Configuring external share users

If you are deploying External Share in your environment, decide before deployment how you want to configure your external users. The steps you take to configure your external users vary depending on the method you want to use. You can manage users with a second LDAP directory for external users, or you can use an Identity Provider (IDP).

About this task

External share offers two ways to manage external access to content:
  • Using a separate LDAP realm for external users
  • Dynamic user provisioning with an Identity Provider (IDP), where internal and external users are configured in separate identity providers (IDPs) that support OAuth 2.0, OpenID Connect, or both.

These approaches provide different benefits and require different steps to configure and manage:

External user LDAP

Managing external users with a separate external LDAP directory requires that you configure a second LDAP directory to manage the external users who can share content. You can use any of the supported LDAP directory service providers to configure the external user directory. Note that because of the need for two separate and distinct directory configurations, IBM Virtual Member Manager is not supported.

You must designate and add these external users to the LDAP directory before internal users can issue share invitations to the external users.

The LDAP details are specified before the operator deploys the containers. Before you run the deployment, continue with Configuring the external user LDAP realm.

Dynamic user provisioning

With dynamic external user provisioning, you can grant access to external users who have accounts with external identity providers (IDPs) like IBM ID or Google ID. When an internal user wants to grant access to an external user, the external user's email address is entered into a managed user directory on the Content Platform Engine on a provisional basis. When the user responds to the share invitation, the managed user record is confirmed.

This method for managing access and users requires additional configuration and setup:
  • A designated internal user IDP, such as UMS, where the same set of users resides in an LDAP that the Content Platform Engine accesses directly.
  • Designated external user IDP. External users are identified by unique email addresses that must not also exist in the LDAP used for internal users.
  • Set up the Managed User Directory configuration for external IDP users.
  • Additional configuration files and parameters for the external share environment.
  • The ICN-SSO container image for your IBM Content Navigator deployment
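The requirement above that external user email addresses must not also exist in the internal LDAP is easy to violate by accident (a contractor who already has an internal account, or an address that differs only in letter case). The following is an added pre-deployment check, not IBM code and not part of External Share: it reads a constructed LDIF dump of the internal directory, normalizes the mail attribute, and reports which planned external invitees collide before any provisional managed user record is created. The LDIF sample, the invitee list, and the function names are all assumptions for illustration.

```python
"""Pre-deployment check for External Share: external invitee email addresses
must not collide with mail attributes in the internal LDAP directory.
Added example with constructed data; not part of IBM External Share."""

# Constructed sample: a minimal LDIF export of the internal user LDAP.
# Only plain "attr: value" lines are handled; base64 ("attr:: value")
# and line continuations are out of scope for this illustration.
INTERNAL_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
uid: alice
mail: Alice.Smith@example.com

dn: uid=bob,ou=people,dc=example,dc=com
uid: bob
mail: bob@example.com
"""

# Constructed list of external users an internal user intends to invite.
EXTERNAL_INVITEES = [
    "partner@partner-example.org",
    "alice.smith@example.com",   # collides with internal user alice (case differs)
    "  Bob@Example.com ",        # collides with internal user bob after normalization
    "consultant@mail-example.net",
]


def normalize_email(addr):
    """Canonical form used for comparison: trimmed and lower-cased."""
    return addr.strip().lower()


def parse_ldif_mails(ldif_text):
    """Map normalized mail address -> DN for every entry in the LDIF text."""
    mails = {}
    dn = None
    for line in ldif_text.splitlines():
        if not line.strip():
            dn = None            # blank line ends the current entry
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            dn = value
        elif attr == "mail" and dn is not None:
            mails[normalize_email(value)] = dn
    return mails


def find_collisions(internal_mails, invitees):
    """Return {normalized invitee address: internal DN} for invitees that
    already exist in the internal LDAP."""
    return {
        normalize_email(e): internal_mails[normalize_email(e)]
        for e in invitees
        if normalize_email(e) in internal_mails
    }


def plan_provisioning(internal_mails, invitees):
    """Split invitees into addresses safe to provision as provisional managed
    users and addresses that must be rejected because they belong to an
    internal account."""
    collisions = find_collisions(internal_mails, invitees)
    provisional, rejected = [], {}
    for e in invitees:
        n = normalize_email(e)
        if n in collisions:
            rejected[n] = collisions[n]
        elif n not in provisional:
            provisional.append(n)
    return {"provisional": provisional, "rejected": rejected}


if __name__ == "__main__":
    plan = plan_provisioning(parse_ldif_mails(INTERNAL_LDIF), EXTERNAL_INVITEES)
    for addr in plan["provisional"]:
        print(f"OK       {addr}")
    for addr, dn in plan["rejected"].items():
        print(f"REJECTED {addr}: already internal user {dn}")
```

Run this against an LDIF export of the real internal directory (and, where the external users are kept in a second LDAP realm, against that realm's export as the invitee list) before the operator deploys the containers, since the LDAP details are fixed at deployment time. Normalizing case matters: most LDAP mail attributes are matched case-insensitively, while a naive string comparison would miss `Alice.Smith@example.com` versus `alice.smith@example.com`.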
If you choose dynamic user provisioning, you must do additional configuration for the authentication before and after you deploy the containers. For details, see topic: