I already asked this question in a different thread, but it may be worth opening a new one.
Users added by SAML SSO with the role “users” are not able to add/modify their pager address (=mobile phone number) because the appropriate field is not visible in their profile settings. An administrator is able to add/modify their pager addresses in the user management, though.
Am I missing a permission that allows this? Or is it not possible by design? Can it be changed? This would make absolute sense to me.
In essence, if you are using SAML/SSO to provision a user in CMK, that user (nor an admin) should not (be able to) modify attributes locally in CMK.
This is due to the design of a federated login (in this case SAML), where a/the authoritative source dictates attributes.
If you were to edit attributes of users locally in CMK (by any means) there are two options as to how it ends:
On a re-login, if a mapping does exist for it, it will (should) overwrite the locally edited attribute, as the IDP is the authoritative source of information for the user.
If the attribute is not in a mapping and is edited locally, it will mean that the authoritative source will have no way of knowing this attribute has changed locally.
Meaning you have inconsistent information regarding the user (SAML will not sync changed local attributes back to the federation).
To have some sort of sync (both ways) you will need to look for an Identity Management product to achieve this.
Also, if you were to have some kind of Identity Management product, it will (should) revolve around the authoritative source of attributes, as it needs to know the true value if it differs on source and destination.
Having said that, it is my understanding from other posts in the forum that CMK currently does not support a full mapping of attributes offered by a/the IDP to local attributes.
So in this case you may need to (till solved) modify this attribute in CMK manually.
Do not forget to also modify it in the (data-) source of your IDP, whereas I hope/expect CMK to implement a full attribute-mapping from IDP → CMK.
Personal note:
I would rather see CMK implement OpenID-Connect (and full attribute-mapping) as a federative option, as it will also be a solution for distributed monitoring combined with federative/SSO login.
Thanks @Glowsome for your response!
There are a few user settings that are not coming from SAML IDPs either, like “enable/disable all notifications” or “show only host and services I am a contact for”. As we know, the attribute “pager address” is not a subject of the SAML configuration yet. That makes me think that it should be possible to edit this attribute in the profile settings. When (and if) the synchronization of user attributes like pager address should be implemented in SAML, the local attributes can be just overwritten.
The tricky thing for me is that I am using the CRE edition, so I implemented SAML at the web-server level.
The howto as to how I did it is somewhere on the forum in the howto section.
(Fun fact: some of my comments regarding this ended up in the official documentation)
As native SAML is only available for CEE, I do not know what is possible.
I myself switched my setups from SAML → OpenID-Connect in a similar way (also a howto available in the howto section).