feat: SCIM 2.0 Automatic User provisioning #11169

devkiran · 2023-09-06T07:36:37Z

What does this PR do?

Fixes #83

Requirement/Documentation

If there is a requirement document, please, share it here.
If there is ab UI/UX design document, please, share it here.

Type of change

New feature (non-breaking change which adds functionality)
This change requires a documentation update

How should this be tested?

Ensure that NEXT_PUBLIC_HOSTED_CAL_FEATURES=1 and SAML_DATABASE_URL is set
Create an org
Go to "http://app.cal.local:3000/settings/organizations/dsync" and create a dsync connection for Otka
In Bitwarden we have a dev Okta account, log in to Otka at the URL associated with the credentials
From the sidebar go to Applications -> Applications
Select Calcom Local
From the menu go to Provisioning -> Integration
Hit Edit
- From your machine use Ngrok to create a tunnel to your localhost
- On the org dsync data enter the URL under "SCIM connector base URL" but change the base URL to the ngroked one
- Under "Authorization" enter the "SCIM Bearer Token" from the org dsync data
Go to assignments and assign a new user to the app
An org invitation & signup email should have been sent out if the user is not a part of the org
If the user already exists then an invite email should have been sent

Mandatory Tasks

Make sure you have self-reviewed the code. A decent size PR without self-review might be rejected.

vercel · 2023-09-06T07:36:42Z

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
ui	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	Oct 3, 2023 5:09am

vercel · 2023-09-06T07:36:45Z

@devkiran is attempting to deploy a commit to the cal Team on Vercel.

A member of the Team first needs to authorize it.

github-actions · 2023-09-06T07:36:50Z

Thank you for following the naming conventions! 🙏 Feel free to join our discord and post your PR link.

github-actions · 2023-09-06T07:42:44Z

📦 Next.js Bundle Analysis for @calcom/web

This analysis was generated by the Next.js Bundle Analysis action. 🤖

New Page Added

The following page was added to the bundle from the code in this PR:

Page	Size (compressed)	First Load	% of Budget (`350 KB`)
`/settings/organizations/dsync`	`266.69 KB`	455 KB	130.00%

Fourteen Pages Changed Size

The following pages changed size from the code in this PR compared to its base branch:

Page	Size (compressed)	First Load	% of Budget (`350 KB`)
`/500`	`90.54 KB`	278.86 KB	79.67% (🟡 +0.16%)
`/auth/forgot-password`	`102.51 KB`	290.82 KB	83.09% (🟡 +0.15%)
`/auth/forgot-password/[id]`	`106.84 KB`	295.16 KB	84.33% (🟡 +0.15%)
`/auth/verify-email-change`	`90.12 KB`	278.44 KB	79.55% (🟡 +0.16%)
`/bookings/[status]`	`325.83 KB`	514.15 KB	146.90% (🟢 -0.23%)
`/payment/[uid]`	`119.38 KB`	307.69 KB	87.91% (🟡 +0.16%)
`/settings/admin/orgMigrations/_OrgMigrationLayout`	`253.15 KB`	441.47 KB	126.13% (🟢 -1.68%)
`/settings/my-account/profile`	`406.83 KB`	595.14 KB	170.04% (🟢 -0.20%)
`/settings/organizations/profile`	`398.32 KB`	586.63 KB	167.61% (🟢 -0.20%)
`/settings/teams/[id]/members`	`383.32 KB`	571.63 KB	163.32% (🟢 -0.23%)
`/settings/teams/[id]/profile`	`470.92 KB`	659.23 KB	188.35% (🟢 -0.14%)
`/settings/teams/new`	`199.17 KB`	387.48 KB	110.71% (🟡 +0.17%)
`/signup`	`148.63 KB`	336.95 KB	96.27% (🟡 +0.17%)
`/video/[uid]`	`235.1 KB`	423.41 KB	120.97% (🟡 +0.16%)

Details

Only the gzipped size is provided here based on an expert tip.

First Load is the size of the global bundle plus the bundle for the individual page. If a user were to show up to your website and land on a given page, the first load size represents the amount of javascript that user would need to download. If next/link is used, subsequent page loads would only need to download that page's bundle (the number in the "Size" column), since the global bundle has already been downloaded.

Any third party scripts you have added directly to your app using the <script> tag are not accounted for in this analysis

The "Budget %" column shows what percentage of your performance budget the First Load total takes up. For example, if your budget was 100kb, and a given page's first load size was 10kb, it would be 10% of your budget. You can also see how much this has increased or decreased compared to the base branch of your PR. If this percentage has increased by 20% or more, there will be a red status indicator applied, indicating that special attention should be given to this. If you see "+/- <0.01%" it means that there was a change in bundle size, but it is a trivial enough amount that it can be ignored.

PeerRich · 2023-09-07T17:55:23Z

whats missing to leave draft?

devkiran · 2023-09-08T12:12:39Z

@PeerRich Currently, the app receives the users/group events from the identity provider; the next step is to update the database based on the directory sync events. For example, on the user.created event - create a user within the team. We need to handle eight such events as part of the SCIM integration. Someone experienced with users, roles and team management within the Cal can finish the integration. Most of the SCIM-specific works have been finished from our side.

devkiran · 2023-09-11T17:40:22Z

@leog I would Appreciate it if you could take a look at this PR, no rush. Let me know if you have any questions. Thanks!

leog · 2023-09-27T16:44:36Z

Hey @devkiran. Great job so far. Found some things in the front-end, let me know if I should help you with any of these.
Also, in terms of back-end, adding some notes so we can ensure the path to take for this integration.

Front-end issues (cc our Head of Product @ciaranha):

[Medium] Error toast with env variables missing, maybe this should be kind of an empty screen of this section to show the blocker.
[Minor] Missing i18n
[Minor] Cutting field border
[Medium] Error toast about not having permission, also should be kind of an empty screen of this section to show the blocker.

Back-end notes

Per your description in the PR, I just wanted to confirm that for self-hosters, we want to sync users to the database without any connection to teams whatsoever.
- The tenant comes as "Cal.com" which signals users should be created without a linked team
Per your description in the PR, I just wanted to confirm that for Cal.com, we want to sync users to the database connecting them to a specific team.
- The tenant for a group "Acme" comes as "team-2" in my tests, we can't really infer to which team new users should be linked to on the hosted version.
Given the different events such as updating user attributes, deactivate users, sync password, what do you recommend to do in each event? For example, we don't have the ability to deactivate users, would it be safe to assume a deletion instead?
As we discussed, we need to define the connection between created users and organizations. We could make that connection based on the domain name of the email addresses of the users we get in the events. If there is an organization using "acme.com" email addresses, and an event user.created is triggered, and that user has an "acme.com" email address, then we create that user to be linked to that org. I guess this will also be working on Cal.com, not for self-hosters.

Thanks.

devkiran · 2023-10-03T05:28:07Z

@leog Thanks for reviewing the PR, I have added the changes you suggested.

Please see my comments below.

You're right about the self-hosted instance. We use the tenant ID as Cal.com; users created without any team.
The format we used here is ${tenantPrefix}${input.teamId}. The tenant prefix is team- and the team ID is 2, the tenant would be team-2. I followed it because this is what we used in SAML integration. We can change it as per your suggestion Refer
Here are the various events Jackson sent based on the changes that happened to the identity provider. You can safely remove the users if they are deactivated; you'll receive a 'users.updated' event with active: false. I can help you understand each events if needed.
Yes, I think that would work. Let me know if you need any help with that.

leog · 2023-10-03T20:24:52Z

@devkiran Thank you for replying. Understood the flows. I will see now who should be tackling the mapping with each event.

github-actions · 2023-10-05T20:25:03Z

Hey there, there is a merge conflict, can you take a look?

github-actions · 2023-10-05T20:25:05Z

Hey there, there is a merge conflict, can you take a look?

* Rename .env variables * Remove instances of old variable names * Add credential sync secret to request for new token * Update invalid secret message Co-authored-by: Keith Williams <keithwillcode@gmail.com> --------- Co-authored-by: Keith Williams <keithwillcode@gmail.com>

CarinaWolli

It looks good to me now 🙏 As it has the high-risk label I am waiting with my approval until someone from @calcom/foundation looks over it first

All requested changes are fixed

packages/features/ee/dsync/lib/createUserAndInviteToOrg.ts

packages/features/ee/dsync/lib/inviteExistingUserToOrg.ts

packages/features/ee/dsync/lib/removeUserFromOrg.ts

zomars · 2024-03-05T21:04:56Z

packages/features/settings/layouts/SettingsLayout.tsx

  if (tab.name === "security" && !HOSTED_CAL_FEATURES) {
    tab.children?.push({ name: "sso_configuration", href: "/settings/security/sso" });
+    // TODO: Enable dsync for self hosters
+    // tab.children?.push({ name: "directory_sync", href: "/settings/security/dsync" });


Do we need these comments? Since we already have it on line 103?

zomars · 2024-03-05T21:08:44Z

packages/trpc/server/routers/viewer/dsync/_router.tsx

+
+const UNSTABLE_HANDLER_CACHE: DsyncRouterHandlerCache = {};
+
+export const dsyncRouter = router({


Can we use the current desired boilerplate as done here? https://github.com/calcom/cal.com/pull/10849/files

Dsync routes shouldn't be public. I noticed that PR only made changes to the public router. I looked at the event type _router file and it's following the same convention.

packages/trpc/server/routers/viewer/teams/inviteMember/inviteMember.handler.ts

zomars · 2024-03-05T21:12:11Z

packages/trpc/server/routers/viewer/teams/inviteMember/utils.ts

  input,
 }: {
  usernameOrEmail: string;
  team: Awaited<ReturnType<typeof getTeamOrThrow>>;
  translation: TFunction;
-  ctx: { user: NonNullable<TrpcSessionUser> };
+  inviterName: string;


zomars

Some code quality comments in there. Still need to test locally.

devkiran added 5 commits September 5, 2023 18:29

add UI for SCIM implementation

1755980

add dsync APIs

baec67c

add scim path

f800ee9

Fix the team view

744f328

add user and team dsync view

310bd81

vercel bot deployed to Preview – ui September 6, 2023 07:40 View deployment

Merge branch 'calcom:main' into feat/scim-dsync

0055a9b

vercel bot deployed to Preview – ui September 6, 2023 11:05 View deployment

Merge branch 'main' into feat/scim-dsync

b43cb99

vercel bot deployed to Preview – ui September 7, 2023 18:00 View deployment

PeerRich assigned leog Sep 25, 2023

Merge branch 'main' into feat/scim-dsync

9b4556a

vercel bot deployed to Preview – ui October 2, 2023 11:58 View deployment

devkiran added 3 commits October 3, 2023 10:25

Display empty screen when env not set

e9086cc

Fix the i18n

cedce3a

Fix cutting field border

ac4897e

vercel bot deployed to Preview – ui October 3, 2023 05:09 View deployment

github-actions bot added the 🚨 merge conflict This PR has a merge conflict that has to be addressed label Oct 5, 2023

keithwillcode and others added 2 commits March 4, 2024 15:45

chore: Add index to Team.parentId (#13950)

91bcec6

joeauyeung force-pushed the feat/scim-dsync branch from 5178241 to 1ba9172 Compare March 4, 2024 20:45

github-actions bot added the ❗️ .env changes contains changes to env variables label Mar 4, 2024

vercel bot deployed to Preview – ai March 4, 2024 20:48 View deployment

joeauyeung added 2 commits March 4, 2024 15:56

Type fix

4c45a08

Merge branch 'main' into feat/scim-dsync

921cf3c

joeauyeung force-pushed the feat/scim-dsync branch from 04f572f to 921cf3c Compare March 4, 2024 20:57

Type fix

e142e4e

vercel bot deployed to Preview – api March 4, 2024 21:14 View deployment

joeauyeung requested a review from CarinaWolli March 4, 2024 22:01

CarinaWolli reviewed Mar 5, 2024

View reviewed changes