Group Synchronization
One-way synchronization of group memberships can be enabled upon user
login. Group synchronization is a 1:1 mapping unless you enable mapping
one IdP group name to multiple LogScale groups. Activate the ability to
map to multiple groups with the feature flag
OneToManyGroupSynchronization
.
Group synchronization works as follows:
If multiple group mapping is not enabled, and the group name in LogScale is the same as the group name in that IDP, then users will be mapped to that group automatically. LogScale maps a group name to the first LogScale group in the organization which has a matching
lookupName
ordisplayName
.If multiple group mapping is enabled with
OneToManyGroupSynchronization
, LogScale will map a group name to all LogScale groups in the organization that have a matchinglookupName
ordisplayName
.If a group has a
lookupName
, thenlookupName
is used for matching when doing group synchronization. If it does not have alookupName
,displayName
is used instead. This means that if you try to synchronize with some external group named "A", and you have a group in LogScale with displayName="A" and lookupName="B", this will not match. Both names are not considered when matching;displayName
is used as an alternate in case there is nolookupName
.Enabling
OneToManyGroupSynchronization
for a single organization fails if there are any groups within the organization that either have identical lookup names or have display names that are identical to another group'slookupName
. This is to make sure that users are aware that enabling the feature can result in users potentially getting assigned to additional groups. For information about how to enableOneToManyGroupSynchronization
for a single organization, see enableFeatureForOrg() .Enabling
OneToManyGroupSynchronization
for the cluster performs the verification described above for all organizations on the cluster and the error message will state which organizations failed the validation and for which group names. For information about how to enableOneToManyGroupSynchronization
for a cluster, see enableFeature()In case enabling fails the aforementioned validation, the user can either choose to modify their groups so there are no longer any duplicates, or they can call the GraphQL mutation to enable the feature with
skipVerification
set to true to allow duplicate groups.
In order to map a group name from an external system such as LDAP to a LogScale group specify a Mapping name in the External provider tab:
Figure 55. Group Synchronization
When a user who is a member of the above LDAP group logs in to LogScale, they will be a member of the LogScale group that defines the mapping. In the current version of LogScale a user will remain a member of the LogScale groups from the last login until they log in again with a new set of groups.
Note
Once a user's group membership has been synchronized in LogScale, deleting it in the LDAP external provider will not take effect in LogScale.
For specific instructions on how to setup group synchronization for the different authentication mechanisms go to the Configuring Security overview page and select a relevant entry.