be to implement some queue or delay in the connector, but I am not sure that it would be a better solution, because the create operation would take more time.
- % Done changed from 90 to 100
- Status changed from In Progress to Closed