Feature - add Support to Idp Groups #990

Open
felpasl opened this issue May 3, 2023 · 6 comments
Labels
waiting on feedback: Waiting for feedback from user

Comments

@felpasl

felpasl commented May 3, 2023

Is your feature request related to a problem? Please describe.
Sync users from an OAuth provider with Identity Provider groups.

Describe the solution you'd like

  • On the OAuth config, specify the group claim to be read.
  • If the specified claim is set, add a field on FeatureHub groups to specify the value of the group claim coming from the IdP.
  • During login, update groups to accept IdP corporate groups.

Describe alternatives you've considered
Using the FeatureHub API, write code to sync from the IdP using the /mr-api/person endpoint with the auth.userMustBeCreatedFirst=false config.

@felpasl changed the title from "Feature - add Support Idp Groups" to "Feature - add Support to Idp Groups" May 3, 2023
@rvowles
Contributor

rvowles commented May 3, 2023

Hi there! Just trying to probe into this ticket a bit more as I'm not sure quite what you need.

Is it intended to precreate users? You could do that using the API, and you may wish to do so as they won't have any access to anything by default.

The other thing I was thinking is you might be suggesting to prevent people logging on if they don't have the right corporate groups? If so we recommend using SAML for that as you can configure that easily on your side.

If neither of these suggestions is correct or suitable, could you point me to some documentation where I might get a better understanding?

@felpasl
Author

felpasl commented May 3, 2023

> Hi there! Just trying to probe into this ticket a bit more as I'm not sure quite what you need.
>
> Is it intended to precreate users? You could do that using the API, and you may wish to do so as they won't have any access to anything by default.

No, by default auth.userMustBeCreatedFirst takes care of this.

> The other thing I was thinking is you might be suggesting to prevent people logging on if they don't have the right corporate groups? If so we recommend using SAML for that as you can configure that easily on your side.

SAML is not an option; I need this on OAuth2. On the IdP we have corporate groups, and I need to assign groups from there: during login these groups are received by FeatureHub as a claim, and FeatureHub should update its groups accordingly. By default the "control" of groups is only in my IdP (IBM IAM), a corporate rule: the user<>group authorization lives in the IdP, not in FeatureHub; FeatureHub only controls group<>role.

> If neither of these suggestions is correct or suitable, could you point me to some documentation where I might get a better understanding?

Something like role mapping in Grafana, which receives from the OAuth IdP the role claim with the group equivalent in the platform:
https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/generic-oauth/#role-mapping

@rvowles
Contributor

rvowles commented May 4, 2023

Thanks for the extra info.

Because of the feature rich nature of our permissions system, we have discounted supporting this kind of capability because we cannot see how it would work. We would need more real life specific examples.

I can see from the link you showed in Grafana what you mean, but FeatureHub portfolio/group permission mapping would be required here - one presumes your claims would need to support the portfolio and groups for each set of permissions? How would you see it working more precisely? Does your IBM IAM support SCIM and would that be a better way to support it?

Thanks!
Richard

@felpasl
Author

felpasl commented May 4, 2023

I want to introduce a new feature in a group page that allows users to configure a mapping between a specific role and a group. When this feature is enabled, a new field will become available where users can specify the role associated with that particular group.

During the login process, the system will check the role value for the user and map them to the appropriate group based on that value. For example, if a FeatureHub group called "DevOnly" on "Portfolio1" is mapped to an IDP group called "FeatureHub-portfolio1-DevOnly," the system will automatically add the user with the "FeatureHub-portfolio1-DevOnly" role to the "DevOnly" group.
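The mapping described in the original issue (a group claim named on the OAuth config, a per-group field holding the IdP value, membership applied at login) and the concrete "FeatureHub-portfolio1-DevOnly" to "DevOnly" on "Portfolio1" case from the comment above, as an added Python example. This is not FeatureHub code and not the reporter's code: the claim name `groups`, the mapping table and the `FeatureHub-<portfolio>-<group>` naming are assumptions taken from the thread. It goes one step beyond the comment by also computing removals, so that losing an IdP group revokes the FeatureHub group on the next login and the IdP stays the source of truth, while groups outside the mapping are never touched.

```python
"""Map IdP group claims from an already-verified OAuth2/OIDC ID token onto
FeatureHub portfolio groups, deny-by-default.

Constructed example, not FeatureHub code. The claim name, the mapping table
and the "FeatureHub-<portfolio>-<group>" naming are assumptions taken from
the issue discussion.
"""
import re
from dataclasses import dataclass

GROUP_CLAIM = "groups"  # assumption: the claim name configured on the OAuth config

# Configured mapping: IdP group value -> (portfolio, FeatureHub group).
# Only values listed here can ever grant membership; anything else is ignored.
GROUP_MAPPING = {
    "FeatureHub-portfolio1-DevOnly": ("Portfolio1", "DevOnly"),
    "FeatureHub-portfolio1-Admins": ("Portfolio1", "Admins"),
    "FeatureHub-portfolio2-Readers": ("Portfolio2", "Readers"),
}


@dataclass(frozen=True)
class MembershipChange:
    add: frozenset
    remove: frozenset


def idp_groups_from_claims(claims, claim_name=GROUP_CLAIM):
    """Extract the group claim as a set of strings.

    Handles the two common encodings, a JSON array or a single
    comma/space separated string. Anything else counts as 'no groups'.
    The claims must come from an ID token whose signature, issuer,
    audience and expiry were validated before this function is called.
    """
    value = claims.get(claim_name)
    if value is None:
        return set()
    if isinstance(value, str):
        return {g for g in re.split(r"[,\s]+", value) if g}
    if isinstance(value, (list, tuple)):
        return {g for g in value if isinstance(g, str)}
    return set()


def desired_memberships(idp_groups, mapping=GROUP_MAPPING):
    """Translate IdP group values into (portfolio, group) pairs; unknown values drop out."""
    return {mapping[g] for g in idp_groups if g in mapping}


def reconcile(claims, current_memberships, mapping=GROUP_MAPPING, claim_name=GROUP_CLAIM):
    """Compute the membership change to apply for one login.

    current_memberships: set of (portfolio, group) the user currently holds in
    FeatureHub. Only groups that appear in the mapping are managed; local-only
    groups are neither added nor removed, so administrators can still grant
    access outside the IdP without it being reverted at the next login.
    """
    managed = set(mapping.values())
    wanted = desired_memberships(idp_groups_from_claims(claims, claim_name), mapping)
    current_managed = set(current_memberships) & managed
    return MembershipChange(
        add=frozenset(wanted - current_managed),
        remove=frozenset(current_managed - wanted),
    )


if __name__ == "__main__":
    # Constructed claims, as they would look inside a verified ID token.
    claims = {"sub": "alice", "groups": ["FeatureHub-portfolio1-DevOnly", "Unrelated-Group"]}
    current = {("Portfolio1", "Admins"), ("Portfolio3", "LocalOnly")}
    change = reconcile(claims, current)
    print("add:", sorted(change.add))
    print("remove:", sorted(change.remove))
```

Two points the function encodes that the comment leaves implicit: the check is deny-by-default (an IdP value that is not configured grants nothing, so a typo or a newly created IdP group cannot accidentally confer access), and reconciliation is two-sided (a user who drops out of the corporate group loses the FeatureHub group at the next login, which is what "authorization user<>group is in the IdP" requires).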

@rvowles
Contributor

rvowles commented Jun 25, 2023

How have you gotten on with the development for this?

@felpasl
Author

felpasl commented Jul 3, 2023

We are developing a proxy API between the identity provider's group management webhook and the FeatureHub management API, so that users and groups are synchronized.
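A proxy that sits between the IdP's webhook and the FeatureHub management API holds the power to change group membership, so the first thing it has to do is authenticate what the IdP sends and refuse replays. The following is an added Python example, not the reporter's proxy and not FeatureHub or IBM IAM code: the header names, the HMAC-SHA256 signature over `<timestamp>.<body>`, the replay window and the JSON payload shape are all assumptions, because the thread does not describe the real webhook format. Replace `sign` with whatever scheme the IdP actually documents; the ordering of the checks is the part that carries over.

```python
"""Authenticate an inbound group-change webhook before it is allowed to drive
a management API.

Constructed example. Header names, the HMAC-SHA256-over-"<ts>.<body>" scheme,
the replay window and the payload fields are assumptions; the real IdP
webhook format is not described in the issue thread.
"""
import hashlib
import hmac
import json
import time

SIG_HEADER = "X-Signature-256"        # assumption
TS_HEADER = "X-Signature-Timestamp"   # assumption
MAX_SKEW_SECONDS = 300                # reject anything older than 5 minutes


class WebhookRejected(Exception):
    """Raised for anything that must not reach the management API."""


def sign(secret, timestamp, body):
    """Signature the sender is assumed to compute: HMAC-SHA256 over "<ts>.<body>".

    Binding the timestamp into the MAC means an attacker cannot take a valid
    signature and re-send it later with a fresh timestamp header.
    """
    mac = hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256)
    return "sha256=" + mac.hexdigest()


def verify_webhook(secret, headers, body, now=None, seen_ids=None):
    """Return the parsed event if it is authentic, fresh and not a replay.

    Checks run in this order on purpose: timestamp window, then MAC over the
    raw bytes, then JSON parsing, then event-id deduplication. Unauthenticated
    input never reaches the JSON parser or any business logic.
    """
    now = time.time() if now is None else now
    try:
        ts = int(headers[TS_HEADER])
    except (KeyError, ValueError):
        raise WebhookRejected("missing or malformed timestamp")
    if abs(now - ts) > MAX_SKEW_SECONDS:
        raise WebhookRejected("timestamp outside replay window")

    expected = sign(secret, ts, body)
    provided = headers.get(SIG_HEADER, "")
    if not hmac.compare_digest(expected, provided):   # constant-time comparison
        raise WebhookRejected("bad signature")

    event = json.loads(body)
    event_id = event.get("id")
    if not isinstance(event_id, str) or not event_id:
        raise WebhookRejected("event without id")
    if seen_ids is not None:
        # Within the time window a signed message is still valid; the event id
        # is what makes delivery idempotent. Use durable storage in practice.
        if event_id in seen_ids:
            raise WebhookRejected("duplicate event id")
        seen_ids.add(event_id)
    return event


if __name__ == "__main__":
    # Constructed secret, payload and headers standing in for an IdP delivery.
    secret = b"constructed-shared-secret"
    payload = {"id": "evt-1", "type": "group.member.added",
               "group": "FeatureHub-portfolio1-DevOnly", "user": "alice@example.com"}
    body = json.dumps(payload).encode()
    ts = int(time.time())
    headers = {TS_HEADER: str(ts), SIG_HEADER: sign(secret, ts, body)}
    seen = set()
    print("accepted:", verify_webhook(secret, headers, body, seen_ids=seen)["id"])
    try:
        verify_webhook(secret, headers, body, seen_ids=seen)
    except WebhookRejected as exc:
        print("replay rejected:", exc)
```

Only after `verify_webhook` returns should the proxy translate the event into a management call, and it should do so through a configured allow-list of IdP groups rather than trusting the group name in the payload to name a FeatureHub group directly.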

@rvowles added the "waiting on feedback" label Jan 26, 2024