User Account, Source System User Mapping and Single-Sign-On
OneList maintains its own user accounts which include the following information:
- UserId - internal use for OneList;
- UserName - a unique key for every user. This is mapped to the common user ID of the organization;
- Profile - user profile, e.g. first name, last name, email;
- Manager - optional, the user's reporting manager;
Linking OneList User with Identity Provider (IDP) and Source System User
For OneList to automatically surface tasks to a user, it needs to establish a link between that user's IDP login and their source system user id. The OneList username is the key in this link. The general process for identifying the value of the OneList username is:
- Identify and agree on the common user identifier in the organisation. sAMAccountName and UPN are commonly used as the user id;
- Identify the claim from the Identity Provider that holds the common user id;
- Verify that each source system can map its user account to this common user id. The adapter is responsible for producing the user mapping for OneList.
If a source system cannot provide the user mapping, OneList prompts the user to log on to that source system once before tasks from that source system are surfaced.
Where the user linkage is saved and how it is used
The link between the OneList user and the external user is saved in the ExternalLogin table in the RoleManager database.
- When the user logs on via an external IDP, OneList uses the IDP's user id to find the OneList user id in the ExternalLogin table and grants access to the user;
- When OneList receives a task from a source system, it uses the source system user id to find the OneList user id in the ExternalLogin table, then assigns the task to that OneList user. The reverse lookup is used to identify the source system user id when a user actions a task.
OneList user account creation
There are two scenarios in which a OneList user account is created:
- When a new task assignee is identified in a source system. In this case, the OneList Adapter queries OneList after every task upload to find whether any user of that source system still requires a link to a OneList user account. If OneList returns a list of source system user ids, the OneList Adapter posts the full details of those users to OneList. OneList then creates a new user account if required and links the source system user id with the OneList user account. The prerequisite for this scenario is that the OneList Adapter has the full user account information, including UserName and email.
- When a user logs on to OneList (via RoleManager) for the first time. In this case, the user either registers a new account (via the Register link on the login page) or is authenticated by the organisation's IDP. If using the IDP, RoleManager goes through the external login process discussed above and creates a new user account if no existing user exists for the IDP user login.
Claims required from the source system to set up the OneList user profile
Claim Type | Source System Value | OneList User |
---|---|---|
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier | Source system user id | UserName |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname | First name | FirstName |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname | Surname | LastName |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress | | |
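The following is an added example, not OneList or RoleManager code, that models the ExternalLogin lookups described above (forward lookup at IDP logon and task upload, reverse lookup when a user actions a task) together with the claims-to-profile mapping from the table, and the two account-creation scenarios. It assumes an ExternalLogin row holds a provider name, the id that provider uses for the user, and the OneList UserId; the in-memory store, the provider names and the sample claims are constructed for the example, and treating email as optional is an assumption because the page's table row for emailaddress is incomplete.

```python
from dataclasses import dataclass
from typing import Optional

# Claim type URIs exactly as listed in the table on this page.
CLAIM_NAMEID = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
CLAIM_GIVENNAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
CLAIM_SURNAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
CLAIM_EMAIL = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

# Claim -> profile field, per the table. Email is treated as optional here
# (assumption: the page's table row for emailaddress is incomplete).
REQUIRED_CLAIMS = {CLAIM_NAMEID: "user_name", CLAIM_GIVENNAME: "first_name", CLAIM_SURNAME: "last_name"}


@dataclass
class OneListUser:
    user_id: int          # internal UserId
    user_name: str        # the organisation's common user id
    first_name: str
    last_name: str
    email: Optional[str] = None


@dataclass(frozen=True)
class ExternalLogin:
    # Assumed shape of an ExternalLogin row (the page names the table, not its
    # columns): provider, the id that provider uses, and the linked OneList UserId.
    provider: str
    provider_key: str
    user_id: int


class RoleManagerStore:
    """In-memory stand-in for the RoleManager database (constructed for this example)."""

    def __init__(self) -> None:
        self.users: dict[int, OneListUser] = {}
        self.external_logins: set[ExternalLogin] = set()
        self._next_id = 1

    def find_user_by_external(self, provider: str, provider_key: str) -> Optional[OneListUser]:
        """Forward lookup: used at IDP logon and when a task arrives from a source system.
        The key is (provider, provider_key), so 'jsmith' at the IDP and 'jsmith' at a
        source system are separate links and cannot be confused with each other."""
        for row in self.external_logins:
            if row.provider == provider and row.provider_key == provider_key:
                return self.users[row.user_id]
        return None

    def find_external_key(self, user_id: int, provider: str) -> Optional[str]:
        """Reverse lookup: used when a user actions a task, to find the id the
        source system knows that user by."""
        for row in self.external_logins:
            if row.user_id == user_id and row.provider == provider:
                return row.provider_key
        return None

    def find_user_by_name(self, user_name: str) -> Optional[OneListUser]:
        # Exact match on the common user id. Whether that id is case-insensitive
        # (as sAMAccountName is) is a deployment decision; normalise before calling if so.
        return next((u for u in self.users.values() if u.user_name == user_name), None)

    def link(self, user: OneListUser, provider: str, provider_key: str) -> None:
        existing = self.find_user_by_external(provider, provider_key)
        if existing is not None and existing.user_id != user.user_id:
            # One external identity must never map to two OneList users: tasks and
            # task actions would otherwise be attributed to the wrong person.
            raise ValueError(f"{provider}:{provider_key} already linked to UserId {existing.user_id}")
        self.external_logins.add(ExternalLogin(provider, provider_key, user.user_id))

    def create_user(self, claims: dict[str, str]) -> OneListUser:
        missing = [c for c in REQUIRED_CLAIMS if not claims.get(c, "").strip()]
        if missing:
            raise ValueError(f"cannot create user, missing claims: {missing}")
        fields = {attr: claims[c].strip() for c, attr in REQUIRED_CLAIMS.items()}
        user = OneListUser(user_id=self._next_id, email=claims.get(CLAIM_EMAIL), **fields)
        self._next_id += 1
        self.users[user.user_id] = user
        return user


def resolve_or_provision(store: RoleManagerStore, provider: str, claims: dict[str, str]) -> OneListUser:
    """Both account-creation scenarios on this page: a first IDP logon, or an adapter
    posting a new task assignee. Order: existing link -> existing account with the same
    UserName (link it) -> new account. The nameidentifier claim is both the provider's
    key for the user and the UserName of a newly created account."""
    key = claims.get(CLAIM_NAMEID, "").strip()
    if not key:
        raise ValueError("nameidentifier claim is required to link or create a user")
    user = store.find_user_by_external(provider, key)
    if user is None:
        user = store.find_user_by_name(key) or store.create_user(claims)
        store.link(user, provider, key)
    return user
```

Two checks in this model are the ones worth carrying into a real deployment: a link is keyed on the provider as well as the id, so the same string from two providers never collides, and an external id that is already bound to a different OneList user is refused rather than silently re-pointed.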
IQX OneList Documentation - 6.40