Red Hat SummitUser and external authentication mapping
Ansible Automation Platform manages user accounts and synchronizes attributes by centralizing user identification around a matching email address. You can sign in with existing accounts from different sources while maintaining a consistent user profile and access permissions.
The platform accepts email claims from identity providers without verifying email ownership. Before you configure an external authenticator, verify that your identity provider enforces email verification and restricts self-service email changes.
When you log in to the platform for the first time with an authenticator, such as Local, GitHub, SAML, or LDAP, the platform evaluates the username and email address. If a single email match exists, the platform links the external identity to that existing account.
- Subsequent logins with the same authenticator and external Unique Identifier (UID) directly sign the user into their linked account.
- If a user's external UID changes, the system re-triggers the email-based linking logic. If the new UID's email matches the existing account, the new authenticator is linked. If the email does not match or is not provided, a new user account might be created.
- If a user's external email changes, the platform does not automatically update the email address in the existing account, but the user can still sign in and a new account with the new email is created for the user.
If a user has a hashed account, such as bob-hash, due to a username collision from a previous version, that association is honored for that authenticator. However, for new authentications from other identity providers, the platform maps to the user's primary account, such as bob, provided a single matching email exists. This consolidates user identities and prevents the creation of new hashed accounts. If users should have been previously merged, you can delete the user-<hash> account from Ansible Automation Platform and on a subsequent login, the users are merged based on emails as described above.
- Authenticators without email: If an authenticator such as RADIUS or TACACS+ does not return an email address, a new account is created on first sign-in. To ensure consistent future access, manually add an email to the account after creation.
- Multiple users with the same email: If an email from an authenticator matches multiple existing platform accounts, the sign-in process fails.
- LDAP usernames: The platform treats LDAP usernames as case-insensitive. It converts the username to lowercase and stores it in the database.
associated_authenticatorsfield: Theassociated_authenticatorsfield in the API supports multiple UIDs per user.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}