Feature - add Support to Idp Groups

[felpasl]

Is your feature request related to a problem? Please describe.
Sync users from an Oauth Provider with Identity Provider Groups

Describe the solution you'd like

• On the OAuth Config, specify the group claim to be read.
• If the specified claim is set, on FeatureHub groups, add a field to inform the value of the group claim is coming from IPD.
• During logging, change the group accepting IPD Corporate Groups.

Describe alternatives you've considered
Using FeatureHub API, write a code to sync from idp using the /mr-api/person endpoint with auth.userMustBeCreatedFirst=false config.

[rvowles]

Hi there! Just trying to probe into this ticket a bit more as I'm not sure quite what you need.

Is it intended to precreate users? You could do that using the API, and you may wish to do so as they won't have any access to anything by default.

The other thing I was thinking is you might be suggesting to prevent people logging on if they don't have the right corporate groups? If so we recommend using SAML for that as you can configure that easily on your side.

If neither of these suggestions is correct or suitable, if you could point me too some documentation where I might get a better understanding?

[felpasl]

Hi there! Just trying to probe into this ticket a bit more as I'm not sure quite what you need.

Is it intended to precreate users? You could do that using the API, and you may wish to do so as they won't have any access to anything by default.

No, by default this auth.userMustBeCreatedFirst take care of this

The other thing I was thinking is you might be suggesting to prevent people logging on if they don't have the right corporate groups? If so we recommend using SAML for that as you can configure that easily on your side.

SAML is not an option I need this on OAuth2, on IDP we have corporate groups, i need to assign groups from there and during login, these groups are recieved on featurehub as claim, and update groups on featurehub, the "control" of group by default are only in my IDP (IBM IAM), a corporate rule, Authorization user<>group are in IDP not in FeatureHub, in Featurehub only control group<>role

If neither of these suggestions is correct or suitable, if you could point me too some documentation where I might get a better understanding?

Something like role mapping on grafana, with recieve from Oauth IDP the role claim with the group equivalent in platform
https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/generic-oauth/#role-mapping

[rvowles]

Thanks for the extra info.

Because of the feature rich nature of our permissions system, we have discounted supporting this kind of capability because we cannot see how it would work. We would need more real life specific examples.

I can see from the link you showed in Grafana what you mean, but FeatureHub portfolio/group permission mapping would be required here - one presumes your claims would need to support the portfolio and groups for each set of permissions? How would you see it working more precisely? Does your IBM IAM support SCIM and would that be a better way to support it?

Thanks!
Richard

[felpasl]

I want to introduce a new feature in a group page that allows users to configure a mapping between a specific role and a group. When this feature is enabled, a new field will become available where users can specify the role associated with that particular group.

During the login process, the system will check the role value for user and map them to the appropriate group based on that value. For example, if a FeatureHub group called "DevOnly" on "Portfiolio1" is mapped to an IDP group called "FeatureHub-portfolio1-DevOnly," the system will automatically add the user with the "FeatureHub-portfolio1-DevOnly" role to the "DevOnly" group.

[rvowles]

How have you gotten on with the development for this?

[felpasl]

we are developing a proxy api between the identity provider group management webook and the featurehub management api, so users and groups are synchronized.