Create and sync users with different usernames and email addresses #385

Closed
@adorton-adobe

Description

The sync tool should sync email-based federated users that have different email addresses and usernames. It is possible to create such users in the UMAPI by first creating a user with the same email address & username and then updating the user record to have a different email address and/or username.

A common use case is if a customer's IDP sends a different primary identifier (such as userPrincipalName) for federated logins than the email address that users might use for login and collaboration. This update would allow a separate email attribute to be specified that would map a user's email address separately from the username.

This feature doesn't introduce any new config options. It just changes some behavior in the sync tool when both user_email_format and user_username_format are specified in connector-ldap.yml and map to attributes that contain different values for a given user.

Existing behavior:

If user_email_format and user_username_format are mapped to different attributes (that may contain different values from one another), the sync tool will attempt to create a new user with the username and email address provided by the identity source. This attempt will fail because the create method of UserAction will not allow such a user to be created.

New behavior:

If the values mapped from user_email_format and user_username_format differ, then the commands generated to create the user are modified so that the create command uses the username as the email address in the API action. The real email address is then set in an update command that is appended to the user's command list before groups are assigned.

The value mapped from user_username_format will be the user's primary identifier.
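The following is an added illustration of the command sequencing described above; it is not code from user-sync.py or umapi-client. The `Command` class, the `validate_create` rule and the format-string mapping are simplified stand-ins, and the LDAP entry is constructed sample data.

```python
from dataclasses import dataclass


@dataclass
class Command:
    action: str   # "create", "update" or "add_groups"
    params: dict


def map_identity(ldap_entry, user_username_format, user_email_format):
    """Apply connector-ldap.yml style format strings to one LDAP entry.
    Assumption: the formats use Python str.format placeholders, e.g. "{mail}"."""
    username = user_username_format.format(**ldap_entry).strip().lower()
    email = user_email_format.format(**ldap_entry).strip().lower()
    return username, email


def build_user_commands(username, email, groups=()):
    """Return the ordered command list for one email-based federated user.

    The create command always carries email == username, because the UMAPI
    create action rejects a user whose email and username differ. When the
    mapped email is different, an update that sets the real email is appended
    before any group assignment, matching the "new behavior" described above."""
    commands = [Command("create", {"username": username, "email": username})]
    if email != username:
        commands.append(Command("update", {"username": username, "email": email}))
    if groups:
        commands.append(Command("add_groups", {"username": username, "groups": list(groups)}))
    return commands


def validate_create(command):
    """Stand-in for the UMAPI create constraint: email must equal username."""
    if command.action != "create":
        return True
    return command.params["email"] == command.params["username"]


# Constructed sample entry: UPN and mail attributes hold different values.
SAMPLE_ENTRY = {"userPrincipalName": "jdoe@corp.example", "mail": "jane.doe@example.com"}

if __name__ == "__main__":
    user, mail = map_identity(SAMPLE_ENTRY, "{userPrincipalName}", "{mail}")
    for cmd in build_user_commands(user, mail, ["Creative Cloud Users"]):
        print(cmd.action, cmd.params, "ok" if validate_create(cmd) else "REJECTED")
```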

umapi-client will also need to be updated to support this feature - adobe-apiplatform/umapi-client.py#65

Tasks:

  • Test full sync workflow
    • User Creation
    • Group membership update
    • "preserve" adobe-only action
    • "remove" adobe-only action
    • "delete" adobe-only action
    • Update user info
    • Email address updates
  • Test email address on trusted domain (especially email address update)
  • Update Documentation

Note - we'll worry about testing for Okta and CSV in a future update.
