Removing Users with a Federated Identity


When a Repository Administrator removes a user from the repository, the user is normally removed from that repository only; the user account itself continues to exist (the user may be a member of other repositories).

However, if the user has a federated identity, the administrator sees an additional option to also delete the user account at the time of removal:


This is generally done if the user’s email address needs to be re-used for a different account.


Q: A user who is an employee of Firm 1 has been added as an external user in Firm 2's repository using their Firm 1 email address. Firm 1 then becomes a NetDocuments customer and sets up federated identity. The user's account authentication is taken over by Firm 1's federated identity. The user then leaves Firm 1 and their Active Directory user account is disabled. Is the disabled account removed from Firm 1's repository, or is authentication just denied? Is there any way to allow the user to resume accessing Firm 2's repository using a user name and password, or does Firm 2 need to create a new external user account?

A: Firm 1 will need to have NetDocuments Support disable federated identity for this user. 

Q: Firm 1, after some period of time, deletes the user's disabled Active Directory account. At some point in the future, they create a new AD account and re-use that AD user name and email address. I'm assuming that the email address is still associated with the original user's account in NetDocuments, and that the "old" account is added back into the repository instead of a new ND account being created. Is there any warning to that effect?

A: The old ND account could only be re-used if they used the exact same Active Directory object. If they deleted the user from their Active Directory, the new account will likely be a different object, and the user would not be able to log in until the user either has their federated identity association reset by NetDocuments Support personnel or is deleted.

Q: What are the security implications, and the effect on user experience, of checking the box on the federated identity configuration page that allows users to log in using a username and password?

A: If they check that box, then the users could log in with an ND password OR an Identity Provider password. This isn't the best practice, but it could become needed if the client/firm's identity provider goes down.