Introduction
A user population groups one or more user directories from different data sources (LDAP, SQL, ...) together with the identification methods used to authenticate their users.
For example, users from an LDAP directory identified via CAS.
Display user populations
In the Users, groups and rights tab, click on the Populations button:
The Populations tool opens. You'll find a list of populations already created:
Add a population
To add a population, click on the New population button in the Populations tab:
A dialog box appears, allowing you to set up your population step by step.
You must first choose a label for the new population. You can also choose an identifier other than the label by clicking on the Advanced button:
Click on the Next button. Now you need to set up the user directory or directories that will make up your population. Depending on the type of directory, different parameters need to be entered:
For an SQL database user directory, specify:
- the name of the user directory. If the same type of user directory appears several times, this label is used to differentiate between them. It is visible in the administration area and in the back office,
- the database to be used,
- the name of the table containing the users.
You can create the database link on the fly by clicking on the button next to the field. More information on data sources here.
For an LDAP user directory, specify:
- the name of the user directory. If the same type of user directory appears several times, this label is used to differentiate between them. It is visible in the administration area and in the back office,
- the LDAP server to be used,
- the relative DN of the people branch,
- a filter used to search for users in the LDAP directory,
- the search scope in the LDAP directory (Object, One level or Sub tree),
- the name of the attribute containing the user identifier in the search object,
- the name of the attribute containing the user's first name in the search object,
- the name of the attribute containing the user's last name in the search object,
- the name of the attribute containing the user's email in the search object,
- whether the email attribute is mandatory,
- whether users should be sorted in search results (by last name, then first name). Uncheck this option if the user search is very slow.
You can create the link to the LDAP directory on the fly by clicking on the button next to the field. More information on data sources here.
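To make the LDAP settings above concrete, the following Python example (added here, not part of the Ametys documentation or code base) shows how the people branch, the user filter, the search scope and the identifier attribute combine into the search that resolves a login. The names `build_user_search`, `escape_filter_value` and the mapping of the page's scope labels to the protocol scope names are assumptions for this illustration. The security-relevant part is the escaping of the login: a value pasted into the filter unescaped would let special characters change the meaning of the search, which is why RFC 4515 escaping is applied before the login is interpolated.

```python
# Added example: composing an LDAP user lookup from the population settings.
# Not Ametys code; names and the scope mapping below are assumptions.

# Scope labels as shown on the page, mapped (assumption) to LDAP protocol scopes.
SCOPES = {"Object": "base", "One level": "one", "Sub tree": "sub"}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    Characters with special meaning in filters are replaced by their
    backslash-hex form, so user input can never alter the filter structure.
    """
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_user_search(people_rdn: str, server_base_dn: str, user_filter: str,
                      scope: str, id_attr: str, login: str) -> dict:
    """Return the base DN, scope and filter used to look up one login.

    people_rdn     - relative DN of the people branch (setting on the page)
    server_base_dn - base DN of the configured LDAP data source (assumption)
    user_filter    - filter restricting which entries are users
    scope          - one of the page's scope labels
    id_attr        - attribute holding the user identifier
    login          - the login typed by the user (untrusted input)
    """
    if scope not in SCOPES:
        raise ValueError(f"unknown scope {scope!r}; expected one of {list(SCOPES)}")
    # Relative DN is prefixed to the data source's base DN.
    search_base = f"{people_rdn},{server_base_dn}" if people_rdn else server_base_dn
    # Normalise a filter typed without surrounding parentheses.
    if not user_filter.startswith("("):
        user_filter = f"({user_filter})"
    # The login clause is AND-ed with the configured user filter; the login
    # itself is escaped so it can only ever match as a literal value.
    login_clause = f"({id_attr}={escape_filter_value(login)})"
    return {
        "base": search_base,
        "scope": SCOPES[scope],
        "filter": f"(&{user_filter}{login_clause})",
    }


if __name__ == "__main__":
    # Constructed sample settings, not taken from any real directory.
    for login in ("jdoe", "*", "jdoe)(objectClass=*"):
        print(build_user_search("ou=people", "dc=example,dc=org",
                                "(objectClass=inetOrgPerson)", "Sub tree",
                                "uid", login)["filter"])
```

Running the block shows that a plain login gives `(&(objectClass=inetOrgPerson)(uid=jdoe))`, while `*` becomes `\2a` and parentheses become `\28`/`\29`, so the filter keeps matching a single literal identifier whatever the user types.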
For a Static user directory, specify:
- the name of the user directory. If the same type of user directory appears several times, this label is used to differentiate between them. It is visible in the administration area and in the back office,
- the users that will be defined statically. Enter one user per line, in the format login:lastname:firstname:email. Only the login is mandatory.
For an EntraID user directory, specify:
- the name of the identification mode. If the same identification mode is used several times, this label is used to differentiate between them. Note: it is visible in the administration area and in the back office, but also on the login screens (preceded by the words 'Login by'),
- the application identifier obtained when registering the application in EntraID,
- the tenant ID ("Tenant"), which identifies the organization,
- the secret key linked to the application,
- a filter if you wish to retrieve only certain users (OData 4.0 syntax).
To set up multiple user directories, click on the corresponding button:
Please note that, as indicated in the dialog box opposite, a login must be unique within a user population. If you are using multiple directories, you must ensure that no login appears in more than one of these directories.
If you have any doubts about uniqueness, we recommend that you create separate populations.
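The static directory format and the login uniqueness rule above are easy to check before a population is saved. The Python example below is an added illustration, not Ametys code: `parse_static_directory` reads the login:lastname:firstname:email lines (only the login is mandatory; skipping blank lines is an assumption of this example), and `find_duplicate_logins` takes the logins known from each directory of a population and reports those that appear in more than one, which is exactly the situation the page says must be avoided.

```python
# Added example: parsing a static user directory and checking that logins
# stay unique across the directories of a population. Not Ametys code.
from dataclasses import dataclass


@dataclass
class StaticUser:
    login: str
    lastname: str = ""
    firstname: str = ""
    email: str = ""


def parse_static_directory(text: str) -> list:
    """Parse lines in the login:lastname:firstname:email format.

    Only the login is mandatory; missing trailing fields are left empty.
    Blank lines are ignored (assumption). A duplicate login inside the same
    static directory is rejected, since a login must be unique.
    """
    users = []
    seen = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        # At most 4 fields: the email keeps any extra colons intact.
        parts = [p.strip() for p in line.split(":", 3)]
        login = parts[0]
        if not login:
            raise ValueError(f"line {lineno}: the login is mandatory")
        if login in seen:
            raise ValueError(f"line {lineno}: duplicate login {login!r}")
        seen.add(login)
        fields = parts[1:] + [""] * (4 - len(parts))
        users.append(StaticUser(login, *fields))
    return users


def find_duplicate_logins(directories: dict) -> dict:
    """Given {directory label: [logins]}, return the logins present in more
    than one directory, mapped to the labels of the directories holding them.
    An empty result means the population satisfies the uniqueness rule.
    """
    owners = {}
    for label, logins in directories.items():
        for login in set(logins):
            owners.setdefault(login, []).append(label)
    return {login: labels for login, labels in owners.items() if len(labels) > 1}


if __name__ == "__main__":
    # Constructed sample data, not from any real deployment.
    static = parse_static_directory(
        "admin:Doe:John:john.doe@example.org\n"
        "bob\n"
        "alice:Smith\n"
    )
    ldap_logins = ["bob", "carol"]  # pretend these came from an LDAP search
    report = find_duplicate_logins({"Static": [u.login for u in static],
                                    "LDAP": ldap_logins})
    print(report)  # bob is defined in both directories
```

If the report is not empty, either remove the login from one directory or, as the page recommends when in doubt, put the directories in separate populations.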
Once the directories have been set up, click Next, then set the user identification mode(s).
Depending on the identification mode, different parameters may need to be entered:
For request header mode, specify:
- the name of the identification mode. If the same identification mode is used several times, this label is used to differentiate between them. Note: it is visible in the administration area and in the back office, but also on the login screens (preceded by the words 'Login by'),
- the name of the request header containing the user login,
- the value by which domains are prefixed.
For form mode, specify:
- the name of the identification mode. If the same identification mode is used several times, this label is used to differentiate between them. Note: it is visible in the administration area and in the back office, but also on the login screens (preceded by the words 'Login by'),
- the security level of the CMS login form:
  - Focus on convenience: form fields are autocompleted and the password can be remembered,
  - Prioritize security: no password memorization, captcha protection,
- the database that will store the reconnection cookies or the number of failed login attempts, depending on the security level chosen.
You can create the database link on the fly by clicking on the button next to the field. More information on data sources here.
For automatic identification mode, specify:
- the name of the identification mode. If the same identification mode is used several times, this label is used to differentiate between them. Note: it is visible in the administration area and in the back office, but also on the login screens (preceded by the words 'Login by'),
- the user login.
For Kerberos mode, specify:
- the name of the identification mode. If the same identification mode is used several times, this label is used to differentiate between them. Note: it is visible in the administration area and in the back office, but also on the login screens (preceded by the words 'Login by'),
- the IP address or domain name used to contact the KDC (Key Distribution Center),
- the user realm (domain) on the KDC,
- the login of the Ametys user authorized on the Active Directory,
- the password of the Ametys user authorized on the Active Directory,
- a regular expression describing the client IP addresses authorized to use this authentication. If the server is not in the client's list of 'trusted' sites, HTTP authentication may display a login window, making the process non-transparent. It is therefore strongly recommended to restrict this authentication to IP addresses whose client browser configuration is under control (generally, machines on the internal network). Examples:
  - ^172\..*$: accepts all addresses beginning with '172.',
  - (^172\..*$)|(^168\..*$)|(^127\.0\.0\.1$): accepts all addresses starting with '172.' or '168.', as well as '127.0.0.1'.
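The IP address restriction above is worth testing before it goes live, because a regular expression that is too loose silently widens the set of clients offered Kerberos authentication. The Python example below is an added illustration, not Ametys code; `is_allowed` and `choose_authentication` are names assumed for this example, and the behaviour shown is that of the two expressions given on the page, plus an unanchored variant to show why the `^` and `$` anchors matter. The address checked must be the real remote address of the connection, not a value taken from a header the client controls.

```python
# Added example: evaluating the Kerberos client IP restriction.
# Not Ametys code; function names are assumptions for this illustration.
import re


def is_allowed(pattern: "re.Pattern", remote_addr: str) -> bool:
    """Return True if the remote address matches the configured expression.

    re.search is used deliberately: it finds the pattern anywhere in the
    address, so the expression itself must carry the ^ and $ anchors that
    the page's examples include.
    """
    return pattern.search(remote_addr) is not None


def choose_authentication(pattern: "re.Pattern", remote_addr: str) -> str:
    """Decide which path a client gets: transparent Kerberos for authorized
    addresses, the ordinary login screen for everyone else (so that clients
    outside the controlled network never see a browser authentication popup).
    """
    return "kerberos" if is_allowed(pattern, remote_addr) else "login-screen"


# The two expressions given on the page.
ONLY_172 = re.compile(r"^172\..*$")
INTERNAL = re.compile(r"(^172\..*$)|(^168\..*$)|(^127\.0\.0\.1$)")

# A loosened variant without anchors, kept here only to show the pitfall.
UNANCHORED_172 = re.compile(r"172\..*")


if __name__ == "__main__":
    # Constructed sample addresses, not from any real network.
    for addr in ("172.16.0.7", "10.172.0.5", "168.1.2.3", "127.0.0.1", "127.0.0.2"):
        print(f"{addr:12} only_172={choose_authentication(ONLY_172, addr):13}"
              f" internal={choose_authentication(INTERNAL, addr):13}"
              f" unanchored={choose_authentication(UNANCHORED_172, addr)}")
```

With the anchored expression, 10.172.0.5 is sent to the login screen; with the unanchored variant, the same address is offered Kerberos authentication because "172." is found in the middle of it. Keep the anchors from the page's examples when writing your own.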
For browser popup mode, specify:
- the name of the identification mode. If the same identification mode is used several times, this label is used to differentiate between them. Note: it is visible in the administration area and in the back office, but also on the login screens (preceded by the words 'Login by'),
- the name of the authentication domain (or 'Realm').
For C.A.S. server mode, specify:
- the name of the identification mode. If the same identification mode is used several times, this label is used to differentiate between them. Note: it is visible in the administration area and in the back office, but also on the login screens (preceded by the words 'Login by'),
- the URL of the C.A.S. server,
- whether you wish to request "Proxy-Tickets" (PT),
- whether you wish to authorize any proxy. If so, the authorized proxy server chain is ignored,
- the proxy server chain authorized by C.A.S.,
- whether you wish to activate gateway mode. When gateway mode is activated, a user already logged in to the C.A.S. is seamlessly logged in to Ametys. If the C.A.S. URL is not reachable by all users who need to connect to Ametys (on an intranet, for example), this mode should be deactivated, as it could prevent them from reaching the authentication screen (error code 404 or 403).
The Check CAS server URL button checks that the specified URL is valid by attempting to establish a connection.
For EntraID mode, specify:
- the name of the identification mode. If the same identification mode is used several times, this label is used to differentiate between them. Note: it is visible in the administration area and in the back office, but also on the login screens (preceded by the words 'Login by'),
- the application identifier obtained when the application is registered in EntraID,
- the tenant ID ("Tenant"), which identifies the organization,
- the secret key linked to the application,
- whether you wish to force the authentication mechanism to display the user selection dialog box,
- whether you wish to activate silent authentication.
To set up several identification modes, click on the corresponding button:
Click on the Finish button: your population is created and listed in the Populations tool.
Activate a population
When you create a population, it is activated automatically. In the Populations tool, you can see both activated and deactivated populations:
To activate or deactivate a population, select it from the list and click on the Activate population button:
Activate population button when the selected population is active:
Activate population button when the selected population is not active:
Modify a population
To modify a population, select it from the list and click on the Modify button:
Delete a population
It is also possible to delete a population, but only if it is not used by any site.
Select the population from the list, then click on the Delete button:
A confirmation pop-up window is displayed to confirm your choice.