bcgov / cloud-pathfinder

This is the technology and UX backend repo for the cloud pathfinder ZenHub task board
https://app.zenhub.com/workspaces/cloud-pathfinder-5e4dbb426c3c6af8dcbf06a7/board?repos=241742911
Creative Commons Zero v1.0 Universal

[Spike] Prototype and Validate SSO in tIDIR #3016

Open prabhukiran9999 opened 4 months ago

prabhukiran9999 commented 4 months ago

Steps to be added

  1. pre-step: Nick - Enterprise Application registration -> Needs permission to create groups.
  2. ⚠️ Reach out to ADMS to get permissions - ⚠️
  3. Disconnect Forge from Live IDIR
  4. Connect Forge to tIDIR
  5. Create groups - decide in naming structure (Is there a convention?)
  6. Adding users to groups
  7. Enabling AWS Sync
  8. Unknown to lift - 40-minute waiting period between Azure ID -> AWS permissions.
jon-mc-git commented 1 week ago

For #5 here, checking in with ADMS on the naming convention that we should align with to fit with OCIO standards for ease of operations, reading/understanding, and how we can incorporate a cloud-specific identifier in each to note the platform it's used for (example: AZ, AW, GC)

jon-mc-git commented 5 days ago

As per #5, we can follow the OCIO std we followed before creating these groups which would normally be PIM enabled, but in this case not (yet). So, we would simply not have the beginning part ('PIM_') in the naming convention - something like the following could be done: DO_PuC_123ldf12_AG_Mgmt_O, DO_PuC_123ldf12_AG_Dev_Devtest_C, DO_PuC_123ldf12_AG_Dev_Live_R, DO_PuC_123ldf12_AG_Billing_R, etc.

For groups created for AWS project sets, as per the above we could add in _AG, as in the following:

DO_PuC_AW_123ldf12_AG_Dev_DevTest_C, DO_PuC_AW_123ldf12_AG_Dev_Live_R, etc.

In Entra ID this would allow for easy query of what groups are specifically for AWS usage (or GCP) if needed, and query by project identifier as per usual.

Later, if we can get PIM enabled on these then the naming convention would simply be updated with std PIM indicator (example: PIM_DO_PuC_123ldf12_AG_Dev_C)
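Added example, not code from the issue or the cloud-pathfinder repo: a small Python parser for the group-naming pattern proposed in the comment above, so a script can check that proposed names conform and filter an exported list of groups by platform identifier or by project identifier, the kind of query the comment says Entra ID would allow. The pattern (optional PIM_ prefix, DO_PuC_, optional cloud identifier from AZ/AW/GC, project identifier, _AG_, role segments, trailing access letter) and the sample names are assumptions read off the examples in this thread; the meaning of the trailing access letter is not defined here, so it is only captured, not interpreted.

```python
import re
from typing import Dict, List, Optional

# Cloud identifiers proposed in the thread (AZ, AW, GC). Assumption: these are the
# only tokens allowed in the optional platform slot, which keeps the slot unambiguous
# against a project identifier that happens to start with two uppercase letters.
CLOUD_IDS = ("AZ", "AW", "GC")

# Pattern assumed from the examples in the comment:
#   [PIM_]DO_PuC_[<cloud>_]<project>_AG_<role>[_<sub-role>...]_<access-letter>
GROUP_NAME_RE = re.compile(
    r"^(?P<pim>PIM_)?"
    r"DO_PuC_"
    r"(?:(?P<cloud>" + "|".join(CLOUD_IDS) + r")_)?"
    r"(?P<project>[A-Za-z0-9]+)"
    r"_AG_"
    r"(?P<role>[A-Za-z]+(?:_[A-Za-z]+)*)"
    r"_(?P<access>[A-Z])$"
)

# Constructed sample: the names proposed in the thread plus two that do not conform
# (a legacy-style name and one missing the _AG_ segment).
SAMPLE_GROUPS = [
    "DO_PuC_123ldf12_AG_Mgmt_O",
    "DO_PuC_123ldf12_AG_Dev_Devtest_C",
    "DO_PuC_123ldf12_AG_Dev_Live_R",
    "DO_PuC_123ldf12_AG_Billing_R",
    "DO_PuC_AW_123ldf12_AG_Dev_DevTest_C",
    "DO_PuC_AW_123ldf12_AG_Dev_Live_R",
    "PIM_DO_PuC_123ldf12_AG_Dev_C",
    "AWS-Dev-Team",             # constructed: legacy name outside the convention
    "DO_PuC_123ldf12_Dev_C",    # constructed: missing the _AG_ segment
]


def parse_group_name(name: str) -> Optional[Dict[str, object]]:
    """Return the fields of a conforming group name, or None if it does not conform."""
    m = GROUP_NAME_RE.match(name)
    if m is None:
        return None
    return {
        "pim": m.group("pim") is not None,
        "cloud": m.group("cloud"),  # None when no platform identifier is present
        "project": m.group("project"),
        "role": m.group("role"),
        "access": m.group("access"),
    }


def groups_for_cloud(names: List[str], cloud: str) -> List[str]:
    """Names carrying the given platform identifier, e.g. 'AW' for AWS project sets."""
    return [n for n in names if (p := parse_group_name(n)) and p["cloud"] == cloud]


def groups_for_project(names: List[str], project: str) -> List[str]:
    """All conforming names that belong to one project identifier, any platform."""
    return [n for n in names if (p := parse_group_name(n)) and p["project"] == project]


def nonconforming(names: List[str]) -> List[str]:
    """Names that would need renaming before the convention can be relied on in queries."""
    return [n for n in names if parse_group_name(n) is None]


def to_pim_name(name: str) -> str:
    """Name for the later PIM-enabled state: add the PIM_ prefix exactly once."""
    parsed = parse_group_name(name)
    if parsed is None:
        raise ValueError(f"not a conforming group name: {name}")
    return name if parsed["pim"] else "PIM_" + name


if __name__ == "__main__":
    print("AWS groups:", groups_for_cloud(SAMPLE_GROUPS, "AW"))
    print("project 123ldf12:", groups_for_project(SAMPLE_GROUPS, "123ldf12"))
    print("non-conforming:", nonconforming(SAMPLE_GROUPS))
    print("PIM form:", to_pim_name("DO_PuC_123ldf12_AG_Dev_Live_R"))
```

Run it as a script to see the filtered lists; in practice the list of names would come from an Entra ID group export rather than the constructed sample. Restricting the platform slot to a fixed set is what keeps "query by project identifier" reliable: without it, a project identifier beginning with two capital letters could be mistaken for a platform tag.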

jon-mc-git commented 5 days ago

Also, we may want to add a place in the Registry where the PO can designate 2-3 senior people to be able to submit tickets and others who could Read all tickets for their project set subscriptions - i.e., where once added, people would be added to that project set's Support Request groups: DO_PuC_123ldf12_AG_SuppReq_C, DO_PuC_123ldf12_AG_SuppReq_R