Is there a way to automate external identity mapping?

With some help I've successfully mapped a few of my Active Directory users to their Google Drive counterparts.

But I can't help but wonder if there is a better way. Do external identity mappings have to be configured via the API? Or is there a way to tell Enterprise Search that all Native Realm/AD users have a Google username that looks like < AD username >@< our domain >?

To state it another way:

I want to be able to configure Workplace Search so that it automatically adds an external mapping for each shared source that would need an external mapping.

Hopefully that all makes sense. :\


To answer your question directly: the API is the way today.

We do want to make this experience better over time, and get systems such as AD much more tightly integrated. While we have you here: what would that look like to you? How do you envision that as someone with an AD instance with clear mappings? Are those mappings attribute-based?

For Google, the user ID is going to be the user's email. (I mean, is it even possible for it to not be the user's email?) So I'd configure the AD realm in elasticsearch.yml with which AD attribute the email lives in; from there it should be possible to get that info to Enterprise Search.

Ultimately, I think being able to configure fields in elasticsearch.yml based on attributes in AD, and then expose those fields to Enterprise Search would be the way to go. For one system I could select the "username" field as the external identity mapping. For another the email, for a third the display name, and so on.

I'd think the same method would work for SAML.

Hopefully that makes a little sense. End of the day for me, and I'm a bit scatterbrained.

That makes sense! Enjoy the downtime, we'll be here tomorrow and beyond :slight_smile:
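
An added example, not part of the thread and not Elastic's code: a sketch of scripting the API route for the `< AD username >@< our domain >` convention, building one mapping request per user per source and refusing any AD name that is malformed or that would resolve to an identity already claimed by another user. The endpoint path, the `user`/`source_user_id` body fields and all sample names are assumptions to check against the API reference for your version.

```python
import re

# Assumption: path shape of the Workplace Search external identities endpoint;
# check it against the API reference for your version before sending anything.
ENDPOINT = "/api/ws/v1/sources/{source_id}/external_identities"

# Conservative local-part check so a malformed AD name never becomes an address.
LOCAL_PART = re.compile(r"^[a-z0-9][a-z0-9._-]*$")


def google_id(ad_username, domain):
    """Derive '<AD username>@<our domain>' from a bare, DOMAIN\\user or UPN name."""
    name = ad_username.strip().split("\\")[-1].split("@")[0].lower()
    if not LOCAL_PART.match(name):
        raise ValueError(f"cannot derive an address from {ad_username!r}")
    return f"{name}@{domain.lower()}"


def plan_mappings(ad_usernames, source_ids, domain):
    """Return (requests, rejected); requests are (path, body) pairs, one per user per source."""
    owners, rejected = {}, []
    for user in ad_usernames:
        try:
            ext = google_id(user, domain)
        except ValueError as err:
            rejected.append((user, str(err)))
            continue
        if ext in owners:
            # Two logins resolving to one Google identity would share document access.
            rejected.append((user, f"collides with {owners[ext]!r} on {ext}"))
            continue
        owners[ext] = user
    # Assumption: body field names "user" and "source_user_id".
    requests = [
        (ENDPOINT.format(source_id=sid), {"user": user, "source_user_id": ext})
        for sid in source_ids
        for ext, user in owners.items()
    ]
    return requests, rejected


if __name__ == "__main__":
    # Constructed sample data: usernames, domain and source id are placeholders.
    users = ["jdoe", "CORP\\asmith", "asmith@corp.local", "bad name"]
    reqs, bad = plan_mappings(users, ["SOURCE_ID_PLACEHOLDER"], "example.com")
    for path, body in reqs:
        print("POST", path, body)
    for user, reason in bad:
        print("skipped", user, "-", reason)
```

The script only plans the requests; review the rejected list before sending anything, since a mapping to the wrong external identity exposes that identity's documents to the mapped user.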