Role/Group mapping of a user at the RP side for access controls or contextual policies

[amonika230995]

There is also a very common requirement in IAM space around Group/role mapping of the user. i.e., the IDP mentions which role/Group the user belongs to and RP maps this at it's end to provide access and set policies.

Ideally I understand that SCIM is used to generally to provision users and we have mentioned JIT is out of scope for IPSIE. But group mapping at the time of user login is real time and I feel it should be part of this spec.

Probably we should make it a standard in OIDC SL1.

[deansaxe]

@amonika230995 Please see the IPSIE Levels doc where we've captured the outcomes for the proposed IPSIE levels. Groups and roles are handled at IL2/3.

Since we're not going to tackle JIT provisioning in IPSIE - we acknowledge it happens and that the JITed account needs to be put under active management - specifying a mechanism for group/role assignment while JITing a user appears out of scope. However, if others are interested in pursuing this in SL* and believe it is in scope, let's talk about it.

[deansaxe]

Closing with no actions to be taken.