Project: Ansible Automation Platform RFEs
Issue: AAPRFE-1541

Provide EntraID mapping from user to teams based on the groups it belongs to using OIDC


    • Type: Feature Request
    • Resolution: Unresolved
    • Component: controller

      1. What is the nature and description of the request?

      When using OIDC integration with EntraID, the user is authenticated but there is currently no support for team and organization mappings for OIDC (https://docs.ansible.com/automation-controller/latest/html/administration/ent_auth.html#generic-oidc-settings).

      However, it is there using SAML (see SAML Organization and Team Attribute Mapping https://docs.ansible.com/automation-controller/latest/html/administration/ent_auth.html#saml-settings).

      EntraID provides group mapping in the OIDC response (using JWT fields of the token: https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-fed-group-claims).

      Some customers have policies that permit only OIDC access to Entra ID.

      2. Why does the customer need this?

      The customer's security team mandates that authorization be based on the Entra ID group structure, and only OIDC is offered for integrating with it.

      3. How would you like to achieve this?

      Similarly to the approach used with SAML (organization and team attribute mapping), but driven by the group claims in the OIDC token.
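To make the requested behaviour concrete, the following is an added example (hypothetical code, not part of the automation controller) of how an Entra ID `groups` claim in an already-verified ID token could be mapped onto organization/team membership using a setting shaped like the existing SAML team attribute mapping. The `OIDC_TEAM_ATTR` setting, the group IDs, and the token are all constructed for the example; the `_claim_names` / `_claim_sources` handling reflects the Entra ID group overage behaviour described in the linked Microsoft documentation.

```python
"""Added example: mapping Entra ID group claims from an OIDC ID token to
controller organizations/teams, modelled on the SAML team attribute mapping.
Hypothetical code, not part of the automation controller."""
from __future__ import annotations

import base64
import json
from dataclasses import dataclass, field

# Constructed placeholders standing in for Entra ID group object IDs.
G_NET = "grp-network-admins"
G_SOC = "grp-soc-analysts"
G_AUD = "grp-auditors"

# Hypothetical setting with the same shape as SOCIAL_AUTH_SAML_TEAM_ATTR, but
# keyed on a JWT claim instead of a SAML assertion attribute (assumption).
OIDC_TEAM_ATTR = {
    "claim": "groups",   # JWT claim carrying the user's group object IDs
    "remove": True,      # drop membership in mapped teams the token no longer asserts
    "team_org_map": [
        {"team": "Network Admins", "organization": "Infra", "claim_value": G_NET},
        {"team": "SOC", "organization": "Security", "claim_value": G_SOC},
        {"team": "Auditors", "organization": "Infra", "claim_value": G_AUD},
    ],
}


class GroupOverageError(Exception):
    """Entra ID omitted the groups claim because the user exceeds the group limit."""


@dataclass
class TeamMapping:
    grant: set[tuple[str, str]] = field(default_factory=set)   # (organization, team) to add
    revoke: set[tuple[str, str]] = field(default_factory=set)  # (organization, team) to remove


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def build_unsigned_token(payload: dict) -> str:
    """Constructed ID token for offline use: header.payload.<dummy signature>."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(payload).encode())}.sig"


def decode_payload(token: str) -> dict:
    """Decode the JWT payload without any signature check. Only call this on a
    token the OIDC library has already validated (signature, issuer, audience,
    expiry); group claims from an unverified token must never drive authorization."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def extract_groups(claims: dict, claim_name: str = "groups") -> list[str]:
    """Return group IDs from the token, detecting the Entra ID overage case."""
    if claim_name not in claims and claim_name in claims.get("_claim_names", {}):
        # When the user belongs to more groups than fit in the token, Entra ID
        # replaces the groups claim with a pointer into _claim_sources. Treating
        # that as "no groups" would silently revoke every mapped team when
        # "remove" is enabled, so the caller must fetch membership from Graph.
        raise GroupOverageError("groups claim deferred to _claim_sources; query Graph")
    value = claims.get(claim_name, [])
    if isinstance(value, str):  # tolerate a single value serialized as a string
        value = [value]
    return [str(v) for v in value]


def map_teams(claims: dict, config: dict = OIDC_TEAM_ATTR) -> TeamMapping:
    """Apply team_org_map to the token's groups, mirroring the SAML semantics:
    matched entries are granted; unmatched entries are revoked only if "remove" is set."""
    groups = set(extract_groups(claims, config["claim"]))
    result = TeamMapping()
    for entry in config["team_org_map"]:
        key = (entry["organization"], entry["team"])
        if entry["claim_value"] in groups:
            result.grant.add(key)
        elif config.get("remove", False):
            result.revoke.add(key)
    return result


if __name__ == "__main__":
    token = build_unsigned_token({"sub": "user1", "groups": [G_NET, G_SOC]})
    print(map_teams(decode_payload(token)))
```

The `remove` flag matters for least privilege: with it set, a user removed from a group in Entra ID loses the corresponding team on next login, which is the same behaviour the SAML mapping offers today.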

      4. List any affected known dependencies: Doc, UI etc.
      5. GitHub link, if any

            bcoursen@redhat.com Brian Coursen
            rgordill1@redhat.com Ramon Gordillo Gutierrez