Configuring the IdP
For internal users, the IdP must store:
- The user's credentials (for example, user name and password)
For external users, the IdP must store:
- The user's credentials (for example, user name and password)
- Either:
- The list of API roles that are to be granted to the user and the user's resource access IDs, OR
- A lookup value that can be used by the IExpandTokenPlugin plugin to retrieve the user's list of API roles and resource access IDs from an additional authorization application
The IdP must provide its information to Guidewire Hub when it asserts the user's identity.
Configure the IdP for internal users
Before you begin
Procedure
- Configure your IdP so that every internal user is associated with their user credentials (such as user name and password).
-
Configure your IdP so that when an internal user is verified, the authorization
information is asserted using the following attribute names:
- User name is asserted as
pc_username.
- User name is asserted as
Configure the IdP for external users
Before you begin
This procedure is necessarily only when using the external user auth flow. It is not necessary for the service with user context flow, even if the user in the user context is an external user.
For Cloud API to determine a user's endpoint access and resource access, it must know the user's API roles and resource access IDs. Either or both sets of values can be stored in the IdP. Alternately, either or both sets of values can be stored in an additional authorization application. Whenever the values are stored in an additional authorization application, the IdP must still provide some sort of lookup value that the IExpandTokenPlugin plugin can use to retrieve the information from the additional authorization application, such as the user's name as it is known to the additional authorization application.
Procedure
- Configure your IdP so that every external user is associated with their user credentials (such as user name and password).
-
If you store API roles in the IdP, configure your IdP so that it knows all of the API
roles that are assigned to any external user.
- Typically, this is done with IdP groups.
- Each group name must be prefixed with
"
gwa.<planetclass>.pc.", where<planetclass>is set to either "prod", "preprod", or "lower". - After this prefix, each group name must be identical to a Cloud API role name.
- For example, to assign users to an API role named "Account_Holders"
for a production planet, the IdP group must be named
"
gwa.prod.pc.Account_Holders".
- If you store API roles in the IdP, configure your IdP so that every external user is associated with their API roles.
-
If you store resource access IDs in the IdP, configure your IdP so that
every external user is associated with the correct resource access IDs:
- For account holders, this is an array of one or more account numbers.
-
If you store API roles and/or resource access IDs in the IDP, configure your IdP so
that when an external user is verified, the authorization information is asserted using
the following attribute names:
- API roles are asserted as an array named groups.
- Resource access IDs for account holders are asserted as an array
named
pc_accountNumbers.
- If you do not store either API roles and/or resource access IDs in the IDP, configure your IdP so that when an external user is verified, the SAML response includes one or more lookup values that the IExpandTokenPlugin plugin can use to retrieve either API roles and/or resource access IDs from the appropriate additional authorization application. For more information on configuring the IExpandTokenPlugin plugin, see Configuring the IExpandTokenPlugin plugin.