Synchronization of External Users

When a user is authenticated by an external authority, JasperReports Server initializes its session principal object that contains the username, role names, and organization ID, if necessary, of the external user. The ExternalDataSynchronizer uses this information along with the optional organization ID to automatically update or create the corresponding structures in the internal database:

- If there is no organization with the user’s organization ID in the internal database, that organization is created. Organizations are created with the templates currently defined in the repository. In the case of LDAP authentication, organization hierarchies are created for the users.
- Roles can be mapped to external or internal roles.
  - When mapping a role to an external role, the role name is compared to existing external roles. If the role does not exist, it is created as an external role. See Synchronization of Roles for details about role creation.
  - When mapping a role to an internal role, the role name is compared to existing external roles. If the role does not exist, it is created as an internal role. In addition, you can choose to create a role at the root level, which gives administrative permissions, or at the organization level, which restricts access to the organization. See Synchronization of Roles for details about role creation.
- The user ID is compared to those of existing user accounts in the internal database. If an organization ID is specified, only the user IDs in that organization are checked.
  - If the user account exists, its list of assigned roles is synchronized as described in Synchronization of Roles. The user ID can match either a previously synchronized external user or an internal user created by an administrator. If the external user name and organization ID match those of an internal user, authentication fails; an administrative user has to resolve the situation manually.
  - If the user does not exist, an external user account is created. If an organization ID is specified, the account is created within that organization. Finally, all of the external roles along with any configurable default internal roles are assigned to the new user account.
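The following is an added, simplified in-memory model of the synchronization steps above; it is not JasperReports Server code, and the names Directory, User, SyncError and synchronize() are constructed for illustration. It assumes that, on a repeat login of an existing external user, the role set from the external authority replaces the previous one, and that an administrator may have disabled the account.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class User:
    name: str
    org: Optional[str]
    external: bool                    # database flag: externally defined
    roles: set
    full_name: str = ""
    password: Optional[str] = None    # external accounts never store one
    enabled: bool = True              # admins may only disable external users

class SyncError(Exception):
    """Synchronization refuses the login; an administrator must intervene."""

class Directory:
    """Constructed stand-in for the internal database."""
    def __init__(self):
        self.orgs = set()
        self.roles = {}   # (role name, org or None for root) -> "external"|"internal"
        self.users = {}   # (user name, org or None) -> User

def synchronize(db, username, ext_roles, org=None, role_map=None, default_roles=()):
    """role_map: external role name -> (mapped name, "external"|"internal", "root"|"org").
    Unmapped roles are created as external roles inside the user's organization."""
    role_map = role_map or {}
    if org is not None:
        db.orgs.add(org)                            # create a missing organization
    granted = set()
    for ext in ext_roles:
        name, kind, level = role_map.get(ext, (ext, "external", "org"))
        key = (name, None if level == "root" else org)   # root level = administrative
        db.roles.setdefault(key, kind)              # create the role only if absent
        granted.add(key)
    for name in default_roles:                      # configurable default internal roles
        db.roles.setdefault((name, None), "internal")
        granted.add((name, None))
    user = db.users.get((username, org))            # lookup scoped to the organization
    if user is None:
        user = User(username, org, external=True, roles=granted, full_name=username)
        db.users[(username, org)] = user
    elif not user.external:
        raise SyncError(f"{username!r} in org {org!r} is an internal account")
    elif not user.enabled:
        raise SyncError(f"{username!r} has been disabled by an administrator")
    else:
        user.roles = granted                        # the external authority decides roles
    return user
```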

For more information about organizations, roles, and user accounts, see the JasperReports Server Administrator Guide.

A user account created for an external user has the same structure as an internal user account but differs in the following ways:

- A database flag marks it as externally defined.
- The full name of the user is the same as the user ID, which is always the same as the login name entered by the user.
- The external user account does not store the password.
- It does not have any values for the optional properties of a user, such as the email or profile attributes. The default implementation of external authentication does not populate these properties. These properties can be manually populated by an administrator.

An external authority such as LDAP contains information such as the user’s full name, email address, and profile attributes that can be mapped into the external user account. However, this requires customizing the mapping and synchronization beans. See Advanced Topics.

After synchronization, the external user fits in coherently with all the structures and mechanisms of JasperReports Server, in particular those required to verify authorization. However, user management by a JasperReports Server administrator is restricted to the ability to disable an external account to prevent an external user from logging in again. An external user account cannot be used to log in when the external authority is offline; external accounts do not store the password and are not meant for failover. Once external authentication is configured, only the information in the external authority determines who can log in and what roles they have. However, administrators may view external organizations, users, and roles to determine if all mappings from the external authority are correct.