Akumen Users, Roles & OIDC

Users

When users are created automatically, they are in effect linked to the OIDC provider via the email address. This way, any users already in an Akumen tenancy can be converted from a local user to an OIDC user by simply ensuring the email address matches the OIDC provider’s email address, and setting the IsExternallyAuthenticated flag to true (note that this flag is only available for OIDC clients).

This also means that users can be created without the flag set, so an admin user for the tenancy can still log in without being authenticated against the OIDC provider.

Roles

Where roles are returned from the OIDC provider as claims and the user attempts to log in, all existing role memberships for that user are cleared from Akumen. Akumen then looks at the Auth Group Name field of each role to match the claim with an Akumen role. If a returned claim matches an Akumen role via the Auth Group Name field, the user is added to that role. If no roles are configured, the user will be denied access to Akumen.

If there are no roles returned in the claims by the provider (e.g. Google), Akumen will use its own internal roles.
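The role synchronisation described above, modelled as an added example (this is not Akumen's own code; the `Role`, `User` and `AccessDenied` names and the `auth_group_name` field are assumptions standing in for the Auth Group Name field). It shows the three cases a reviewer should distinguish: claims that match a role, claims that match nothing, and no role claims at all.

```python
from dataclasses import dataclass, field
from typing import Iterable, Optional, Set


@dataclass
class Role:
    name: str
    auth_group_name: Optional[str] = None  # assumed name for the "Auth Group Name" field


@dataclass
class User:
    email: str
    is_externally_authenticated: bool = False
    roles: Set[str] = field(default_factory=set)  # current Akumen role names


class AccessDenied(Exception):
    pass


def apply_oidc_roles(user: User, role_claims: Optional[Iterable[str]], akumen_roles: Iterable[Role]) -> Set[str]:
    """Resolve a user's Akumen roles from the provider's role claims at login.

    role_claims: role/group values from the OIDC claims, or None/empty when the
                 provider returned no role claims (e.g. Google).
    Returns the resulting set of role names; raises AccessDenied when claims
    were returned but none maps to a configured role.
    """
    claims = list(role_claims or [])
    if not claims:
        # No roles in the claims: Akumen falls back to its own internal roles.
        return set(user.roles)

    # Claims were returned, so existing membership is cleared before matching.
    user.roles.clear()
    by_group = {r.auth_group_name: r.name for r in akumen_roles if r.auth_group_name}
    for claim in claims:
        if claim in by_group:
            user.roles.add(by_group[claim])

    if not user.roles:
        # Nothing configured matched the claims: the login is refused.
        raise AccessDenied(f"no Akumen role matches claims {sorted(claims)} for {user.email}")
    return set(user.roles)
```

Note that a user whose provider sends claims loses every internal role that has no matching Auth Group Name, while a user whose provider sends none keeps them.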