• State Not Answered
  • Replies 0 replies
  • Subscribers 97 subscribers
  • Views 26 views
  • Users 0 members are here
Options
Related

1ID v9.0LTS - select account to use when multiple matches in IT Shop

kelvin smith

Hopefully this will make sense....

We are experimenting with using identities along with sub-identities.  There is a main identity for the employee.  There are also sub-identities - one for each AAD tenant the employee belongs too.  Experimenting doing it this way, as there are differences that need to be made for each tenant identity that the account belongs in, such as Job Title (job title x in the main tenant, job title y in another tenant, z in another tenant and so on), and my thought is that using sub-identities will allow this to be set up, and once sync'd will overwrite the Entra property values (yet to be proven).  These sub-identities have the Entra account that are matched with AAD accounts that come from a cross-tenant sync from the main employee tenant.

Anyway - what happens, is that each identity/sub-identity have the same defaultemailaddress field.  We are using OAuth authentication in the API portal to authenticate users (mail from Entra, Default email address for Person record).  

What I am finding, is that when I OAuth into the IT Shop, it is selecting the LAST person record created with the matching email address.  I was hoping that it might present a list to select the account to use (which is which tenant the user is going to interact with in IT Shop).  The email address is all representing the same person (identity/sub-identity)

When I select the Select a reference user I cannot see any other users that I can select (because it has selected a sub-identity user).  

If I log in with an Employee (role based) of the main account, then I can select the main account or the sub-identities with the select a reference user, but it does not prompt me upon log in which account to use.

I have come across these two settings:

Identities for which a request can be placed

Identities which can be edited by the current user

However, when I try and go and check the SQL that it is running, I get a blank result.

`uid_person in ( select uid_person from QER_VEditEmployee where uid_personhead = '%useruid%')`

Is this possible, or should I think of a different way?