gravitational / teleport

The easiest, and most secure way to access and protect all of your infrastructure.
https://goteleport.com
GNU Affero General Public License v3.0

Allow mapping of multiple values/attributes to single role for OIDC/SAML connectors. #5531

Open deusxanima opened 3 years ago

deusxanima commented 3 years ago

Feature Request

Allow mapping of multiple values/attributes to a single role for OIDC/SAML connectors. We currently allow a single value to be mapped to multiple roles, but it would be useful to have the reverse functionality as well.

Motivation

Multiple customers have expressed interest in being able to map multiple values/attributes to a single role when using OIDC/SAML connectors. Specifically, it would be useful for cases where a customer may have one SAML attribute which defines the application a user has access to, and another for whether they have access to production.

Right now customers are working around the limitation either by leveraging labels and mapping users to very specific roles based on environment and internal organization role (this requires a lot of work and careful mapping on the front end and is not very easy to modify and change on the fly once rolled out company-wide), or by having to leverage macro attributes to concatenate multiple attributes (not ideal, as not every provider includes this functionality and not all customers have admin access to the IdP).

Who's it for?

Enterprise

russjones commented 3 years ago

@Aharic Can you add some examples?

sunghospark-calm commented 2 years ago

I have an example to share. We currently have a dev role that can only access the dev environment by default, which is mapped to the Engineering group in Okta. For a developer to access the production role, they need to escalate, and this escalation role is mapped to the PHI group in Okta. The PHI group is basically the group that can access production data by legal requirement.

The part I'm working on now is to create a new role that would have production access by default. This role, in theory, would be for anyone in the data-engineering group AND the PHI group in Okta, but I'm not sure if this is possible at the moment without the feature being discussed here.
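The union-versus-conjunction gap described in this thread, as an added example that is not part of the issue and not Teleport's own code: a small Python model of how a connector's attributes_to_roles entries (claims_to_roles for OIDC) are evaluated today, where every matching entry adds its roles and the user ends up with the union, placed next to a hypothetical all_of rule shape that would express the requested AND. The Okta group names come from the comments above; the all_of key, the role names, the sample assertions and the glob matching are assumptions for illustration and are not Teleport configuration.

```python
from fnmatch import fnmatchcase

# Entries shaped like the `attributes_to_roles` list of a Teleport SAML
# connector. Group names are taken from the Okta example in this thread;
# the role names are constructed for illustration.
ATTRIBUTES_TO_ROLES = [
    {"name": "groups", "value": "Engineering", "roles": ["dev"]},
    {"name": "groups", "value": "PHI", "roles": ["prod-escalation"]},
]


def map_roles(attributes, rules):
    """Model of today's semantics: every rule whose attribute/value matches
    contributes its roles, and the user receives the union (order kept).
    `value` is matched as a glob here, a simplification of the wildcard and
    regex matching the real connector performs."""
    roles = []
    for rule in rules:
        values = attributes.get(rule["name"], [])
        if any(fnmatchcase(v, rule["value"]) for v in values):
            for role in rule["roles"]:
                if role not in roles:
                    roles.append(role)
    return roles


# Hypothetical rule shape (an assumption, not a Teleport feature): every
# name/value pair under `all_of` must match before `roles` are granted.
# This is the conjunction the feature request asks for.
CONJUNCTION_RULES = [
    {
        "all_of": [
            {"name": "groups", "value": "data-engineering"},
            {"name": "groups", "value": "PHI"},
        ],
        "roles": ["prod-default"],
    },
]


def map_roles_all_of(attributes, rules):
    """Hypothetical conjunction semantics: a rule fires only when each of its
    `all_of` conditions matches at least one value of that attribute."""
    roles = []
    for rule in rules:
        if all(
            any(fnmatchcase(v, cond["value"]) for v in attributes.get(cond["name"], []))
            for cond in rule["all_of"]
        ):
            for role in rule["roles"]:
                if role not in roles:
                    roles.append(role)
    return roles


if __name__ == "__main__":
    # Constructed SAML assertions: the Okta groups each sample user carries.
    engineer = {"groups": ["Engineering"]}
    escalated_engineer = {"groups": ["Engineering", "PHI"]}
    data_engineer = {"groups": ["data-engineering"]}
    data_engineer_phi = {"groups": ["data-engineering", "PHI"]}

    print(map_roles(engineer, ATTRIBUTES_TO_ROLES))            # ['dev']
    print(map_roles(escalated_engineer, ATTRIBUTES_TO_ROLES))  # ['dev', 'prod-escalation']

    # The closest union-only approximation grants prod-default to every data
    # engineer, PHI membership or not: the AND cannot be expressed this way.
    union_attempt = ATTRIBUTES_TO_ROLES + [
        {"name": "groups", "value": "data-engineering", "roles": ["prod-default"]}
    ]
    print(map_roles(data_engineer, union_attempt))             # ['prod-default'] (over-grant)

    print(map_roles_all_of(data_engineer, CONJUNCTION_RULES))      # []
    print(map_roles_all_of(data_engineer_phi, CONJUNCTION_RULES))  # ['prod-default']
```

The point the model makes is that with union semantics the only way to reach "production by default" for data engineers is a rule keyed on a single group, which over-grants to members of that group who are not in PHI; a conjunction rule evaluates both memberships before granting anything, which is the behaviour the request describes.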