Identities and accounts

Overview

When a user logs into Brazen using SSO, Brazen will automatically provision a user account when one does not exist. This article describes how Brazen provisions user accounts and how Brazen enables you to maintain a relationship between a user's account or identity on your system with the user's Brazen account.

Brazen User Account

Each Brazen user account consists of the following information:

  • id - a numeric identifier that Brazen has assigned to the account
  • first_name - the user's first name
  • last_name - the user's last name
  • email - the user's email address, which also serves as the username on the account
  • time_zone - the user's preferred time zone such as "America/New_York". Brazen uses IANA Olson time zone names.
  • external_id - the unique identifier that identifies the user in your identity management system.

User Accounts and ID Tokens

Brazen supports SSO using OAuth 2.0 and either one of the following identity tokens:

Each of these identity tokens contains information, also called claims, that Brazen uses to create a Brazen account. Let's look at each one.

SAML 2.0

Claims in SAML 2.0 are expressed as attributes. SAML 2.0 uses the object identifier (OID) URN schema defined for X.500 directory systems to define legal values for attribute types. LDAP is a simplified version of X.500 and the most common implementation of this standard. Brazen looks for the following SAML 2.0 attributes when creating a new Brazen account for a user. More information about these attribute types can be found in RFC-4519. For a complete list of LDAP OIDs, see the LDAP OID Reference or OID Registry.

Friendly Attribute NameOID Attribute NameRequired?Definition
userIdurn:oid:1.3.6.1.4.1.47993.1.1.2Nothe identifier for this user in the external system. Brazen will use the first value it finds in a claim.
mailurn:oid:0.9.2342.19200300.100.1.3Yesthe preferred or primary email address for the user. Brazen will use the first value it finds in a claim.
givenNameurn:oid:2.5.4.42Yesname strings that are the part of a person's name that is not their surname.
surnameurn:oid:2.5.4.4Yesthe surname or last name of the user.
ianaTimeZoneurn:oid:1.3.6.1.4.1.47993.1.1.3Nothe user's preferred time zone such as "America/New_York". Brazen uses IANA Olson time zone names. If one is not provided, the user's time zone is set to "US/Eastern".

If no account exists for the email address in the identity token, then a new account is created using the information above. Brazen will send an email to the email address informing them an account has been created and asking the user to verify their email address.

If an active user account exists for the given email address and the email address has been verified, then Brazen will set the external ID to the subject identifier in the identity token. The account verification email is not sent.

If an active user account exists for the given email address and the email address has not been verified, Brazen will send an email to the user asking them to verify their email address before the account is enabled.

OpenID Connect

When OpenID Connect is used to single sign-on a user into Brazen, Brazen uses the scope request parameter on the authentication request to ensure certain claims are included in the JWT ID token. In addition to the default "openid" scope, Brazen will request the "profile" and "email" scopes. The following table lists the claims that Brazen uses provision new user accounts and to map external identities to existing Brazen user accounts.

Claim NameTypeRequired?Definition
substringYesthe identifier your system uses to identify this user. This claim is always present in OpenID ID Tokens.
given_namestringYesthe user's first name or names.
family_namestringYesthe surname or last name of the user.
emailstringYesthe user's preferred email address, which may be the email address they use to log into your applications.
email_verifiedbooleanYeswhether or not the email address has been verified.
zoneinfostringNothe user's time zone. if one is not provided, the user's time zone is set to US/Eastern.

If no account exists for the email address in the identity token, then a new account is created using the information above. If the email address has not be verified, Brazen will send an email to the email address informing them an account has been created and asking the user to verify their email address. If the email address has been verified, the account verification email is not sent.

If an active user account exists for the given email address and the email address has been verified, then Brazen will set the external ID to the subject identifier in the identity token. The account verification email is not sent.

If an active user account exists for the given email address and the email address has not been verified, Brazen will send an email to the user asking them to verify their email address before the account is enabled.

FAQ

Q. Does Brazen support bulk user provisioning?
A. Not at this time. User accounts are provisioned when a user first uses SSO to log into Brazen. Brazen is exploring providing support for SCIM 2.0, which is an open API standard for managing identities that define methods for creating, updating and deleting identities. For more information on SCIM 2.0, see http://www.simplecloud.info/.