[MGNLSSO-189] Custom SSO authorization generators

| Created: | 01/Nov/22 | Updated: | 18/Apr/23 | Resolved: | 02/Mar/23 |
| Status: | Closed |
| Project: | Single Sign On |
| Component/s: | None |
| Affects Version/s: | 3.0.0 |
| Fix Version/s: | 3.1.0, saas |
| Type: | New Feature | Priority: | Neutral |
| Reporter: | Matt Rajkovic | Assignee: | Nguyen Phung Chi |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | None |
| Σ Remaining Estimate: | Not Specified | Remaining Estimate: | Not Specified |
| Σ Time Spent: | 5d 7.5h | Time Spent: | 5d 7.5h |
| Σ Original Estimate: | Not Specified | Original Estimate: | Not Specified |
| Attachments: | |
| Issue Links: | |
| Sub-Tasks: | |
| Template: | |
| Acceptance criteria: | Empty |
| Documentation update required: | Yes |
| Date of First Response: | |
| Epic Link: | SSO support for custom IdPs |
| Sprint: | AdminX 30 |
| Story Points: | 8 |
| Team: | |
| Work Started: | |
| Description |

Goal

SSO 3.0.0 lacks a feature/interface for defining a class that resolves groups. Example: for Azure, we receive group IDs instead of group names. We need to resolve these group IDs to names, which is currently not possible; a group-resolution hook is needed there to map an Azure group ID to a group name.

Thoughts for discovery

Notes

Discovery output

```yaml
clients:
  oidc.id: ...
  oidc.secret: ...
  oidc.scope: ...
  oidc.discoveryUri: http://localhost:8180/realms/mgnl/.well-known/openid-configuration
  oidc.preferredJwsAlgorithm: RS256
  oidc.authorizationGenerators: customAuthorization
```

Notes: Re: the second option, "providing out-of-the-box generators which might be configurable": this may not cover all cases in the customers' requirements, especially since Azure AD provides different ways to configure groups/authorization. So we cannot know which configuration pattern is the most common one to build OOTB generators for the IdPs (Azure, Okta, Keycloak).
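As an added illustration of what the requested hook could look like (this is not code from the Magnolia SSO module), the class below implements pac4j's `AuthorizationGenerator` interface with the `generate(WebContext, SessionStore, UserProfile)` signature assumed from pac4j 5.x; the class name, the ID-to-name map and its wiring to the `customAuthorization` entry under `oidc.authorizationGenerators` are assumptions.

```java
import java.util.Collection;
import java.util.Collections;
import java.util.Map;
import java.util.Optional;

import org.pac4j.core.authorization.generator.AuthorizationGenerator;
import org.pac4j.core.context.WebContext;
import org.pac4j.core.context.session.SessionStore;
import org.pac4j.core.profile.UserProfile;

/**
 * Hypothetical generator (not part of the SSO module): turns the Azure AD "groups"
 * claim, which carries group object IDs, into Magnolia group names.
 *
 * Only IDs present in the configured map yield a role. Unknown IDs, a missing claim,
 * or a claim of an unexpected type add nothing, so an unmapped group can never grant
 * access by accident (fail closed).
 */
public class AzureGroupIdAuthorizationGenerator implements AuthorizationGenerator {

    /** Azure AD group object ID -> Magnolia group name (assumed to come from configuration). */
    private final Map<String, String> groupIdToName;

    public AzureGroupIdAuthorizationGenerator(Map<String, String> groupIdToName) {
        this.groupIdToName = Collections.unmodifiableMap(groupIdToName);
    }

    @Override
    public Optional<UserProfile> generate(WebContext context, SessionStore sessionStore, UserProfile profile) {
        Object claim = profile.getAttribute("groups");
        if (!(claim instanceof Collection)) {
            // No "groups" claim, or not a list: leave the profile without roles.
            return Optional.of(profile);
        }
        for (Object id : (Collection<?>) claim) {
            String name = groupIdToName.get(String.valueOf(id));
            if (name != null) {
                // Mapped ID: grant the configured group name as a role.
                profile.addRole(name);
            }
        }
        return Optional.of(profile);
    }
}
```

How the `customAuthorization` config entry would instantiate this class and populate the map is not defined on this page and is left as an assumption.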