PostgreSQL Database User Provisioning

PostgreSQL Database User Provisioning


What is PostgreSQL Database User Provisioning?

PostgreSQL Database User provisioning is an automated solution for Identity access management (IAM) and maintainance of users in a postgres database. Whenever a user is created, updated, or deleted from miniOrange, the relevant data is synchronized with the database and related applications, granting permissions and access according to the latest change. User sync and data sync are the main features of user provisioning. miniOrange user provisioning allows you to update & manage the user information in your database or applications when you perform creation, updation or deletion in your miniOrange service.

Deprovisioning means removing the access of the users from all the resources & services such as Active Directory, Google, AWS or from different applications whenever a user is deleted from the database. miniOrange provides automatic deprovisioning of the user accounts when the user leaves the team or organization.

User Provisioning between miniOrange and Different Databases

User Provisioning between different databases and miniOrange

There are three major parts to setting up user sync between your PostgreSQL database and miniOrange IdP. They are as follows:

  • Part A: Adding your PostgreSQL Database as a User Store in miniOrange IdP
  • Part B: Configuring Queries for User Provisioning
  • Part C: Configuring User Provisioning & Attribute Mapping
Consider the following schema for setting up PostgreSQL database user provisioning/deprovisioning. We have used this schema to illustrate how to configure the options for a simple database. You can use this example to configure your own PostgreSQL database as a user store in miniOrange.

Example Setup:

Database Type PostgreSQL v9.6
Database Name APPSDB
Database JDBC URL (for PostgreSQL) jdbc:postgresql:@serverdomain:5432/APPSDB
Table where user info is stored USERS

USERS table description:

Column Type Description
USERNAME VARCHAR Username column
PASSWORD VARCHAR Stores password of the user; will store default password during user creation
FIRSTNAME VARCHAR Firstname of user
LASTNAME VARCHAR Lastname of user
EMAIL_ADDRESS VARCHAR Email address of user

A. Add PostgreSQL Database as a User Store in miniOrange IdP

B. Configure User Provisioning Queries for PostgreSQL Database

There are two directions in which user provisioning can be configured: Inbound (i.e. from your database into miniOrange) and Outbound (from miniOrange into your database).

Inbound provisioning deals with user import, whereas Outbound deals with user creation/deletion/update. In both cases, attribute mapping is necessary. Attribute mapping between database columns and miniOrange IdP attributes is done via a special notation. Column values are inferred by the miniOrange IdP using this notation.

  • To configure user provisioning for your PostgreSQL database, you will first have to navigate to the User Store section. Here, you will see the list of configured user stores.
  • PostgreSQL Database user provisioning Edit User Store dropdown
  • Click on the dropdown near your configured database and select ‘Edit’:
  • PostgreSQL Database user provisioning Edit User Store page
  • This will open the edit page for your configured user store.
  • Query Strings for PostgreSQL database user provisioning
  • Now you are ready to configure all the required provisioning features.

1. Import Users

  • This is an example of inbound provisioning. Users are imported from the database into the miniOrange default user store. The attributes to be selected are specified in the attributes section of Database as a User Store. For each attribute (except for username and password) that you want to import & map to a user in the miniOrange default user store, you must specify a SELECT query.
  • You do not need to specify a SELECT query for username and password column values; they are imported automatically using the column names used when setting up your database as a user store.
  • In the edit user store page, scroll down until you can see the option for adding database attributes.
  • Query Strings for inbound user provisioning
  • Add as many input fields as required. For this example, we have 3 database columns - FIRSTNAME, LASTNAME, and EMAIL_ADDRESS - excluding the USERNAME and PASSWORD columns. The queries for these columns will be as follows:
    • Query for Firstname → SELECT '##FIRSTNAME##', FIRSTNAME FROM USERS WHERE USERNAME=?
    • Query for Lastname → SELECT '##LASTNAME##', LASTNAME FROM sUSERS WHERE USERNAME=?
    • Query for Email Address → SELECT '##EMAIL_ADDRESS##', EMAIL_ADDRESS FROM USERS WHERE USERNAME=?
  • The [ ‘##COLUMN_NAME##’, COLUMN_NAME ] notation in the query tells miniOrange that this field should be populated with the value of the column from the database, based on the unique username identifier.
  • Your configuration should look like this after you’re done adding the queries:
  • PostgreSQL database User provisioning Query Strings filled

2. Check Users

  • This query is used to check if a particular user already exists in the database. A user that already exists in the database will not be created again. The structure of this query should be such that it checks all the columns in the table that define a distinct user.
  • Check Users query for database user provisioning
  • For our example, we will compare the value of the USERNAME column against the relevant field in miniOrange:
    • SELECT * FROM USERS WHERE USERNAME='##USERNAME##'
    PostgreSQL Database user provisioning Filled-in Check Users query

3. Create User

  • These queries create a user in the database whenever a user is created in miniOrange. The query should contain the appropriate column names. In this example, the password is set to a default string (that must be changed later).
  • These queries use the same notation to specify the attributes that must be mapped from miniOrange IdP to the database. This is an example of outbound provisioning.
  • Create Users query for provisioning
  • In our example, we will sync the username, firstname, lastname, and email address of the newly created user from miniOrange to the database. We will pass a default password string (‘defaultPassword123#’) to the database:
    • INSERT INTO USERS (USERNAME, PASSWORD, FIRSTNAME, LASTNAME, EMAIL_ADDRESS) VALUES ('##USERNAME##', 'defaultPassword123#', '##FIRSTNAME##','##LASTNAME##','##EMAIL_ADDRESS##')
    Filled-in Create Users query
  • In this example, the [ ‘##USERNAME##’, ‘##FIRSTNAME##’, ‘##LASTNAME##’ ] strings will be replaced by the username, firstname, and lastname values of the newly created user in miniOrange.

4. Update User

  • These queries update a user in the database whenever the relevant user details are changed in miniOrange. This is an example of outbound provisioning.
  • Update Users query for database provisioning
  • In this example, all the fields for a particular user are updated in the database when an update is triggered in miniOrange. The username value is immutable in miniOrange, hence it has been used in the WHERE clause:
    • UPDATE USERS SET FIRSTNAME='##FIRSTNAME##', LASTNAME='##LASTNAME##', EMAIL_ADDRESS='##EMAIL_ADDRESS##' WHERE USERNAME='##USERNAME##'
    Filled-in Update Users query for PostgreSQL database user provisioning
  • In this example, only those users’ details are updated, whose username is the same in both miniOrange and the database.

5. Delete Users

  • These queries delete a user from the database whenever a user is deleted in miniOrange. This is an example of outbound provisioning.
  • DELETE Users query for outbound provisioning
  • In this example, we will delete those users from the database whose username column value matches the username field value in miniOrange:
    • DELETE FROM USERS WHERE USERNAME='##USERNAME##'
    Filled-in Delete Users query for outbound database provisioning
  • In this example, only those users whose username matches exactly in both - the database as well as in miniOrange - are deleted from the database.

Once you have filled in the required values, scroll down and click on 'Save' to save your current configuration.

Save configuration

After saving you should see the following success message:

Save configuration successful

C. Configure User Provisioning and Attribute Mapping

We have successfully set up our database as a user store and entered all the queries for inbound as well as outbound provisioning. Now, we must configure the user provisioning section to activate user provisioning for our database.

1. Set PostgreSQL Database as the default user store

  • Navigate to the user store section. You will be shown a list of all your configured user stores. Check if you can see the user store you set up in Part A.
  • Check User Store section you set up for PostgreSQL database user provisioning
  • Click on the dropdown for your database entry, and select ‘Make default’.
  • Set User Store as default
  • Once you have done that, you should see the following success message, and your database will be marked as the default user store.
  • Success message after setting default User Store

2. Navigate to the user provisioning section

  • From the dropdown, select ‘Database’
  • Attribute Mapping setup for PostgreSQL database user provisioning
  • You should be able to see the database attributes that we have configured in Part B. These database attributes are as yet unmapped, so the values of the ‘miniOrange Attributes’ column will be blank.
  • Configured query attributes

3. Map the database attributes to their respective field names in miniOrange

  • The PostgreSQL database attributes can be mapped to 3 different types of attributes:
    • Default User Profile Attributes
    • Custom User Profile Attributes
    • Custom Attributes
  • For this example, all fields configured for our database are mapped to the Default User Profile Attributes.
  • Default User Profile Attributes mapping for postgresql database provisioning
  • The list of default attributes is shown when a database attribute is mapped to a Default User Profile Attribute:
  • List of Default User Profile Attributes
  • Map all the required attributes to their values in the miniOrange IdP. This is how the mapping will look for our example.
  • Default User Profile Attributes mapping list for postgresql database user provisioning

4. Enable Provisioning features

  • Here, you have to choose which provisioning features you want to enable for your PostgreSQL database.
  • List of User Provisioning Features for postgresql database
  • You can choose some or all of these features, as per your requirement. For this example, we will choose the basic inbound & outbound provisioning features:
  • PostgreSQL Database user provisioning basic inbound & outbound provisioning features

5. Save the database configuration

  • Once you have mapped your database attributes to the miniOrange IdP attributes & enabled your desired features, you can go ahead and save this configuration. If everything is properly configured, you should see the following success message:
  • Save database configuration success message

6. Test configuration

  • You can test your configuration by performing one of the actions for which you have enabled the provisioning feature. In this example, we will test it by importing any of your PostgreSQL database users into miniOrange.
  • Initially, these are the users present in the database:
  • PostgreSQL Database users list after user provisioning settings
  • And these are the users present in miniOrange:
  • miniOrange initial users list
  • We will now import the users from the database into miniOrange. Navigate to Provisioning → Import Users, and select ‘Database’ from the dropdown.
  • Import Users from PostgreSQL database and navigate to user provisioning
  • Click on ‘Import’. If the configuration was set up correctly, you should see the following message:
  • PostgreSQL Database user provisioning configuration - Import Users success message
  • You can verify if the import was successful by navigating to Users → Users List
  • verify user import success after PostgreSQL database provisioning
Hello there!

Need Help? We are right here!

support
Contact miniOrange Support
success

Thanks for your inquiry.

If you dont hear from us within 24 hours, please feel free to send a follow up email to info@xecurify.com