Grid Operations Configuration Management Database. A Repository, Portal and REST style API for managing Grid and Cloud topology objects including; projects, administrative domains, sites, services, service-endpoints, service-groups, downtimes, users, roles and business rules.
Apache License 2.0
12
stars
27
forks
source link
Extend account linking to allow multiple identifiers of the same type? #378
There are use cases where a user would want to link multiple identifiers of the same type to the same GOCDB account, see related GGUS Ticket.
The identity linking could be extended to cover this case, there may be some parts of the code that assume only one identifier of the same type will exist per user but that feels like it should be tractable. How multiple identifiers of the same type would be exposed to via the API would also have to be considered.
That said, this feels like it would be of most benefit for X.509 users wanting to link multiple certificate DNs to a single GOCDB accounts. Accounting linking at the IdP level (i.e. via Check-In) feels more appropriate for non-X.509 users. We should consider the general move away from X.509 certificates when determining how to proceed here.
gregcorbett
commented
1 year ago
There are use cases where a user would want to link multiple identifiers of the same type to the same GOCDB account, see related GGUS Ticket.
The identity linking could be extended to cover this case, there may be some parts of the code that assume only one identifier of the same type will exist per user but that feels like it should be tractable. How multiple identifiers of the same type would be exposed to via the API would also have to be considered.
That said, this feels like it would be of most benefit for X.509 users wanting to link multiple certificate DNs to a single GOCDB accounts. Accounting linking at the IdP level (i.e. via Check-In) feels more appropriate for non-X.509 users. We should consider the general move away from X.509 certificates when determining how to proceed here.