| This is documentation for Semarchy xDM 2023.3, which is no longer supported. For more information, see our Global Support and Maintenance Policy. | 
Manage users in Semarchy xDM
Users in xDM are all the individuals who interact with the platform: administrators, designers, and business users. This page explains how to manage users in xDM.
User authentication
Users authenticate using an identity provider (IDP), which may be:
- The internal identity provider, which stores users and roles in the xDM platform.
- A third-party identity provider for single sign-on.
When a user logs into xDM, they use either the platform's own login form or the login experience of a third-party IDP.
During the login process:
- The user is given access to xDM.
- The user receives a set of effective roles, which grant them platform-level and model-level privileges.
- The user's profile information is seeded or set.
| Roles vs. groups: certain IDPs use groups. Depending on the IDP configuration, these groups are included in the user's effective roles. | 
Create a user
Users who connect to xDM through the internal IDP must be created in xDM; when creating these users, you define their password.
You may also create users who connect to xDM through a third-party IDP, in order to invite them to use xDM. This provisions the users without passwords, since their authentication is performed by the third-party IDP.
To create a user:
- In Configuration, select Users in the navigation drawer. The Users list opens.
- Click the Add User floating action button in the lower-right corner of the screen.
- In the Add User dialog, enter the Username.
- Select one or more Assigned Roles for this user. These roles are assigned to the user in addition to those returned by the authentication process.
- Set the First Name, Last Name, and Email for this user. You do not need to set these if the IDP the user logs in with synchronizes this information.
- Select Send invite to send an invite email to this user. To send an invite, a mail notification server must be configured as the Default Notification Server, and the Email must be set for the user.
- If the user will authenticate using the internal IDP:
  - Expand the Authentication Setting section, and select Enable internal authentication.
  - Enter a Password for the user.
  - (Optional) Select Ask for a password change at the next login to force the user to change that password at the next login.
- Click Create.
The new user is created and the sidesheet opens for this user.
Automate user creation from SSO
When a user connects to xDM using a third-party IDP, they receive the roles defined in that IDP's configuration: both the default roles and those returned by the IDP.
After authentication, users who received the appropriate roles can access the platform, and their user record is created automatically in xDM.
| An easy way to enable this is by setting baseline roles in the IDP’s Default Roles (e.g., the semarchyConnect role). | 
Modify the assigned roles
A user authenticating with an IDP receives roles configured for that IDP, which include:
- The default roles assigned to all users, as defined in the IDP configuration.
- The roles or groups returned by the IDP, as well as those returned via the role mapping mechanism.
Additionally, roles can be assigned directly to that user in xDM. These role assignments are stored within xDM.
| A user connecting with the internal IDP only receives the default roles defined for that IDP, plus those assigned in xDM. | 
To modify the roles assigned to a user:
- In the Users list, select the user. The sidesheet opens with this user's information.
- In the sidesheet header, select Assign Roles.
- Select or remove the Assigned Roles for this user.
- Click Assign.
Configure internal authentication
A user may be allowed to connect using the internal IDP.
- When this option is enabled, the user can log in through the login form, using a password stored in xDM.
- When this option is disabled, the user can only log in through a third-party IDP in which a user with the same name is defined.
| Using the internal IDP is not recommended in production environments. | 
To configure internal authentication for a user:
- In the Users list, select the user. The sidesheet opens with this user's information.
- In the sidesheet header, select Configure Internal Authentication.
- Select or deselect Enable Internal Authentication.
- If you enable internal authentication for the user:
  - Enter a Password for the user.
  - (Optional) Select Ask for a password change at the next login to force the user to change that password at the next login.
  - (Optional) Select Send invite to send an email to this user with their password. To send the password by email, a mail notification server must be configured as the Default Notification Server, and the Email must be set for the user.
- Click Apply.
| A user defined in a third-party IDP and having the Enable Internal Authentication option selected can connect with both the third-party IDP and the xDM password. This is not a recommended configuration since the roles assigned to that user may vary depending on the authentication method. Preferably use separate sets of users for the internal IDP and the third-party IDPs. | 
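The following is an added example, not xDM code or configuration, that models the role-resolution rules described under "Modify the assigned roles" and the caveat in the note above: an IDP's default roles, the groups it returns (used raw or through the role mapping, depending on the IDP configuration), and the roles assigned in xDM are combined into the effective roles, and a user allowed to log in both ways can end up with different privileges depending on the login used. The class and function names, the two sample IDP configurations, and the role and group names are assumptions made for this illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Illustrative model of the rules on this page; not xDM's API or configuration.
# IdpConfig, resolve_effective_roles and the sample data below are assumptions.


@dataclass(frozen=True)
class IdpConfig:
    name: str
    # roles granted to every user who authenticates through this IDP
    default_roles: frozenset[str]
    # IDP group/role name -> xDM role (the "role mapping" mechanism)
    role_mapping: dict[str, str] = field(default_factory=dict)
    # whether groups returned by the IDP are used as roles as-is
    include_idp_groups: bool = True


def resolve_effective_roles(idp: IdpConfig, idp_groups: list[str],
                            xdm_assigned: list[str]) -> frozenset[str]:
    """Effective roles for one login: IDP default roles, plus the groups/roles
    the IDP returned (raw and/or mapped), plus roles assigned to the user in xDM."""
    roles = set(idp.default_roles)
    if idp.include_idp_groups:
        roles.update(idp_groups)
    roles.update(idp.role_mapping[g] for g in idp_groups if g in idp.role_mapping)
    roles.update(xdm_assigned)
    return frozenset(roles)


# Constructed sample configuration (assumed, for illustration only).
CORP_SSO = IdpConfig(
    name="corp-sso",
    default_roles=frozenset({"semarchyConnect"}),
    role_mapping={"mdm-stewards": "DataSteward"},
    include_idp_groups=False,  # keep raw directory group names out of the role set
)
INTERNAL = IdpConfig(name="internal", default_roles=frozenset({"semarchyConnect"}))


def roles_by_auth_method(sso_groups: list[str],
                         xdm_assigned: list[str]) -> dict[str, frozenset[str]]:
    """Roles the same username gets via SSO versus the internal login form.
    The internal IDP returns no groups, so only its default roles and the
    roles assigned in xDM apply there."""
    return {
        "sso": resolve_effective_roles(CORP_SSO, sso_groups, xdm_assigned),
        "internal": resolve_effective_roles(INTERNAL, [], xdm_assigned),
    }


def role_drift(sso_groups: list[str], xdm_assigned: list[str]) -> frozenset[str]:
    """Roles held through one login method but not the other. A non-empty result
    means the user's privileges depend on which login they use, which is the
    situation the note above recommends avoiding."""
    r = roles_by_auth_method(sso_groups, xdm_assigned)
    return r["sso"] ^ r["internal"]


if __name__ == "__main__":
    groups, assigned = ["mdm-stewards", "finance"], ["Reader"]
    for method, roles in roles_by_auth_method(groups, assigned).items():
        print(f"{method:8} -> {sorted(roles)}")
    print("drift   ->", sorted(role_drift(groups, assigned)))
```

With the sample configuration, the SSO login yields DataSteward through the role mapping while the internal login does not, so `role_drift` reports that role; keeping internal-IDP users and third-party-IDP users as separate sets, as the note advises, makes that drift impossible.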
Manage users with the REST API
The xDM REST API provides endpoints to manage users. For more details, see the REST API documentation.