JetBrains / teamcity-azure-active-directory

TeamCity plugin which supports authentication via Microsoft Azure Active Directory
Apache License 2.0

Change (or allow configuration of) how username, name and email account will be added to TeamCity from AD #8

Closed ghost closed 6 years ago

ghost commented 9 years ago

I just tried the plugin and it adds the AD full name as TeamCity username, and adds nothing for name and email on TeamCity account.

It seems most 'natural' if it let the AD username and full name be the TeamCity username and name, respectively, and the AD UPN be the TeamCity email.

Or maybe a configuration option could be added to the plugin to allow these mappings.

maartenba commented 9 years ago

Would be nice. This also makes it possible to link existing users to AAD users?

ghost commented 9 years ago

What JWT property do you expect to use as UPN? as for email - it is provided

maartenba commented 9 years ago

Ideally it can be mapped, e.g. by e-mail so that it can be linked to an existing user.

ghost commented 9 years ago

@maartenba i gonna link existing users via email the question is - what aad user jwt property to use as teamcity username when creating new user

maartenba commented 9 years ago

Configurable? Or part of the email before @?

ghost commented 9 years ago

why not to use name claim? full name of live id user is a given name and surname so name is what we need - no?

maartenba commented 9 years ago

That's an option, too. Although name (as well as email) could potentially change. uid or oid I believe is the unique key.

ghost commented 9 years ago

we already use oid to map teamcity user to aad user, so looks like all we need is to fill email and full name fields

maartenba commented 9 years ago

Would that also make it possible to link existing TeamCity users to an AAD identity? E.g. we have a number of users in TeamCity already but would like to link them to an AAD identity so we can turn off basic auth and have AAD only.

ghost commented 9 years ago

It will be possible. But mapping via email requires the email to be trusted / verified. So there will be an option in the AAD auth schema settings: Associate AAD user with existing TeamCity user via e-mail.

maartenba commented 9 years ago

:+1:

ghost commented 9 years ago

@andre-takenet i've failed to find mentioned properties in JWT retrieved from AAD. Could you please share an example of user profile and JWT?

ghost commented 9 years ago

@ekoshkin, I don't know how to get a JWT sample... Can you give me some hints on how I can do this?

ghost commented 9 years ago

@andre-takenet please take a look https://msdn.microsoft.com/en-us/library/azure/dn645542.aspx

ghost commented 9 years ago

@ekoshkin, I think the mapping could be:

- TeamCity username -> unique_name
- TeamCity name -> given_name + family_name
- TeamCity email -> upn
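The claim-to-field mapping discussed in this thread (oid as the stable key, unique_name as username, given_name + family_name as full name, upn as email, and email-based linking of existing users only behind an explicit option), as an added illustration that is not the plugin's own code. It assumes a constructed, unsigned sample token; in a real flow the JWT signature and issuer would already have been verified before any claim is read, which this snippet does not do.

```python
import base64
import json
from dataclasses import dataclass
from typing import Optional

# Constructed sample claims, not taken from a real AAD token.
SAMPLE_CLAIMS = {
    "oid": "00000000-0000-0000-0000-000000000001",
    "unique_name": "jdoe@example.com",
    "upn": "jdoe@example.com",
    "given_name": "Jane",
    "family_name": "Doe",
    "name": "Jane Doe",
}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_token(claims: dict) -> str:
    # Builds header.payload.signature with a placeholder signature so the
    # parsing path can be exercised offline. Never accept such a token.
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


def payload_from_token(token: str) -> dict:
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


@dataclass
class MappedUser:
    external_id: str        # oid: the stable key used to tie the TeamCity user to AAD
    username: str           # unique_name (falls back to upn)
    full_name: str          # given_name + family_name (falls back to name, then username)
    email: Optional[str]    # upn (falls back to email)
    link_by_email: bool     # only true when the operator enabled email association


def map_claims(claims: dict, allow_email_linking: bool = False) -> MappedUser:
    oid = claims.get("oid")
    if not oid:
        # name and email can change over time; without oid there is no
        # stable identity to map, so refuse rather than guess.
        raise ValueError("oid claim missing; refusing to map without a stable key")

    username = claims.get("unique_name") or claims.get("upn")
    if not username:
        raise ValueError("neither unique_name nor upn present; cannot derive a username")

    given = (claims.get("given_name") or "").strip()
    family = (claims.get("family_name") or "").strip()
    full_name = " ".join(p for p in (given, family) if p) or claims.get("name") or username

    email = claims.get("upn") or claims.get("email")
    # Linking an existing TeamCity account by email is opt-in, because it
    # only makes sense when the email in the token is trusted.
    link_by_email = bool(allow_email_linking and email and "@" in email)

    return MappedUser(oid, username, full_name, email, link_by_email)


if __name__ == "__main__":
    token = make_unsigned_token(SAMPLE_CLAIMS)
    print(map_claims(payload_from_token(token), allow_email_linking=True))
```

The fallback order mirrors the thread: oid is mandatory, the display name is assembled from given_name and family_name and only drops back to the combined name claim when those are absent, and email association is never implied by the presence of an email claim alone.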