MicroStrategy ONE

Map OIDC Users to MicroStrategy

MicroStrategy Intelligence server uses the OIDC assertion attributes configured in the IdP for authentication. This information is passed from OIDC response to map the logged in user to MicroStrategy users and groups stored in the metadata.

User Mapping

User ID information sent in the OIDC response can be used to map to a MicroStrategy user:

  • User ID: MicroStrategy looks for a match of the Name ID to the User ID of the Trusted Authenticated Request setting.

    This field can be set in Developer by opening User Editor > Authentication > Metadata. You can also set this field in Web Administrator by opening Intelligence Server Administration Portal > User Manager. The Trusted Authentication Login field is found in the Authentication tab when editing a user.

When a match is found in the metadata, MicroStrategy logs the user in as the corresponding MicroStrategy user with all of the correct permissions and granted privileges.

If no match is found, this means the OIDC user does not yet exist in MicroStrategy and will be denied access. You can choose to have OIDC users imported into MicroStrategy if no match is found. See Importing and Syncing OIDC Users below for more information.

Importing and Syncing OIDC Users

New users and their associated groups can be dynamically imported into MicroStrategy during application log in. You can also configure the Intelligence server to sync user information for existing MicroStrategy users each time they log in to an application. The following settings are accessed from the Intelligence Server Configuration > Web Single Sign-on > Configuration window in Developer.

  • Allow user to log on if Web Single Sign-on - MicroStrategy user link not found: Controls access to an application when a MicroStrategy user is not found when checking an OIDC response. If unchecked, MicroStrategy denies access to the user. If checked, the user obtains privileges and access rights of a 3rd Party user and Everyone group.

    • Import user and Sync user are not be available unless this setting is turned on.

  • Import user at logon: Allows MicroStrategy to import a user into the metadata if no matching user is found. The imported user populates all the fields that are used to check user mapping with the corresponding OIDC attribute information.

    All users imported this way are placed in the3rd party users group in MicroStrategy and are not physically added to any MicroStrategy groups that match its group membership information.

    After the configuration is complete, the imported user sees a privilege-related error when trying to access the project. To resolve this issue, a MicroStrategy administrator must add the project access privilege for the imported user in the 3rd Party Users group.

  • Synch user at logon: Allows MicroStrategy to update the fields used for mapping users with the current information provided by the OIDC response.

    This option also updates all of a user's group information and import groups into 3rd party users if matching groups are not found. This may result in unwanted extra groups being created and stored in the metadata.