diff --git a/doc/howto/mod_auth_openidc_feide.rst b/doc/howto/mod_auth_openidc_feide.rst index 4c14cb8dfb..e5f1b5d69e 100644 --- a/doc/howto/mod_auth_openidc_feide.rst +++ b/doc/howto/mod_auth_openidc_feide.rst @@ -147,11 +147,17 @@ NAV configuration varname = REMOTE_USER logout-url = /oidc/?logout= workaround = feide-oidc + autocreate = off "oidc" in the ``logout-url`` points to the same place as the ````-block in the apache configuration and the redirect URI in the Feide dashboard. +By toggling autocreate to "on", users are automatically created on first login +via OIDC, This is probably not what you want, which is why the default is +"off". With it "off" it is necessary to pre-create the users in order to allow +login. + Gotchas ======= diff --git a/doc/reference/web_authentication.rst b/doc/reference/web_authentication.rst index 27c4950d3d..22a87e4ce0 100644 --- a/doc/reference/web_authentication.rst +++ b/doc/reference/web_authentication.rst @@ -21,6 +21,17 @@ Since the password is controlled from a system externally to NAV, the user does not have access to change the password from inside NAV. If an account is set to invalid in NAV, the user will not be logged in, even if the header is set. +Creating users on first login +----------------------------- + +Earlier versions of this functionality created users on first login. That is no +longer the case. To enable the previous behaviour, set ``autocreate = on`` in +the ``[remote-user]`` section in the config-file. + +With the default, which is ``off``, it is necessary to pre-create users for +them to be able to log in. This can be done from the command line with +``navuser``, or via the web interface. + Workarounds for "strange" `REMOTE_USER` values ----------------------------------------------