iCM can be configured to allow users to log in using third party logins rather than a username and password set in iCM. This allows you to connect iCM logins to a range of technologies including ADFS, OpenID Connect and SAML2.
Beta Development
All of the functionality described below is still in beta. We'll be making improvements over the next iCM releases as we get feedback and begin to implement logins more widely. We don't recommend setting this up without talking to us first.
Overview
As well as logging in to iCM using a username and password, you can also use third party identity providers, in the same that that you can for website logins.
When you log into iCM using a third party provider, iCM first creates a website user for you. Your website user is placed in a site group named after the provider (the
Next iCM checks the Site Groups that the website user is a member of. One of those groups must be set as an alias of an iCM user group for the login to work. If there are no aliased groups, the site user will still be created, but the login will fail. iCM's access logs will have an entry for the failed login with further information.
Once an aliased group has been found, one of two things can happen:
- If your website user has been set as an alias of an iCM user, you'll be logged in as that iCM user, in exactly the same way as if you had logged in using the iCM user's username and password
- If your website user is not already an aliased to an iCM user, iCM will create you a brand new iCM user and alias the new website and iCM users together. Your iCM user will be placed in all of the iCM groups that are aliased to website user groups that your site user is a member of
Each time you log in using a website user login, the user groups of your iCM user will be updated to match the aliased groups that the website user is a member of (ie you could be added to new groups or removed from existing groups).
Setup
All of the following need to be in place for third party logins to work.
Enterprise or Subsite Settings
Logins can be enabled in your iCM User Settings and in your Subsite Settings.
The global iCM user settings allow third party logins via the iCM enterprise URL. They can also be inherited by subsites.
At the subsite level, you can choose to use the default global settings, or to create logins specific to this subsite.
To enable a new provider, press "Create". You can then pick a provider that has already been set up in the API Server configuration from the drop-down, which will populate the name and type inputs. Pick "Other" to enter these details manually. The name and type must match a provider to have any effect.
Once enabled, you'll see a new button on the iCM login screen:
The text of this button is fixed. Pressing it will display a list of all of the configured providers:
The text of this button is "Log in with" followed by the
Aliased Groups
iCM Groups can be aliased to a single website user group. When a website user in an aliased group is used as a login, the iCM user that is logged into iCM will be placed into the aliased iCM group. That could be an existing iCM user, or it could be a brand new iCM user, created by iCM, if this is the first time the site login has been used.
A website user must be a member of at least one aliased group to be able to be used as a login.
Aliased Users
Once an iCM user is aliased to a website user, when that site user is used as a login, you'll be logged into iCM as that iCM user.
Currently, existing iCM users have to be manually aliased to website users if you want to enable third party logins for them.
When a third party login is used for the first time iCM will create a website user (as normal for website logins) and a new iCM user, and alias them together. The new iCM user will have the following properties:
- A username based on the user profile fields (in order of preference)
PREFNAME ,FIRSTNAME orGIVENNAMES plus theLASTNAME orFAMILYNAME - A randomly generated password set to expire every day (ie the iCM user isn't meant to be used to log in directly)
- Group membership that matches the aliased groups of the website user
- No privileges or content roots
- An alias to the site user that was used as a login
Supported Functionality
All of the features available to website users is available on the iCM login page. This includes:
- Linking users on login
- Updating profile fields
- Two-factor authentication for the iCM site user provider