Feature - add Support to Idp Groups #990
Comments
Hi there! Just trying to probe into this ticket a bit more as I'm not sure quite what you need. Is it intended to precreate users? You could do that using the API, and you may wish to do so as they won't have any access to anything by default. The other thing I was thinking is you might be suggesting to prevent people logging on if they don't have the right corporate groups? If so we recommend using SAML for that as you can configure that easily on your side. If neither of these suggestions is correct or suitable, could you point me to some documentation where I might get a better understanding?
No, by default auth.userMustBeCreatedFirst takes care of this.
SAML is not an option, I need this on OAuth2. On the IDP we have corporate groups; I need to assign groups from there, and during login these groups are received in FeatureHub as a claim and update the groups in FeatureHub. The "control" of groups is by default only in my IDP (IBM IAM), a corporate rule: user<>group authorization is in the IDP, not in FeatureHub; FeatureHub only controls group<>role.
Something like role mapping in Grafana, which receives the role claim from the OAuth IDP with the equivalent group in the platform.
Thanks for the extra info. Because of the feature rich nature of our permissions system, we have discounted supporting this kind of capability because we cannot see how it would work. We would need more real life specific examples. I can see from the link you showed in Grafana what you mean, but FeatureHub portfolio/group permission mapping would be required here - one presumes your claims would need to support the portfolio and groups for each set of permissions? How would you see it working more precisely? Does your IBM IAM support SCIM and would that be a better way to support it? Thanks!
I want to introduce a new feature in a group page that allows users to configure a mapping between a specific role and a group. When this feature is enabled, a new field will become available where users can specify the role associated with that particular group. During the login process, the system will check the role value for the user and map them to the appropriate group based on that value. For example, if a FeatureHub group called "DevOnly" on "Portfolio1" is mapped to an IDP group called "FeatureHub-portfolio1-DevOnly," the system will automatically add the user with the "FeatureHub-portfolio1-DevOnly" role to the "DevOnly" group.
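The mapping proposed in the comment above, sketched as an added example that is not part of the thread and not FeatureHub code: it computes which mapped groups a user should be added to or removed from at login, and calls no FeatureHub API. The claim name `groups`, the `GroupMapping` type, the `Admins` group and the choice to remove mapped groups when the claim is absent are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class GroupMapping:
    idp_role: str   # value expected in the IdP claim
    portfolio: str  # FeatureHub portfolio name
    group: str      # FeatureHub group name


# Constructed sample mapping (names taken from the comment above, plus one
# hypothetical "Admins" group to show removal).
MAPPINGS = [
    GroupMapping("FeatureHub-portfolio1-DevOnly", "Portfolio1", "DevOnly"),
    GroupMapping("FeatureHub-portfolio1-Admins", "Portfolio1", "Admins"),
]


def roles_from_claims(claims, claim_name="groups"):
    """Return the set of role strings in the claim; claim_name is an assumption."""
    value = claims.get(claim_name)
    if value is None:
        return set()            # no claim -> no IdP-granted roles
    if isinstance(value, str):
        value = [value]         # some IdPs send a single string, not a list
    if not isinstance(value, (list, tuple)):
        raise ValueError(f"unexpected type for claim {claim_name!r}")
    return {v for v in value if isinstance(v, str) and v}


def plan_membership(claims, current_groups, mappings=MAPPINGS):
    """Compute (add, remove) lists of (portfolio, group) for one login.

    Only groups that appear in a mapping are managed; membership in any other
    group is left alone. Role names are compared exactly (case-sensitive).
    """
    roles = roles_from_claims(claims)
    managed = {(m.portfolio, m.group) for m in mappings}
    wanted = {(m.portfolio, m.group) for m in mappings if m.idp_role in roles}
    current = set(current_groups)
    add = sorted(wanted - current)
    remove = sorted((current & managed) - wanted)
    return add, remove
```

Groups without a mapping stay under manual control in FeatureHub, so enabling the mapping for one group does not strip memberships granted elsewhere.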
How have you gotten on with the development for this?
We are developing a proxy API between the identity provider group management webhook and the FeatureHub management API, so users and groups are synchronized.
Is your feature request related to a problem? Please describe.
Sync users from an OAuth Provider with Identity Provider Groups
Describe the solution you'd like
Describe alternatives you've considered
Using the FeatureHub API, write code to sync from the IDP using the /mr-api/person endpoint with the auth.userMustBeCreatedFirst=false config.