Configuring the IdP
For internal users, the IdP must store:
- The user's credentials (for example, user name and password)
For external users, the IdP must store:
- The user's credentials (for example, user name and password)
- The list of API roles that are to be granted to the user
- The user's resource access IDs
The IdP must provide this information to Guidewire Hub when it asserts the user's identity. This information is used to verify the user's identity and to determine the user's endpoint and resource access.
Note: The IdP is relevant only for the internal user auth flow and external user auth flow. The
service auth flows (standalone service, service with user context, and service with service
account mapping) do not make use of an IdP. When you implement a service flow, there are no
IdP requirements.
Configure the IdP for internal users
Before you begin
Procedure
- Configure your IdP so that every internal user is associated with their user credentials (such as user name and password).
-
Configure your IdP so that when an internal user is verified, the authorization
information is asserted using the following attribute names:
- User name is asserted as
pc_username
.
- User name is asserted as
Configure the IdP for external users
Before you begin
Procedure
-
Configure your IdP so that it knows all of the API roles that are assigned to any
external user.
- Typically, this is done with IdP groups.
- Each group name must be prefixed with
"
gwa.<planetclass>.pc.
", where<planetclass>
is set to either "prod
", "preprod
", or "lower
". - After this prefix, each group name must be identical to a Cloud API role name.
- For example, to assign users to an API role named
"Account_Holders" for a production planet, the IdP group must be named
"
gwa.prod.pc.Account_Holders
".
- Configure your IdP so that every external user is associated with their user credentials (such as user name and password).
- Configure your IdP so that every external user is associated with their API roles.
-
Configure your IdP so that every external user is associated with the correct
resource access IDs:
- For account holders, this is an array of one or more account numbers.
-
Configure your IdP so that when an external user is verified, the authorization
information is asserted using the following attribute names:
- API roles are asserted as an array named groups.
- Resource access IDs for account holders are asserted as an array
named
pc_accountNumbers
.