Dynamic Ad-Hoc User Provisioning

The User Import Process adds users to the Workcloud Communication System, populating them in the correct site during sign-in and usage. Ad-Hoc Provisioning allows Transient Users, who are authenticated against the IDP but not included in the User File Import Process, to be dynamically added to the system.
This capability is provided through the User's IDP login process: a Launcher App is implemented, the user authenticates successfully, and an access token is received. The Launcher App is responsible for passing token information to the Profile Client. In conjunction with information available in the Profile Client, the claims set in the JWT Access Token may carry additional information that refines the User's provisioning detail so that the user can be added to a site on the fly.
The Access Token should include the following information. If this information is not in the token, then default values configured in the PFM Proxy are used.
  • Firstname
  • Lastname
  • UserRoleLevel
  • Userroles
  • OauthName
  • Authentication Method
  • ForceLogout
The UserName, Site ID, PFM Proxy URL, and the PFM Proxy API key exist in the payload from the Profile Client running on the mobile device. The additional information required to dynamically add the user is extracted from the JWT Access Token. The Sticky element does not apply to the Transient User and is logically 'no', meaning that at the User Import job the Transient User is removed from the PTT Pro site.
To support dynamic Ad-Hoc User Provisioning, users are created in Profile Manager and PTT Pro based on the user details in the access token. Field names in the access token may differ from the column header names in the usermap csv file. The following attribute mapping is used to transform the JWT Access Token attributes to usermap column header attributes.
Access Token Attributes

| userKey | tokenKey | Description |
|---|---|---|
| firstName | fname | If empty, the value is set to the "UserName". |
| lastName | lname | If empty, the value is set to the "UserName". |
| userRoleLevel | rolelevel | Default Value: <empty> |
| UserRoles | role | Default Value: admin |
| oauthName | sub | If empty, the value is set to the "UserName". |
| authenticationMethod | auth | Default Value: OAUTH2s |
| forceLogout | flogout | Default Value: True |
| objectClass | objectclass | Default Value: person |
It is important for the Integration Consultant to provide Zebra with appropriate and meaningful default values for elements missing in the Access Token.
When working with Access Tokens, two tools are helpful to extract and decode the token. Postman can be downloaded from https://www.postman.com/ and provides the ability to collect a token. The Access Token can then be decoded by browsing to https://jwt.io and pasting the token into the interface.
The following is a sample of additional information provided in an Access Token. The token claims area displays the claim information for the User, as shown in the example below:
{ "scope":"openid profile email", "sid"
In the PFM Proxy configuration, there is a table to be populated with the elements retrieved from the Access Token.
    GENERAL_USERATTRIBUTESLIST_0_USERKEY: FirstName
    GENERAL_USERATTRIBUTESLIST_0_TOKENKEY: given_name
    GENERAL_USERATTRIBUTESLIST_1_USERKEY: LastName
    GENERAL_USERATTRIBUTESLIST_1_TOKENKEY: family_name
    GENERAL_USERATTRIBUTESLIST_2_USERKEY: UserRoleLevel
    GENERAL_USERATTRIBUTESLIST_2_TOKENKEY: rolelevel
    GENERAL_USERATTRIBUTESLIST_2_DEFAULTVALUE: ""
    GENERAL_USERATTRIBUTESLIST_3_USERKEY: Userroles
    GENERAL_USERATTRIBUTESLIST_3_TOKENKEY: role
    GENERAL_USERATTRIBUTESLIST_3_DEFAULTVALUE: "
    GENERAL_USERATTRIBUTESLIST_4_USERKEY: OauthName
    GENERAL_USERATTRIBUTESLIST_4_TOKENKEY: email
    GENERAL_USERATTRIBUTESLIST_4_DEFAULTVALUE: ""
    GENERAL_USERATTRIBUTESLIST_5_USERKEY: AuthenticationMethod
    GENERAL_USERATTRIBUTESLIST_5_TOKENKEY: auth
    GENERAL_USERATTRIBUTESLIST_5_DEFAULTVALUE: "OAUTH2"
    GENERAL_USERATTRIBUTESLIST_6_USERKEY: ForceLogout
    GENERAL_USERATTRIBUTESLIST_6_TOKENKEY: flogout
    GENERAL_USERATTRIBUTESLIST_6_DEFAULTVALUE: "TRUE"
As shown in this table, for each of the 7 attributes the UserKey field must match the csv column header in the User Import file. (This field is case-sensitive.) This is also the string value entered in the configuration for Profile Manager and PTT Pro Transformations configuration.
The TokenKey is the element name for the attribute in the Access Token.
The DefaultValue element is the value which is inserted into the UserKey field if the Token does not provide the information.
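The UserKey / TokenKey / DefaultValue lookup described above, as an added example that is not Zebra's PFM Proxy code: it decodes the payload of a constructed token locally (the signature is not verified) and reports which UserKeys were filled from a default, so a defaulted role such as admin is visible during review. The mapping mirrors the sample configuration; the default values, the UserName fallback sentinel, the sample claims and the function names are assumptions made for this example.

```python
import base64
import json

USERNAME = object()  # sentinel: fall back to the UserName sent by the Profile Client

# (UserKey, TokenKey, DefaultValue); the default values are assumptions.
ATTRIBUTES = [
    ("FirstName", "given_name", USERNAME),
    ("LastName", "family_name", USERNAME),
    ("UserRoleLevel", "rolelevel", ""),
    ("Userroles", "role", "admin"),
    ("OauthName", "email", USERNAME),
    ("AuthenticationMethod", "auth", "OAUTH2"),
    ("ForceLogout", "flogout", "TRUE"),
]

def decode_claims(token):
    """Decode the JWT payload for inspection only; the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    return claims

def map_user(claims, username):
    """Return (usermap record, list of UserKeys that were filled from a default)."""
    record, defaulted = {}, []
    for user_key, token_key, default in ATTRIBUTES:
        value = claims.get(token_key)
        if value in (None, ""):  # claim missing or empty: apply the default
            value = username if default is USERNAME else default
            defaulted.append(user_key)
        record[user_key] = str(value)
    return record, defaulted

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

# Constructed sample token: no role, rolelevel, auth or flogout claims.
SAMPLE_CLAIMS = {"scope": "openid profile email", "given_name": "Ana",
                 "family_name": "", "email": "ana@example.com"}
SAMPLE_TOKEN = ".".join([b64url(b'{"alg":"RS256","typ":"JWT"}'),
                         b64url(json.dumps(SAMPLE_CLAIMS).encode()), "sig"])

if __name__ == "__main__":
    print(map_user(decode_claims(SAMPLE_TOKEN), "ana01"))
```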