Web Login User Mapping
When using web login to sign in to GENESIS through an OpenID Connect (OIDC) or SAML 2.0 identity provider, you need a way to connect the users configured in the identity provider to the users in GENESIS Security.
When a user logs in to the external identity provider, a token containing information that identifies the user is sent to GENESIS. To log that user in to GENESIS successfully, the following requirements must be met.
- The token must be mapped to a user that is known beforehand. This means that the list of users must be populated, either manually or by connecting to an Active Directory / Azure Active Directory.
  Web login does not automatically populate the GENESIS Security database with users from the identity provider. To automatically populate users, use Active Directory or Entra ID security mode.
- You must configure a claim that determines which information to extract from the security token and how to find an existing user based on that. The information used for the identification must be set up in the OIDC/SAML Authentication User Mapping section of the web login configuration for the desired authentication type:
- Configuring OpenID Connect Authentication for Web Login
- Configuring SAML 2.0 Authentication for Web Login
Both authentication types share the following user mapping settings and functionalities:
- The Find existing users by setting tells GENESIS which field in the GENESIS user configuration needs to match the claim. You can set up finding users by one of the following attributes:

| Name | Description |
| --- | --- |
| Display Name | The name of the GENESIS Security user. |
| Unique Name (Active Directory GUID) | The GUID of the Active Directory or Entra ID user. This only applies when using security modes of Active Directory or Entra ID. |
| Active Directory SID (Security ID) | The Active Directory user's security ID. This only applies when using Active Directory security mode, or when using Entra ID mode and synchronizing with an on-premises Active Directory. |
| User Lookup Identifier | The value of the User Lookup Identifier field in the GENESIS Security user configuration; it can be any text that identifies the user, such as an email address. |
- The Show list of claims hyperlink opens a web page that redirects to the external Identity Provider, and then lists all claims that it extracted from the token.
To use this link, you must first apply the changes in the web login configuration. Wait a moment for the server to notice the changes and reconfigure.
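The mapping rule described above (one claim value compared against one configured user field, with no automatic user creation) as an added illustration; this is example code written for this page, not GENESIS code, and the `GenesisUser` record, the claim names and the sample users are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical user record with the four "Find existing users by" fields (not the product schema).
@dataclass(frozen=True)
class GenesisUser:
    display_name: str
    ad_guid: Optional[str] = None            # Unique Name (Active Directory GUID)
    ad_sid: Optional[str] = None             # Active Directory SID (Security ID)
    lookup_identifier: Optional[str] = None  # User Lookup Identifier, e.g. an email address

# Which record field each "Find existing users by" choice is compared against.
FIND_BY_FIELDS = {
    "Display Name": "display_name",
    "Unique Name (Active Directory GUID)": "ad_guid",
    "Active Directory SID (Security ID)": "ad_sid",
    "User Lookup Identifier": "lookup_identifier",
}

def resolve_user(claims, claim_name, find_by, users):
    """Return the single configured user whose chosen field equals the named token claim.

    Raises LookupError if the claim is missing, no user matches (web login never creates
    users, so an unknown identity is rejected) or more than one user matches (ambiguous).
    Comparison is trimmed and case-insensitive; that is an assumption of this example.
    """
    if claim_name not in claims:
        raise LookupError(f"token carries no '{claim_name}' claim")
    field = FIND_BY_FIELDS[find_by]
    wanted = str(claims[claim_name]).strip().lower()
    matches = [u for u in users
               if getattr(u, field) is not None
               and getattr(u, field).strip().lower() == wanted]
    if not matches:
        raise LookupError(f"no GENESIS user with {find_by} == {wanted!r}")
    if len(matches) > 1:
        raise LookupError(f"{len(matches)} users share {find_by} == {wanted!r}")
    return matches[0]

def resolve_or_none(claims, claim_name, find_by, users):
    """Same lookup, returning None instead of raising when no single user matches."""
    try:
        return resolve_user(claims, claim_name, find_by, users)
    except LookupError:
        return None

# Constructed sample data: a decoded ID-token payload and three configured users.
SAMPLE_CLAIMS = {"sub": "user-12345", "name": "Alice Example", "email": "Alice@Example.com",
                 "oid": "3f2504e0-4f89-11d3-9a0c-0305e82c3301"}
SAMPLE_USERS = [
    GenesisUser("Alice Example", ad_guid="3f2504e0-4f89-11d3-9a0c-0305e82c3301",
                lookup_identifier="alice@example.com"),
    GenesisUser("Bob Example", ad_sid="S-1-5-21-1004336348-1177238915-682003330-1105",
                lookup_identifier="bob@example.com"),
    GenesisUser("Shared Mailbox", lookup_identifier="alice@example.com"),  # duplicate identifier
]
```

Running the lookups against the sample shows that the GUID and Display Name claims map uniquely to Alice, while the email claim is rejected because two configured users carry the same User Lookup Identifier.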