Currently autoprovisioning adds new users to a configuration-defined set of groups:
'auto-provision' => [
    'groups' => ['employees']
]
Would you be interested in managing users' groups based on a userinfo claim?
E.g., add a configuration option 'auto-provision' => [ 'groups-claim' => 'groups' ]
Then, if configured,
treat the userinfo claim as a list of gids
add the user to specified groups that exist
remove the user from extra ones
For current 'groups' => ['employees'] configurations, keep the same logic "add during user creation"
Both scenarios would be available and interchangeable:
groups -> groups-claim transition would require administrators to configure their IdP and update existing user profiles on the IdP side
groups-claim -> groups transition would disable groups synchronization for existing profiles and work as expected for new profiles
The groups and groups-claim should probably be mutually exclusive
Are there any concerns with LDAP integration or any other source of group membership?
Hello
In case this is ok, I am willing to implement
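
The reconciliation proposed above, sketched as an added example; it is not part of the original post or the project's code. The function name planGroupSync, its parameters and the sample data are hypothetical, and rejecting a missing or non-list claim (instead of removing every group) is an assumption.

```php
<?php
declare(strict_types=1);

/**
 * Plan group changes for one login (hypothetical helper, not project code).
 * $cfg is the 'auto-provision' array, $claims the decoded userinfo response,
 * $current the user's groups, $existing all local gids.
 */
function planGroupSync(array $cfg, array $claims, array $current, array $existing, bool $isNewUser): array
{
    $hasStatic = isset($cfg['groups']);
    $hasClaim  = isset($cfg['groups-claim']);
    if ($hasStatic && $hasClaim) {
        throw new InvalidArgumentException("'groups' and 'groups-claim' are mutually exclusive");
    }
    if ($hasStatic) {
        // Existing behaviour: add during user creation only, never remove.
        $add = $isNewUser ? array_diff($cfg['groups'], $current) : [];
        return ['add' => array_values($add), 'remove' => []];
    }
    if (!$hasClaim) {
        return ['add' => [], 'remove' => []];
    }
    $raw = $claims[$cfg['groups-claim']] ?? null;
    if (!is_array($raw)) {
        // Assumption: a missing or malformed claim is an IdP-side error, so no
        // membership is changed. An empty list is valid and removes all groups.
        throw new UnexpectedValueException('groups claim is missing or not a list');
    }
    // Keep only string gids that already exist locally; nothing is auto-created.
    $wanted = array_intersect(array_unique(array_filter($raw, 'is_string')), $existing);
    return [
        'add'    => array_values(array_diff($wanted, $current)),
        'remove' => array_values(array_diff($current, $wanted)),
    ];
}

// Constructed sample data: one unknown gid and one non-string entry in the claim.
$plan = planGroupSync(
    ['groups-claim' => 'groups'],
    ['sub' => 'alice', 'groups' => ['employees', 'finance', 'no-such-group', 42]],
    ['employees', 'contractors'],
    ['employees', 'finance', 'contractors', 'admin'],
    false
);
print_r($plan);
```

The remove list covers every current group absent from the claim, including memberships that came from another source such as LDAP, which is the concern the post raises.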