Alternate Authentication

When user accounts are managed externally via an Identity Provider (IdP), a corresponding user is created in STEP to synchronize with the IdP user. By default, the STEP user ID shares the same value as the IdP externally maintained ID. However, externally maintained IDs can exceed the 40-character limit enforced by the STEP user ID parameter, preventing synchronization based on STEP user ID. Configuring alternate authentication in STEP allows you to use an external ID and enables STEP to authenticate with your IdP (e.g., Keycloak) without ID length constraints.

Consider the following when using alternate authentication:

  • Creating users - With alternate authentication, users synchronized from the external IdP are created based on the unique key value provided, and their STEP ID is autogenerated. For all other creation methods (in the workbench, via STEPXML import, or via the REST API V2 'PUT' resource), the STEP ID is mandatory.

  • Updating users - REST API V2 supports getting or updating user info using the user key instead of STEP ID. Refer to the REST API V2 section of the Technical Documentation accessible at [system]/sdk or from the Resources section of the system's Start Page.

For example, Active Directory (AD) assigns each user a unique User Principal Name (UPN), which can be used to identify the user on STEP. A UPN may be the user's email address (e.g., Alexandriana.Westmoreland@acmecorporation.com) or may include a UUID (e.g., Joe.Lee@acmecorporation.com.e80cc70f-4a6a-44fa-8041-4d15c63a0766).

When all IdP configuration and the STEP configuration outlined in this topic are complete, a link to use the external ID is displayed on the Start Page below the 'IDP managed user login' heading, as shown below:

Within STEP Workbench, a user that is configured to use an external ID displays as follows:

  • ID - An automatically generated UUID.

  • External ID description attribute ('UserExternalID' in this image) - Displays the ID assigned by the IdP, potentially the UPN. This value is required to access STEP.

Configuration

To access STEP using an external ID, complete the following configuration:

  1. Create an externally maintained description attribute valid for User objects to hold the alternate ID as defined in the Creating Attributes topic. Set the Attribute Validation parameters to comply with the restrictions of the IdP, including Validation Base Type and Maximum Length. For additional information, refer to the Description Attributes topic.

  2. Create a key to ensure ID uniqueness as defined in the Creating and Deleting Keys topic.

  3. Activate the key as defined in the Activating and Deactivating Keys topic.

  4. In the Stibo Systems Service Portal, submit a ticket to request setting the OAuthSSO.UserIdentification.KeyID configuration property, and provide the ID of your newly created Key for the external ID.
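The following Python model is an added illustration of the user mapping this topic describes; it is not STEP, Keycloak or Stibo Systems code and does not call any STEP API. It assumes an external-ID attribute named 'UserExternalID' with a configurable Maximum Length (the Validation parameter from step 1), treats the key from steps 2 and 3 as a uniqueness constraint on that attribute, and shows the two creation paths from the 'Creating users' note: IdP synchronization, where the STEP ID is an autogenerated UUID, and manual creation, where the STEP ID is mandatory and still subject to the 40-character limit. The UPN values are the ones quoted in this topic.

```python
"""Model of STEP alternate authentication (illustration only, not STEP code)."""
import uuid
from dataclasses import dataclass
from typing import Optional

STEP_USER_ID_MAX_LENGTH = 40  # limit on the STEP user ID stated in this topic


@dataclass
class ExternalIdAttribute:
    """Externally maintained description attribute holding the IdP identity.

    attribute_id: assumption, matches the 'UserExternalID' name used in the topic.
    max_length:   assumption, the Maximum Length validation set to suit the IdP.
    """
    attribute_id: str = "UserExternalID"
    max_length: int = 255

    def validate(self, value: str) -> None:
        """Enforce the attribute's validation parameters before the value is stored."""
        if not value:
            raise ValueError(f"{self.attribute_id} must not be empty")
        if len(value) > self.max_length:
            raise ValueError(
                f"{self.attribute_id} value exceeds Maximum Length {self.max_length}"
            )


@dataclass
class StepUser:
    step_id: str      # STEP user ID (UUID when created by IdP synchronization)
    external_id: str  # value of the external-ID attribute, e.g. the UPN


def fits_step_id(external_id: str) -> bool:
    """True if the IdP identity could itself serve as the STEP user ID."""
    return len(external_id) <= STEP_USER_ID_MAX_LENGTH


class UserDirectory:
    """In-memory stand-in for STEP's user objects plus the active uniqueness key."""

    def __init__(self, attribute: ExternalIdAttribute) -> None:
        self.attribute = attribute
        # The active key: one STEP user per external-ID value.
        self._by_external_id: dict[str, StepUser] = {}

    def sync_from_idp(self, external_id: str) -> StepUser:
        """IdP synchronization path: STEP ID is autogenerated.

        A repeated sync with the same key value returns the existing user rather
        than creating a duplicate, which is what the activated key guarantees.
        """
        self.attribute.validate(external_id)
        existing = self._by_external_id.get(external_id)
        if existing is not None:
            return existing
        user = StepUser(step_id=str(uuid.uuid4()), external_id=external_id)
        self._by_external_id[external_id] = user
        return user

    def create_manually(self, step_id: str, external_id: str) -> StepUser:
        """Workbench / STEPXML / REST API V2 PUT path: STEP ID is mandatory."""
        if not step_id:
            raise ValueError("STEP ID is mandatory for non-IdP creation")
        if len(step_id) > STEP_USER_ID_MAX_LENGTH:
            raise ValueError(f"STEP ID exceeds {STEP_USER_ID_MAX_LENGTH} characters")
        self.attribute.validate(external_id)
        if external_id in self._by_external_id:
            raise ValueError("key violation: external ID already assigned to a user")
        user = StepUser(step_id=step_id, external_id=external_id)
        self._by_external_id[external_id] = user
        return user

    def lookup_by_key(self, external_id: str) -> Optional[StepUser]:
        """Read access by user key, the alternative to the STEP ID on REST API V2."""
        return self._by_external_id.get(external_id)


if __name__ == "__main__":
    directory = UserDirectory(ExternalIdAttribute(max_length=128))
    # Sample UPNs quoted in this topic; both are longer than 40 characters.
    for upn in ("Alexandriana.Westmoreland@acmecorporation.com",
                "Joe.Lee@acmecorporation.com.e80cc70f-4a6a-44fa-8041-4d15c63a0766"):
        user = directory.sync_from_idp(upn)
        print(f"{upn!r}: fits as STEP ID={fits_step_id(upn)}, STEP ID={user.step_id}")
```

Setting `max_length` below the longest UPN the IdP can issue makes `sync_from_idp` fail for those users, which is the practical reason step 1 asks for the Validation parameters to match the IdP's own restrictions.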