Configure people identifiers

In the Management Portal at Data Model > People Identifiers, configure methods to identify people in your environment. This can be the Windows user account or an e-mail address, but also an employee ID or phone number; as long as you can assign a unique value to it. User authentication in the Web Portal is also based on people identifiers.

You can specify individual values for a person by opening the person's record from the People page, then clicking the Properties tab.

Identity Director contains two default people identifiers:

  • Primary e-mail address
  • Windows user account

By default, people in your environment are identified through their Windows user account. You can change this at Setup > Behavior > General.
After changing the People Identifier, make sure to log out of the Management Portal and log back in for the new settings to be properly applied.

Configuration

Field Explanation and Tips
Link to service attribute Resolve the value of the people identifier automatically when someone subscribes to the service. For example, this allows you to determine the value through user input.
  • The person must subscribe to the service before the value of its service attribute can be resolved. The value only exists as long as the person subscribes to the service.
  • You can edit the resolved values.
Restricted information Mask the people identifier value in the Management Portal. This ensures you can be compliant with the privacy laws of your country or organization, as unauthorized administrators do not have access to private information like e-mail addresses, phone numbers, social security numbers, etc. This functionality applies to the Management Portal only; restricted information is still shown in the Web Portal.
  • Unauthorized administrators see the icon Evil eye for restricted identifiers. At Transactions, restricted identifiers are shown as [identifiername]. Although unauthorized administrators cannot see the identifier value, this still allows them to verify if the context or definition of the identifier is correct.
  • Unauthorized administrators cannot search for people based on restricted identifiers.
  • You can set administrative permissions on this functionality.
  • People identifier values have a limit of 255 characters. If the value of a people identifier exceeds this limit, for example because it is linked to a service attribute or because it is set by a Set Person Attributes and Identifiers action, it is truncated to 255 characters.

People identifiers for Identity Director administrators

Consider the following scenario:

  1. At Setup > Behavior > General, you have configured an option other than the Windows user account as the People Identifier in your environment (Primary e-mail address, employee ID, User Principal Name, phone number).

  2. As an administrator, you are requesting/assigning or returning/unassigning a service for one of the people in your environment, in the Management Portal.

In this situation, you need to add the Windows account of the administrator (DOMAIN\user name) as the same type of identifier, as pictured below:
A person's Windows account and e-mail address added as Primary e-mail address identifiers

This is because once the Windows authenticates a person based on the set identifier, it returns the Windows user account, and not the identifier.
If a person's identifiers are not configured as described above, the system will be unable to recognize the account as an Identity Director person and, therefore, will not allow it to request or return services for people.

See also