Overview
This article describes identity management settings. You can use identity management to control authentication and authorization in your Code42 environment. These settings are only available in Code42 cloud environments.
Considerations
Definitions
Authentication
Authentication provider settings enable you to use a third-party application to authenticate users in the Code42 environment. For example, use these settings to configure a provider for single sign-on authentication.
To view the authentication provider settings:
- Sign in to the Code42 console.
- Go to Administration > Integrations > Identity Management.
- Select Authentication.
Add authentication provider
From the Authentication tab, click Add authentication provider.
Item | Name | Description |
---|---|---|
a | Display Name | Sets the name of your organization's authentication provider. This is a descriptive label and the text entered here is displayed to the user on the sign-in screen of the Code42 agent and Code42 console. |
b | Provider's Metadata | Sets the format for the authentication provider's metadata. Choose either to enter a URL or upload an XML file. |
c | Enter URL or Upload XML File | Enter URL: Sets the URL for the standalone identity provider or identity federation metadata file. The Code42 cloud must be able to access this URL. Upload XML File: Uploads the XML file. |
Authentication provider
The following screen appears when you configure a standalone identity provider.
Item | Name | Description | Click to: |
---|---|---|---|
a | Display name | Displays the name of your authentication provider. | |
b | Actions | Menu with the following actions: […] | |
c | Code42 Service Provider Metadata URL | Displays the URL for the SAML 2.0 metadata file. This file is used by the authentication provider(s). To view the contents of the metadata XML file, open the link in a web browser. The file contains Code42 URLs needed by your service provider to connect to Code42, including URLs to the server, entity ID, and Assertion Consumer Service (ACS). | View the metadata XML file. |
d | Attribute mapping | Maps Code42 usernames to the provider's name identifier or a custom attribute. | Edit attribute mappings. |
e | Organizations in Use | Displays the organizations that use this provider as the authentication method. You can also manage the organizations that use this authentication provider from organization settings. | Change organizations that use the authentication provider. |
f | SAML attributes | Displays the SAML context and class references in your identity provider's SSO requests, as well as the digest and signature algorithms to use. | Set the SAML attributes. |
g | Local users | Displays users who are set to use local authentication only. These users are meant for troubleshooting issues with your authentication provider. Local users cannot be managed with provisioning. | Add users to the list. |
Federation
A federation is a group of organizations that have formed trusts. With federations, the identity provider simply shares a token with the service provider to authenticate a user instead of supplying the user's credentials. When you enter the metadata URL, Code42 automatically detects if the metadata belongs to a federation or a single provider. If it is a federation, you are automatically directed to the federation details configuration page.
Item | Name | Description |
---|---|---|
a | Display name | Displays the name of your authentication provider. |
b | Actions | Menu with the following actions: […] |
c | Attribute mapping | Maps Code42 usernames to the provider's name identifier or a custom attribute. |
d | Edit | Edits the attribute mappings. In the resulting Attribute Mapping dialog, select the Use default mapping check box to use the default attribute mappings. Deselect the check box to enter your own values. |
e | Federated Identity Providers | Lists all of the Federated Identity Providers that have been added for this federation. Click the name of the provider to view the details. |
f | Add | Adds a new federated identity provider. |
g | Local users | Displays users who are set to use local authentication only. These users are meant for troubleshooting issues with your authentication provider. Local users cannot be managed with provisioning. |
Add an identity provider to this federation
Item | Name | Description |
---|---|---|
a | Select a Provider URL | Selects an identity provider from the list of available providers. Begin typing to search for the correct provider. |
b | Display Name | Sets the display name for the identity provider. |
Federated identity provider details
To view the identity provider details, click the identity provider's name under the Federation details.
Item | Name | Description |
---|---|---|
a | Display name | Displays the name of your authentication provider. |
b | Actions | Menu with the following actions: […] |
c | Code42 Service Provider Metadata URL | Displays the URL for the SAML 2.0 metadata file. This file is used by the authentication provider(s). |
d | Attribute Mapping | Maps Code42 usernames to the provider's name identifier or a custom attribute. |
e | Edit | Edits attribute mappings. In the resulting Attribute Mapping dialog, select the Inherit from federation check box to inherit the attribute mappings from the federated authentication provider. Deselect the check box to enter your own values. |
f | Organizations in Use | Displays the number of organizations that use this provider as the authentication method. |
g | SAML attributes | Displays the SAML context and class references in your identity provider's SSO requests, as well as the digest and signature algorithms to use. Click the edit button to set the SAML attributes. |
h | Local Users | Displays users who are set to use local authentication only. These users are meant for troubleshooting issues with your authentication provider. Local users cannot be managed with provisioning. |
Provisioning
Provisioning provider settings allow you to connect to a third-party application where your users are stored, and automatically add them to Code42. To view the provisioning provider settings:
- Sign in to the Code42 console.
- Select Administration > Integrations > Identity Management.
- Select Provisioning.
Add Provisioning Provider
To view, go to Provisioning, then click Add Provisioning Provider. Choose either Add SCIM Provider or Add Code42 User Directory Sync.
The following dialog appears when you select Add SCIM Provider.
Item | Name | Description |
---|---|---|
a | Display Name | Sets the name for the SCIM provider or Code42 User Directory Sync. |
b | Authentication Credential Type | Sets the type of credential authentication to use: […] |
Credentials
After you enter a username for the provisioning provider, the credentials appear. Your provider may require some or all of these credentials to create a service account for syncing between your directory and Code42.
Item | Name | Description |
---|---|---|
a | Base URL | The URL for interacting with the Code42 provisioning API. |
b | Username | Username for the service account. |
c | Password or Token | Password or token for the service account. Which one appears depends on whether you selected API Credentials or OAuth token in the Add SCIM Provisioning Provider dialog box. This password or token appears only once, so save it in a secure location. |
SCIM provisioning provider
Appears when configuring a SCIM provisioning provider.
Item | Name | Description | Click to view |
---|---|---|---|
a | Name | Displays the name of your provisioning provider. | |
b | Actions | Menu with the following actions: […] | |
c | Provider Credentials | Displays user credentials. This user performs directory sync between your provider and Code42. These credentials are used by the provisioning provider. | |
d | Regenerate Credentials | Regenerates credentials, either API credentials or an OAuth token. The regenerated password or token appears on the SCIM Provider Updated dialog. Copy the newly-generated password or token to the SCIM provisioning provider. Credentials were originally generated when you added the SCIM provisioning provider. You may need to regenerate credentials in certain circumstances, such as when a new administrator takes over management of the SCIM provisioning provider in Code42. | |
e | Deactivation Delay | Displays the amount of time Code42 waits to deactivate a user once the provider has sent the update. The maximum deactivation delay is 90 days. Deactivation of users on legal hold […] | |
f | Edit | Edits the deactivation delay setting. | |
g | Organization Mapping | Displays how Code42 assigns organizations to users who are added from the provisioning provider. Only configurable for SCIM provisioning providers. | |
h | Edit | Change how Code42 maps provisioned users. Choose between the following mapping methods: […] | Organization Mapping Method |
i | Organization name | Displays a Code42 organization or the Add Mapping button. | |
j | Role Mapping | Displays how roles are mapped from the provisioning provider to Code42. | |
k | Edit | Change how roles are mapped from the provisioning provider to Code42. Choose: […] | Edit Role Mapping |
l | Edit mapped roles (SCIM provisioning providers only) | Maps Code42 roles and permissions to groups. | Add Role Mapping |
l | or […] (Code42 User Directory Sync only) | Select roles to be managed by the Code42 User Directory Sync Tool. This means only roles checked in this list will be automatically updated by the tool. Roles that aren't checked here must be manually updated in the Code42 console. See the Roles reference for more information on each role. | View a list of roles within your Code42 environment |
Edit Organization Mapping Method for SCIM provider
To view organization mapping methods, select the edit icon next to Organization Mapping.
Single organization
Assigns all users to the same Code42 organization. If you choose this option, create organizations in the Code42 console before you begin.
Example use case
Use this option if you manage users in the Code42 console. For example, all users that are provisioned from the provisioning provider are added to the same organization. You can then move the users from that single organization to additional organizations in the Code42 console.
Item | Description | |
---|---|---|
a | Create new users in the organization below | Code42 assigns new users to the selected organization. |
b | Select an organization | Select the organization where you want to place new users. |
"C42OrgName" attribute
The "c42OrgName" attribute creates new organizations or assigns users to existing organizations based on the value for the user attribute c42OrgName. This value becomes the name for the Code42 organization. This attribute is managed on the provisioning provider.
Example use case
Use this method if you want to manage users in the provisioning provider (and not in the Code42 console). The value for this attribute becomes the name for the Code42 organization. Code42 creates new organizations or assigns users to existing organizations based on the value.
Item | Description | |
---|---|---|
a | Map users to organizations based on the provider's "c42OrgName" attribute | Code42 assigns users to the selected organization using the "c42OrgName" attribute. |
b | Select an organization | Select the organization where you want to place unmapped users. |
SCIM group
Assigns users to Code42 organizations based on their SCIM group. If you choose this option, create organizations in the Code42 console before you begin.
Example use case
Use this mapping method if your users are already assigned to SCIM groups. For example, a user is part of two different SCIM groups: an executive group and a UK group. You want this user's backup policies to match the other executives in your company, so this user should be assigned to the same Code42 organization as the other executives. In the Code42 console, you can choose the executive group to take priority over the UK group. This way you can place all of the executives in your company in the same organization and ensure they have the same backup policies.
Item | Name | Description |
---|---|---|
a | Map users to organizations using SCIM groups | Code42 assigns users to the selected organization based on SCIM groups. To use this option, SCIM groups must first be sent to Code42 (for example, using the […]). After you click Save, click Add Mapping to map roles to Code42 groups. |
b | Select an organization | Select the organization where you want to place unmapped users. |
Add Mapping
To view, click Add Mapping. Use Add Organization Mapping to map SCIM groups to Code42 organizations. To use this option, SCIM groups must first be sent to Code42 (for example, using the /Groups API resource in the SCIM protocol).
Item | Description | |
---|---|---|
a | Select a SCIM group | Displays all the SCIM groups that your provider has sent to the Code42 console. Only groups that have not been mapped appear in this list. |
b | Select a Code42 organization | Displays the organization tree for your Code42 console. |
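The three organization mapping methods above and the Add Organization Mapping table, as an added example that is not Code42's own code: a small Python resolver that places a provisioned user under each method, including the group priority order described in the SCIM group use case and the fallback organization for unmapped users. The class and function names, the `group_priority` list and the sample organizations are assumptions made for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class OrgDirectory:
    """Stand-in for the Code42 organization tree (constructed for this example)."""
    orgs: Set[str] = field(default_factory=set)

    def ensure(self, name: str) -> str:
        # The "c42OrgName" method creates an organization that does not exist yet
        # and otherwise assigns the user to the existing one of that name.
        self.orgs.add(name)
        return name


@dataclass
class ScimUser:
    """Attributes of a provisioned user that the mapping methods look at (constructed)."""
    username: str
    groups: List[str] = field(default_factory=list)   # SCIM group display names
    c42_org_name: Optional[str] = None                 # the provider's "c42OrgName" attribute


def resolve_org(user: ScimUser, method: str, directory: OrgDirectory, default_org: str,
                group_map: Optional[Dict[str, str]] = None,
                group_priority: Optional[List[str]] = None) -> str:
    """Return the Code42 organization a provisioned user is placed in.

    method:         "single", "c42OrgName" or "scim_group" (the console's three methods)
    default_org:    the organization selected for new users ("single") or unmapped users
    group_map:      SCIM group -> Code42 organization, as entered with Add Organization Mapping
    group_priority: group names in the order that wins when a user is in several mapped
                    groups (the console lets you choose which group takes priority)
    """
    if method == "single":
        # Every new user lands in one organization; moves happen later in the console.
        return default_org
    if method == "c42OrgName":
        if user.c42_org_name:
            return directory.ensure(user.c42_org_name)
        return default_org          # no attribute value: treated as unmapped
    if method == "scim_group":
        mapping = group_map or {}
        ordered = group_priority if group_priority is not None else sorted(mapping)
        for group in ordered:
            if group in user.groups and group in mapping:
                return mapping[group]
        return default_org          # user is in no mapped group
    raise ValueError(f"unknown mapping method: {method}")


def resolve_all(users: List[ScimUser], **kwargs) -> Dict[str, str]:
    """Re-evaluate every already-provisioned user under one mapping method.

    This mirrors what Apply Org and Role Settings does after a mapping change: each
    user is re-evaluated and the result is the organization they should now be in.
    """
    return {u.username: resolve_org(u, **kwargs) for u in users}
```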
Edit Role Mapping
To view, select the edit icon next to Role Mapping.
Item | Name | Description |
---|---|---|
a | Manually | Assign roles manually in Code42. Roles are not mapped from the provisioning provider. |
b | Map SCIM groups to Code42 roles | Map the SCIM groups in the provisioning provider to roles in Code42. To use this option, you must first send SCIM groups to Code42 (for example, using the […]). If SCIM groups are not sent to Code42, the "There are no SCIM groups available" message displays. After sending the SCIM groups, an Add Role Mapping button displays. |
Add Role Mapping
To view, click Add Role Mapping.
Item | Description | |
---|---|---|
a | Select a SCIM group | Displays all the SCIM groups that have been pushed to your Code42 console (for example, using the /Groups API resource in the SCIM protocol). Only groups that have not been mapped appear in this list. |
b | Select a Code42 role | Displays a list of all the Code42 roles. Learn more about Code42 roles and permissions below. |
Code42 User Directory Sync
Appears when configuring Code42 User Directory Sync.
Item | Name | Description | Click to view |
---|---|---|---|
a | Name | Display name for this User Directory Sync instance. | |
b | Actions | Menu with the following actions: […] | |
c | Provider Credentials | Displays user credentials. This user performs directory sync between your provider and Code42. Click Regenerate password to create a new password if needed for the user. If you generate a new password for the user, you must also run the […] | |
d | Deactivation Delay | Displays the amount of time Code42 waits to deactivate a user after a synchronization is run. The maximum deactivation delay is 90 days. Click the edit icon to change the length of time to delay deactivation. Deactivation of users on legal hold […] | |
e | Organization Mapping | Disabled within the Code42 console. To configure how users are mapped to Code42 organizations, use the Org script in the Code42 User Directory Sync Tool. | |
f | Edit | Change how Code42 maps provisioned users to organizations. | Edit Organization Mapping Method |
g | Role Mapping | Displays which roles the User Directory Sync automatically updates. | |
h | Edit | Enable a method for mapping roles to users. Choose either Manually or Select roles from the Code42 User Directory Sync. | Edit Role Mapping |
i | Select Roles | Select roles to be managed by the Code42 User Directory Sync Tool. This means only roles checked in this list will be automatically updated by the tool. Roles that aren't checked here must be manually updated in the Code42 console. See the Roles reference for more information on each role. | View a list of roles within your Code42 environment. |
Edit Organization Mapping Method for User Directory Sync
To view organization mapping methods, select the edit icon next to Organization Mapping.
Create new users in an existing Code42 organization
Assigns new users to the same Code42 organization and does not map new users based on the User Directory Sync org script. If you choose this option, create organizations in the Code42 console before you begin.
Example use case
Use this option if you want to manage new users in the Code42 console. All users that are provisioned from User Directory Sync are added to the same organization. You can then move the users from that single organization to additional organizations in the Code42 console.
Item | Description | |
---|---|---|
a | Create new users in the organization below and do not map users based on the User Directory Sync's org script | Code42 assigns new users to the selected organization. |
b | Select an organization | Select the organization where you want to place new users. |
User Directory Sync org script
Assigns users to organizations based on the User Directory Sync org script.
Example use case
Use this method if you want to manage users in the User Directory Sync (and not in the Code42 console). Code42 creates new organizations or assigns users to existing organizations based on the org script.
Item | Description | |
---|---|---|
a | Map users to organizations based on the User Directory Sync's org script | Code42 assigns users to the selected organization using the User Directory Sync org script. |
b | Select an organization | Select the organization where you want to place unmapped users. |
Select roles
To view, go to Provisioning and click Select Roles. This is a security measure to prevent users from elevating their privileges within the Code42 environment.
Item | Name | Description |
---|---|---|
a | Choose Roles | Displays all of the roles available in your Code42 environment. To learn more about the permissions, limitations, and example use cases for each role, see the […] |
b | Enable or disable role | Enable or disable roles from automatic provisioning. […] |
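The role allowlist above, as an added example (not Code42's code): the set logic that turns "only roles checked in this list are updated by the tool" into a privilege-elevation control. Allowlisted roles are granted or revoked exactly as the directory says; every other role a user holds is left untouched, so a directory change cannot hand out a role the administrator never allowed. The function names, the SCIM group-to-role mapping and the role names are constructed for this example.

```python
from typing import Dict, Iterable, Set, Tuple


def map_groups_to_roles(groups: Iterable[str], group_role_map: Dict[str, str]) -> Set[str]:
    """Roles the directory requests for a user, via SCIM group -> Code42 role mappings.

    Groups with no mapping are ignored, which is what the Add Role Mapping dialog
    implies: only mapped groups carry a role.
    """
    return {group_role_map[g] for g in groups if g in group_role_map}


def apply_role_sync(current_roles: Iterable[str], requested_roles: Iterable[str],
                    allowlist: Iterable[str]) -> Tuple[Set[str], Set[str]]:
    """Return (new_roles, ignored_requests) for one provisioning run.

    current_roles:   roles the user holds in Code42 right now
    requested_roles: roles the directory says the user should have
    allowlist:       the roles checked under Select Roles (managed by the tool)

    Allowlisted roles end up exactly as requested: granted if requested, revoked
    if not. Roles outside the allowlist keep their current state, and any request
    for one of them is returned in ignored_requests so an administrator can review
    it in the console instead of it being applied automatically.
    """
    current, requested, allowed = set(current_roles), set(requested_roles), set(allowlist)
    kept = current - allowed          # not managed by the tool: never touched
    granted = requested & allowed     # managed roles the directory asks for
    ignored = requested - allowed     # privilege changes the allowlist blocks
    return kept | granted, ignored


def sync_user(groups: Iterable[str], current_roles: Iterable[str],
              group_role_map: Dict[str, str], allowlist: Iterable[str]) -> Tuple[Set[str], Set[str]]:
    """Convenience wrapper: map the user's groups, then apply the allowlisted sync."""
    return apply_role_sync(current_roles, map_groups_to_roles(groups, group_role_map), allowlist)
```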
Apply organization and role settings
Should you need to change organization and role settings and want them to be applied to all provisioned users in Code42 immediately, use the Apply Org and Role Settings option in the action menu of the target provisioning provider.
Applying the organization and role settings to all provisioned users with the Apply Org and Role Settings option could be a destructive action because organization assignment changes may affect the archive configurations of your currently provisioned users. Both organization and role settings are applied simultaneously and complete asynchronously.
Steps
To apply organization and role changes to either a SCIM provisioning provider or a Code42 User Directory Sync provisioning provider, complete the following:
- Sign in to the Code42 console.
- Go to Administration > Integrations > Identity Management > Provisioning.
- Select a provisioning provider.
- Choose Actions > Apply Org and Role Settings.
- Click Apply.
It may take up to one hour for the changes to be applied to all affected users.
Apply settings for organizations and roles mapped with SCIM groups
In order to map SCIM groups to Code42 organizations or roles, you must first push those SCIM groups to Code42 so they are available for mapping. You can do this by provisioning the users in their groups (or by using a push method such as the /Groups API resource in the SCIM protocol). However, this means that initially the users are placed in the default organizations and roles rather than the ones you want to map them to.
To move users to the correct organizations and roles, map your organizations and roles and then apply the mappings:
- Provision users with their groups. Although this places the users in default organizations and assigns default roles, it also pushes the SCIM groups to Code42 so they appear in the Code42 console.
- Now that the SCIM groups appear in the Code42 console, you can use them to configure organization mapping and configure role mapping.
- Run Apply Org and Role Settings to apply the newly configured organizations and role assignments to the already-provisioned users. Users are moved to the correct organizations and roles.
Use cases
See the following sections for situations where applying mappings may be useful.
SCIM provisioning provider
Ensure you've configured the organization and role mappings in the provisioning provider details page before applying mappings with the Apply organization and role settings dialog.
Organization mapping
You have configured your identity provider to provision the "c42OrgName" user attribute. Apply mappings when:
- You have recently configured the Code42 mapping method to use "C42OrgName" and would like to move all existing provisioned users to their "c42OrgName" organization.
- You have manually moved users into other organizations and would like them moved back to their "c42OrgName" organization.
You have configured your identity provider to provision user group information. Apply mappings when:
- You have recently configured the Code42 mapping method to use SCIM groups and would like to move all existing provisioned users in manually assigned organizations to their mapped organization.
- You have manually moved provisioned users into other organizations and would like them moved back to their mapped organization.
- You have updated the SCIM group mappings and would like existing provisioned users to be moved into their newly mapped organizations immediately.
Role mapping
You have configured your identity provider to provision user group information. Apply mappings when:
- You have recently configured the Code42 mapping method to use SCIM groups and would like to move all existing provisioned users in manually assigned roles into newly mapped roles.
- You have manually assigned roles to provisioned users and would like them re-assigned to their mapped roles.
- You have updated the SCIM group mappings and would like existing provisioned users to be assigned into their newly mapped roles immediately.
Code42 User Directory Sync
You should run a full sync to reprovision all users to Code42 using the Code42 User Directory Sync rather than applying organization and role mappings. However, in some cases, accessing the Code42 User Directory Sync or running a full sync may not be an option. In those cases you can apply mappings with the Apply organization and role settings dialog.
Organization mappings
- You had previously configured mapping to use the org script, but recently updated the Code42 mapping method to use the "User Directory Sync Org Script". Apply mappings when you would like to move all existing provisioned users in their manually assigned organizations to the scripted organization.
- You have mapping configured to use the "User Directory Sync Org Script", but later manually moved provisioned users into other organizations. Apply mapping changes to move users back to their scripted organization.
Role mappings
You have configured the User Directory Sync role script to provision users' role information. Apply mappings when you have updated the role allowlist and would like to update provisioned users accordingly.
Sync Log
The sync log displays all of the updates made to your Code42 environment from the provisioning provider.
To view the Sync Log:
- Sign in to the Code42 console.
- Select Administration > Integrations > Identity Management.
- Click Sync Log.
As of September 22, 2021, the Sync Log retains data for only 90 days. If you want to retain Sync Log data older than the last 90 days, you must export the data before September 22, 2021. After that date, to retain Sync Log data older than 90 days, export the data on a regular basis and keep it in your own storage systems. For more information, see Export Sync Log data.
Item | Name | Description | Click to view |
---|---|---|---|
a | Date selector | Selects the timeframe for which logs to display. | Click to view a calendar date picker. |
b | Refresh Table | Retrieves the most recent synchronization changes. | Click to view the latest log entries. |
c | Export CSV | Exports all of the sync logs to a .CSV file. Use this option to filter the logs further. | Click to start downloading a CSV file. |
d | Provider | Displays the provider that made the update. | Click to sort. |
e | User Impacted | Displays the Code42 username. | Click to sort. |
f | Change type | Displays how the user was changed. Change types are: […] | Click to sort. |
g | Attribute changed | Displays what part of the user changed. Attribute changes can be to: […] | Click to sort. |
h | New Value | Displays the new value for the attribute that was changed. Note: Organization attribute values include the orgId, and Manager attribute values include the userId. | Click to sort. |
i | Old value | Displays the old value for the attribute that was changed. | Click to sort. |
j | Date changed | Displays the date the change occurred. | Click to sort. |
In addition to appearing in the Sync Log, updates resulting from provisioning also appear in the Audit Log. For example, newly-provisioned users appear in the Add user event type, users deactivated by provisioning appear in the Deactivate user event type, and provisioned user attributes changes appear in the External attributes change event type.
Whenever the acting user in an Audit Log event is a SCIM provisioning system, the username of the acting user in the event appears as the provisioning provider Username credentials from Code42 (for example, "okta_1234@cloud.code42.com").
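Reviewing an exported Sync Log, as an added example that is not Code42's own tooling: a Python script that parses a CSV export and pulls out the provisioning changes a reviewer most wants to confirm against the directory, privileged role grants and user deactivations. The CSV column names follow the Sync Log table above, but the change-type and attribute values, the role watch list and the sample rows are assumptions constructed for this example; the acting-user format is the one described in the previous paragraph.

```python
import csv
import io
from typing import Dict, Iterable, List

# Constructed sample export. Column names follow the Sync Log table; the change-type
# and attribute values are assumptions for this example, not documented values.
SAMPLE_EXPORT = """\
Provider,User Impacted,Change type,Attribute changed,New Value,Old Value,Date changed
okta_1234@cloud.code42.com,ana@example.com,Add user,Organization,orgId:42,,2021-09-01T10:00:00Z
okta_1234@cloud.code42.com,ana@example.com,Update user,Role,Security Admin,Desktop User,2021-09-02T08:30:00Z
okta_1234@cloud.code42.com,bo@example.com,Deactivate user,Status,Deactivated,Active,2021-09-03T12:15:00Z
okta_1234@cloud.code42.com,cy@example.com,Update user,Manager,userId:7,userId:3,2021-09-03T12:16:00Z
"""

PRIVILEGED_ROLES = {"Security Admin", "Org Admin"}   # constructed watch list


def parse_sync_log(text: str) -> List[Dict[str, str]]:
    """Parse a Sync Log CSV export into one dict per row, keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def review(rows: Iterable[Dict[str, str]], privileged_roles=PRIVILEGED_ROLES) -> List[Dict[str, str]]:
    """Pick out the provisioning changes a reviewer should confirm against the directory."""
    findings = []
    for row in rows:
        if row["Attribute changed"] == "Role" and row["New Value"] in privileged_roles:
            # A role grant that came from the provider, not from an administrator.
            findings.append({
                "user": row["User Impacted"], "kind": "privileged-role-granted",
                "detail": f"{row['Old Value'] or '(none)'} -> {row['New Value']}",
                "provider": row["Provider"], "when": row["Date changed"],
            })
        elif row["Change type"] == "Deactivate user":
            # Deactivation by provisioning is subject to the Deactivation Delay setting.
            findings.append({
                "user": row["User Impacted"], "kind": "deactivated",
                "detail": f"{row['Old Value']} -> {row['New Value']}",
                "provider": row["Provider"], "when": row["Date changed"],
            })
    return findings


def changes_per_user(rows: Iterable[Dict[str, str]]) -> Dict[str, int]:
    """Count changes per impacted user; a burst of changes to one account is worth a look."""
    counts: Dict[str, int] = {}
    for row in rows:
        counts[row["User Impacted"]] = counts.get(row["User Impacted"], 0) + 1
    return counts
```

Because the Sync Log keeps only 90 days of data, run this over the exports you retain in your own storage rather than only over what the console still shows.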
External resources
- Gartner: Federated Identity Management