Configure Groups for External Login
This page is for PhixFlow administrators who want to integrate PhixFlow authentication with an external login system. It describes how to configure the external login groups in System Configuration and how to map external user groups to PhixFlow's User Groups. See Active Directory or SAML / Single Sign-on for details about configuring external login.
Overview
PhixFlow can be configured to allow external logins, where users are authenticated by external servers i.e. the user's credentials (username/password) are maintained on external servers and PhixFlow delegates to those external servers to check whether the user's credentials are valid. Currently we support Active Directory and SAML / Single sign-on.
In order to login to a PhixFlow instance, an external user must have an external group that matches the PhixFlow instance's external login group, which is set in System Configuration.
When an external user logs in, PhixFlow creates a minimal user account for them, including:
- their user name
- a default locale, copied from the System Configuration → General Settings → System Locale.
See Also
- System Configuration
- User Administration
- For information about configuring external login
Using External User Templates
Optionally, you can create one or more external user templates to set additional defaults for the user account that PhixFlow. For example, you can specify whether or not the user opens PhixFlow in App Mode or Design Mode. You can also set a default application for the user; see External User Template.
User Groups and Privileges
In PhixFlow local users are manually added to user groups. A user's privileges depend on the user groups to which they belong. For external users, their privileges depend on how you map the user groups in the external system (e.g. their Active Directory groups) to PhixFlow user groups; see Managing User Groups and Privileges
Multiple PhixFlow Instances
Where you have multiple PhixFlow instances (e.g. test v. prod) we recommend the use of group names that contain the instance name e.g. phixflow_test_designer and phixflow_prod_designer. This will allow you to have users who have different access rights in different instances.
Configure the Login Groups
Go to the External Login section of System Configuration.
Set the External Login Groups field to a semi-colon-separated list of external group names. An external user having any one of the external groups listed will be allowed to login.
You can use {instance} to include the PhixFlow instance name.
Examples
Assume the PhixFlow Instance is set to 'TEST'.
| External Login Groups | Description |
|---|---|
| phixflow_login | Any user with the external group phixflow_login will be allowed to login. |
| phixflow_admin;phixflow_{instance}_login | Any user with the external group phixflow_admin or the group phixflow_test_login will be allowed to login. |
Configure the User Groups
Users who authenticate to PhixFlow via an external provider, such as SAML or Active directory, are external users.
When an external user logs into PhixFlow, the external groups to which they belong are mapped to PhixFlow user groups. You configure this mapping in the user group properties by specifying Basic Settings → External Login Group. You can use {instance} to include the PhixFlow instance name.
The external groups for mapping are:
- for Active Directory: the Active Directory Groups; see Configure Active Directory Integration
- for SAML login: the value of the groups attribute configured for SAML login; see Configure AD/ AAD Integration via SAML.
When an external user logs into PhixFlow, they are assigned to the mapped PhixFlow user group.
It is not necessary to map all of a user's external groups to PhixFlow user groups. For each user, any external groups that are not mapped are simply ignored.
Examples
Assume:
- the System Configuration External Login Group is set to pf_login
- the System Configuration instance is set to test
- the following User Groups are configured:
| User Group | External Login Groups |
|---|---|
| Administrator | pf_admin;pf_{instance}_admin |
| User | pf_user;pf_tester |
Jane is in external groups user, pf_login, pf_user and pf_admin: Jane is considered to be in both user groups.
Tim is in External groups administrator, user, pf_login and pf_tester: Tim is considered to be in the User user group only.
Max is in the external groups pf_user, user and manager: Max is not allowed to login as he doesn't have the External Login Group.
John is in the External groups administrator, user, and pf_login: John is allowed to login but will not be considered to be a member of any user group.