@Harish Gupta -
When we have created a TAI for situations where one didn't already exist for the SSO technology we were using, the TAI asserts a UserID as part of the response. As documented in this article, WAS is supposed to take that UserID and check that the user exists in the user registry (in your case, the LDAP).
If this TAI was hand-created for this use case, I'd check the underlying code, as I suspect either it is using some sort of path that doesn't expect a UserID, or someone skipped the part of "figure out the LDAP User ID from the SSO token" and just hardcoded a user to use that had the "right" authorizations.
If the TAI was supplied by an SSO vendor, I'd check on how it was configured as it seems to be not supplying the correct user ID to WebSphere in its response.
Basically, my read on all of this is that the problem you are trying to solve would not be a problem if the TAI was doing exactly what it is supposed to do, but somewhere along the line a step was skipped or something was misconfigured and the TAI isn't performing correctly. As such, the user ID isn't getting set, so the logic that kicks in on BPM when a user is first seen isn't getting invoked, causing the problems you are seeing.
If you are in fact setting the userID correctly but IBM BPM isn't syncing that user on login as is normal, you should open a ticket with IBM as that is a significant problem that would potentially affect any SSO solution on IBM BPM.
(Note: It has been a long time since I wrote a TAI, mainly my team does that now, but back when I first did it, my first attempt was always something like "If X is present (e.g. a cookie) then just say this is wasadmin and move forward". Obviously I'd only put this on a local box, but it proved the baseline is working. I would then layer the more complex logic over that to get to the right end point. There are likely examples on the web that basically say "figuring out the right userID is left as an exercise for the student." If you have a session that has gone through the SSO process you can just call rest/bpm/wle/v1/user/current in that browser against the BAW server and it will tell you who it thinks the user is.)
------------------------------
Andrew Paier
------------------------------
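As an added illustration of the point made above (this is example code, not code from the thread or from IBM), here is the shape a hand-written TAI should have once the "wasadmin" smoke test is replaced by real logic: the session identifier is validated against the external system, the user ID for that session comes back from the external system's answer, and only that ID is asserted to WAS. The PORTAL_SESSION cookie name, the portal.sessionUrl custom property and the plain-text lookup endpoint are assumptions for the example; the WebSphere SPI classes (TrustAssociationInterceptor, TAIResult) are the real ones.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Properties;
import java.util.regex.Pattern;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.ibm.websphere.security.WebTrustAssociationException;
import com.ibm.websphere.security.WebTrustAssociationFailedException;
import com.ibm.wsspi.security.tai.TAIResult;
import com.ibm.wsspi.security.tai.TrustAssociationInterceptor;

/**
 * Added example (not from the thread): a TAI that validates the portal session
 * against the external system and asserts the LDAP user ID that system returns.
 * Assumed/hypothetical names: the PORTAL_SESSION cookie, the portal.sessionUrl
 * custom property and the lookup endpoint it points at.
 */
public class PortalSessionTAI implements TrustAssociationInterceptor {

    private static final String SESSION_COOKIE = "PORTAL_SESSION";
    // Only accept values that can plausibly be a registry user ID; anything else is rejected.
    private static final Pattern USER_ID = Pattern.compile("[A-Za-z0-9._@-]{1,128}");
    private String sessionUrl;

    @Override
    public int initialize(Properties props) throws WebTrustAssociationFailedException {
        sessionUrl = props.getProperty("portal.sessionUrl"); // TAI custom property (assumed name)
        if (sessionUrl == null) {
            throw new WebTrustAssociationFailedException("portal.sessionUrl not configured");
        }
        return 0;
    }

    @Override
    public boolean isTargetInterceptor(HttpServletRequest req) throws WebTrustAssociationException {
        return findSessionId(req) != null;
    }

    @Override
    public TAIResult negotiateValidateandEstablishTrust(HttpServletRequest req, HttpServletResponse resp)
            throws WebTrustAssociationFailedException {
        String sessionId = findSessionId(req);
        if (sessionId == null) {
            return TAIResult.create(HttpServletResponse.SC_UNAUTHORIZED);
        }
        // Baseline smoke test only (local box, never deployed):
        // return TAIResult.create(HttpServletResponse.SC_OK, "wasadmin");

        // The user ID must come from the external system's answer for this session,
        // never from a header or cookie the browser could have set itself.
        String userId = lookupUserForSession(sessionId);
        if (userId == null || !USER_ID.matcher(userId).matches()) {
            return TAIResult.create(HttpServletResponse.SC_UNAUTHORIZED);
        }
        // WAS now looks userId up in the configured registry (LDAP); if it exists, the
        // request runs as that user and BPM's first-seen user handling fires for it.
        return TAIResult.create(HttpServletResponse.SC_OK, userId);
    }

    private static String findSessionId(HttpServletRequest req) {
        Cookie[] cookies = req.getCookies();
        if (cookies == null) return null;
        for (Cookie c : cookies) {
            if (SESSION_COOKIE.equals(c.getName()) && !c.getValue().isEmpty()) return c.getValue();
        }
        return null;
    }

    // Hypothetical lookup: GET <portal.sessionUrl>/<sessionId> returns the owning user ID
    // as a plain-text body, or a non-200 status for an unknown or expired session.
    private String lookupUserForSession(String sessionId) throws WebTrustAssociationFailedException {
        try {
            URL url = new URL(sessionUrl + "/" + URLEncoder.encode(sessionId, "UTF-8"));
            HttpURLConnection conn = (HttpURLConnection) url.openConnection();
            conn.setConnectTimeout(3000);
            conn.setReadTimeout(3000);
            if (conn.getResponseCode() != HttpURLConnection.HTTP_OK) return null;
            try (BufferedReader in = new BufferedReader(
                    new InputStreamReader(conn.getInputStream(), StandardCharsets.UTF_8))) {
                String line = in.readLine();
                return line == null ? null : line.trim();
            }
        } catch (IOException e) {
            throw new WebTrustAssociationFailedException("session lookup failed: " + e.getMessage());
        }
    }

    @Override public String getVersion() { return "1.0"; }
    @Override public String getType() { return getClass().getName(); }
    @Override public void cleanup() { }
}
```

To check the result, register the class as a trust association interceptor in WAS global security with the custom property it expects, log in through the portal, and call rest/bpm/wle/v1/user/current from that browser session: the userName it returns should be the LDAP user ID for the person who logged in, not a shared or administrative account. If it is a shared account, the ID is still being hardcoded or mapped incorrectly somewhere in the TAI.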
Original Message:
Sent: Mon May 18, 2020 08:53 PM
From: Harish Gupta
Subject: Full User Sync Job
@Andrew Paier
In the TAI, we are authenticating the user's session ID against an external system. If that session ID is valid, we are sending an OK response to WAS so the user gets authenticated. What is the way to synchronize the user with the BPM system after the user's session gets authenticated?
------------------------------
Harish Gupta
Original Message:
Sent: Mon May 18, 2020 10:16 AM
From: Andrew Paier
Subject: Full User Sync Job
The items that @Jens Engelke pointed you to include WAS Admin scripts. These could be executed as cron jobs on the server at regular times if you've run the test to prove they solve your problems. The REST options you pose might also work, but I don't have an environment with this problem to use to attempt to validate them for you. It doesn't seem like anyone in the community has hit this exact problem.
TBH, I'm a little confused as I would have thought your TAI would assert the user's ID to the BPM system, thereby running through the normal steps when a new user is encountered. This would ensure that the user has access to the dashboard. I suspect that maybe your TAI isn't fully formed and is asserting a shared account when it receives and validates the security token. Assuming that something like this is going on, the reason your problem is a bit unique is due to the unorthodox approach to the user Authentication you have taken.
------------------------------
Andrew Paier
Original Message:
Sent: Fri May 15, 2020 11:17 AM
From: Harish Gupta
Subject: Full User Sync Job
@Jens Engelke I looked at that document but all the given options need manual intervention. I am looking for an automated solution.
------------------------------
Harish Gupta
Original Message:
Sent: Thu May 14, 2020 04:21 AM
From: Jens Engelke
Subject: Full User Sync Job
Have a look at https://www.ibm.com/support/knowledgecenter/SS8JB4/com.ibm.wbpm.admin.doc/topics/sync_users_and_groups.html
------------------------------
Jens Engelke
Original Message:
Sent: Wed May 13, 2020 05:42 PM
From: Harish Gupta
Subject: Full User Sync Job
@Andrew Paier We have the BPM Dashboard located on external portal and we are using TAI to allow SSO. So if the user is authenticated by the external portal, he will be allowed to access BPM Dashboard using TAI SSO.
I am using the below REST API as an option:
/rest/bpm/wle/v1/user?userName=12345678&includeInternalMemberships=true&refreshUser=true&includeEditableUserPreferences=false&parts=memberships
Once I run this for a particular User ID, the refreshUser=true parameter should sync the user between the BPM DB and LDAP. This is my expectation. Please let me know your thoughts on this.
------------------------------
Harish Gupta
Original Message:
Sent: Wed May 13, 2020 05:26 PM
From: Andrew Paier
Subject: Full User Sync Job
@Harish Gupta - I find your question a bit confusing. I didn't think there was a way to allow a user to access a BPM Dashboard unless they have authenticated against the BPM server in some way. Or are using "Dashboard" to represent "A generic report" and not the entity created in IBM BPM?
Note - if the "Synchronize Users" in BPM Admin is working for you then you can likely ignore my comment below about LDAP query limits, as you are likely below that threshold size (or my data is dated).
------------------------------
Andrew Paier
Original Message:
Sent: Tue May 12, 2020 08:56 PM
From: Harish Gupta
Subject: Full User Sync Job
Hi All,
We have an application where the user accesses the BPM Dashboard in an external portal and never gets a chance to log in to the BPM portals, so they will not have any records in the BPM DBs. Is there any REST API we can use to create a nightly job so that all the users get synced up in the BPM DB and we don't have to do it from Process Admin?
Thanks
------------------------------
Harish Gupta
------------------------------