Strategy One
Map OIDC Users to Strategy
Strategy Intelligence server uses the OIDC assertion attributes configured in the IdP for authentication. This information is passed in the OIDC response and is used to map the logged-in user to the Strategy users and groups stored in the metadata.
User Mapping
User ID information sent in the OIDC response can be used to map to a Strategy user:
- User ID: Strategy looks for a match of the Name ID to the User ID of the Trusted Authenticated Request setting.
This field can be set in Developer by opening User Editor > Authentication > Metadata. You can also set this field in Web Administrator by opening Intelligence Server Administration Portal > User Manager. The Trusted Authentication Login field is found in the Authentication tab when editing a user.
When a match is found in the metadata, Strategy logs the user in as the corresponding Strategy user with all of the correct permissions and granted privileges.
If no match is found, the OIDC user does not yet exist in Strategy and is denied access. You can choose to have OIDC users imported into MicroStrategy when no match is found. See Importing and Syncing OIDC Users below for more information.
Importing and Syncing OIDC Users
New users and their associated groups can be dynamically imported into Strategy during application log in. You can also configure the Intelligence server to sync user information for existing Strategy users each time they log in to an application. The following settings are accessed from the Intelligence Server Configuration > Web Single Sign-on > Configuration window in Developer.
- Allow user to log on if Web Single Sign-on - Strategy user link not found: Controls access to an application when no Strategy user is found while checking an OIDC response. If unchecked, Strategy denies access to the user. If checked, the user obtains the privileges and access rights of a 3rd Party user and of the Everyone group.
- Import user at logon: Allows Strategy to import a user into the metadata if no matching user is found. The imported user populates all the fields that are used to check user mapping with the corresponding OIDC attribute information.
All users imported this way are placed in the 3rd Party Users group in Strategy and are not physically added to any Strategy groups that match the user's group membership information.
After the configuration is complete, the imported user sees a privilege-related error when trying to access the project. To resolve this issue, a Strategy administrator must add the project access privilege for the imported user in the 3rd Party Users group.
- Synch user at logon: Allows Strategy to update the fields used for mapping users with the current information provided by the OIDC response.
This option also updates all of a user's group information and imports groups into 3rd Party Users if matching groups are not found. This may result in unwanted extra groups being created and stored in the metadata.
Import user and Sync user are not available unless this setting is turned on.
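The following is an added example, not Strategy's own code, that models how the user-mapping rule above and the three Web Single Sign-on settings combine on a single logon: Name ID matched against the Trusted Authentication Login, denial when no link exists and logon without a link is off, 3rd-Party-only rights when it is on, import into the 3rd Party Users group, and sync of mapping fields and groups. The metadata, claims, group names and the `ProjectAccess` privilege name are constructed for illustration, and the sync behaviour is an assumed interpretation of the description above.

```python
# Added example: a constructed model of the OIDC user-mapping, import and sync
# decisions described on this page. This is not Strategy's code; the metadata,
# claims, group names and privilege name below are all made up for illustration.
from dataclasses import dataclass, field

THIRD_PARTY_GROUP = "3rd Party Users"   # every imported user lands here
EVERYONE_GROUP = "Everyone"
PROJECT_ACCESS = "ProjectAccess"        # hypothetical privilege name


@dataclass
class User:
    login: str
    trusted_auth_login: str             # the Trusted Authentication Login field
    groups: set = field(default_factory=set)
    imported: bool = False


@dataclass
class SsoSettings:
    # the three Web Single Sign-on settings discussed above
    allow_logon_if_link_not_found: bool = False
    import_user_at_logon: bool = False
    sync_user_at_logon: bool = False


@dataclass
class Metadata:
    users: dict              # login -> User
    group_privileges: dict   # group name -> set of privileges granted to members


def find_user(md: Metadata, name_id: str):
    """User mapping: the OIDC Name ID must equal a user's Trusted Authentication Login."""
    for user in md.users.values():
        if user.trusted_auth_login == name_id:
            return user
    return None


def sync_user(md: Metadata, user: User, claims: dict) -> None:
    """Synch user at logon (assumed interpretation): refresh the mapping field and
    replace group membership with the groups named in the response. Groups that do
    not yet exist in the metadata are created with no privileges, which is where
    the 'unwanted extra groups' caveat comes from."""
    user.trusted_auth_login = claims["sub"]
    kept = {THIRD_PARTY_GROUP} if user.imported else set()
    user.groups = kept | set(claims.get("groups", []))
    for group in claims.get("groups", []):
        md.group_privileges.setdefault(group, set())


def map_oidc_user(md: Metadata, settings: SsoSettings, claims: dict):
    """Return (decision, user); decision is 'mapped', 'imported', 'third-party' or 'denied'."""
    name_id = claims.get("sub")
    if not name_id:
        return "denied", None
    user = find_user(md, name_id)
    if user is not None:
        if settings.sync_user_at_logon:
            sync_user(md, user, claims)
        return "mapped", user
    # No link found: nothing else applies unless logon without a link is allowed.
    if not settings.allow_logon_if_link_not_found:
        return "denied", None
    if settings.import_user_at_logon:
        # Import populates the mapping field from the response and places the user
        # only in 3rd Party Users, never in groups matching the response's group list.
        user = User(login=name_id, trusted_auth_login=name_id,
                    groups={THIRD_PARTY_GROUP}, imported=True)
        md.users[user.login] = user
        return "imported", user
    # Logon allowed but no import: session carries 3rd Party user + Everyone rights only.
    return "third-party", None


def can_access_project(md: Metadata, user: User) -> bool:
    """Privileges come from group membership, so a freshly imported user has only
    what the 3rd Party Users group grants; the administrator must add the project
    access privilege to that group to clear the error."""
    return any(PROJECT_ACCESS in md.group_privileges.get(g, set()) for g in user.groups)


def fresh_metadata() -> Metadata:
    """Constructed sample metadata: one linked user and the built-in groups."""
    return Metadata(
        users={"alice": User("alice", "alice@example.com", {"Analysts"})},
        group_privileges={"Analysts": {PROJECT_ACCESS},
                          THIRD_PARTY_GROUP: set(),
                          EVERYONE_GROUP: set()},
    )


if __name__ == "__main__":
    md = fresh_metadata()
    print(map_oidc_user(md, SsoSettings(), {"sub": "alice@example.com"}))
    print(map_oidc_user(md, SsoSettings(), {"sub": "bob@example.com"}))
    s = SsoSettings(allow_logon_if_link_not_found=True, import_user_at_logon=True)
    decision, bob = map_oidc_user(md, s, {"sub": "bob@example.com"})
    print(decision, bob.groups, can_access_project(md, bob))
```

Running it shows the sequence an administrator usually hits: the unknown user is denied with default settings, is imported into 3rd Party Users once the two settings are on, and still fails `can_access_project` until the project access privilege is granted to that group.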
