Skip to main content
Version: DAI 7.4

Editing Usernames in Keycloak for SSO

DAI supports Single Sign-On (SSO) authentication by integrating with an identity provider (Active Directory or Entra ID). If you are enabling SSO for an existing DAI instance, DAI can link existing DAI user accounts to the users in your identity provider. However, this option only works if the usernames you use in DAI match the user preferred names (UPN) in your identity provider.

This page provides instructions for modifying usernames in DAI as a prerequisite to enabling SSO. For more information about SSO integration in DAI, see How Does Single Sign-On (SSO) Work in DAI?.

Following are examples of why you might need to change the usernames in DAI:

  • Users chose any username they liked in DAI, which did not align with the accounts in their identity provider.

  • There are a few outliers where usernames do not perfectly align with UPNs. For example, when someone's UPN changed in their identity provider but the username remained the same in DAI.

  • Usernames in DAI are based on email addresses rather than UPNs.

Approach

You can link your existing DAI usernames to the their associated UPNs in your identity provider by editing the usernames in DAI's built-in security provider (Keycloak) as described in the steps below.

Potential Locking Issues

When you edit usernames in DAI, you could potentially encounter locking issues in the following scenarios. Note that these scenarios are unlikely to occur because the locks are relatively short-lived and rely on the cached usernames in users active sessions.

  • SUT/Agent locking - When a user runs a test, DAI locks the agents and SUTs before using them to run run tests and then releases them when the test completes. It is possible to hit locking issues with a username during a test run.

  • VAM asset locking - If a user is uploading a revised version of a suite to DAI internal storage or deleting a suite from DAI internal storage, DAI uses that user's username to acquire and release those locks.

warning

To err on the side of caution, we recommend that you do not update a username while that user is actively using the DAI.

Steps

  1. Log in to the Keycloak admin console https://{dai_domain}/auth/admin/master/console using your system administrator credentials.

  2. Select the eggplant realm from the realm selection drop-down in the top left of the screen.

  3. Select Realm Settings from the left navigation menu and select the Login tab.

    DAI Eggplant Realm Settings

  4. At the bottom of this page, enable Edit username by setting it to On. It is disabled (set to Off) by default.

  5. Navigate to Users on the left navigation menu in the Keycloak admin console and amend the usernames of any users you want to change.

warning

It is important that you disable Edit username when you are finished converting your users. Keysight does not support DAI installations with Edit username enabled except when performing this task to convert users.

Last updated on