[FR] Autoprovision groups based on userinfo

bcskda commented 1 year ago

Hello

Currently autoprovisioning adds new users to a configuration-defined set of groups:

'auto-provision' => [
  'groups': ['employees']
]

Would you be interested in managing user's groups based on a userinfo claim? E.g., add a configuration option 'auto-provision' => [ 'groups-claim': 'groups' ] Then, if configured,

treat the userinfo claim as a list of gid's
add the user to specified groups that exist
remove the user from extra ones

For current 'groups' => ['employees'] configurations, keep the same logic "add during user creation"

Both scenarios would be available and interchangeable:

groups -> groups-claim transition would require administrators to configure their IdP and update existing user profiles on IdP side
groups-claim -> groups transition would disable groups synchronization for existing profiles and work as expected for new profiles

The groups and groups-claim should probably be mutually exclusive

Are there any concerns with LDAP integration or any other source of group membership?

In case this is ok, I am willing to implement

bcskda commented 1 year ago

Anyway, this seems to work in our environment. Feel free to apply

https://gitlab.com/fpmi/owncloud-openidconnect/-/compare/8160194b3115717520dd695d89813c32234cc018...master?from_project_id=47930992&straight=false

alex-metcalfe-358 commented 1 year ago

Is this implemented in the current release?

danthonywalker commented 2 months ago

Anyway, this seems to work in our environment. Feel free to apply

https://gitlab.com/fpmi/owncloud-openidconnect/-/compare/8160194b3115717520dd695d89813c32234cc018...master?from_project_id=47930992&straight=false

Has this been merged into this project?

DeepDiver1975 commented 2 months ago

Has this been merged into this project?

no pull request - no merge :shrug:

owncloud / openidconnect

[FR] Autoprovision groups based on userinfo #300