# gooddata-cn
t
Hello, we deployed GoodData.CN CE and set up an OIDC provider (AAD) to log in to the GDCN instance. According to the docs, we have to map each user to a GDCN user. Is it possible to map all users in general, so that every user who logs in via the OIDC provider gets automatically mapped to a certain userGroup (or other default relationship)?
The idea is to not call the “map user” API call for every user in OIDC.
r
No, it's not possible. User entities must exist in GoodData.CN and they must be bound to the corresponding user in the identity provider via the authenticationId attribute.
t
ok thanks 😉
j
Would you consider an option (having "admin" access to OIDC) to fetch all users from the provider, generate a declarative users document and put it to our platform (with our python-sdk)? You could run it regularly and automatically provision/de-provision users.
t
OK, we might consider it, although there are more options as well, which is good.
One more question - can the value of `authenticationId` be a foreseeable string, such as an email, for example john.doe@mycompany.com? I don’t see any problem in this, just want to make sure I’m not overlooking something here.
r
`authenticationId` is actually driven by the contents of the `sub` claim in the OAuth2 token. So it depends on your Identity Provider, what it sets into this claim.