OpenShift Request For Enhancement: RFE-106

Automate group / membership from external IdP


    • Type: Feature Request
    • Resolution: Done
    • Priority: Normal
    • Auth

      From BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1469173

      -What is the nature and description of the request?

      Group synchronization is only possible through manual intervention or through a scheduled job that the administrators have to configure themselves (e.g. CronJobs).
      This only allows synchronization from an external LDAP server and not from any other IdP that supports groups and memberships, such as RH SSO.

      After a user logs in for the first time, even if a synchronization has already taken place, the user only belongs to the preconfigured groups (e.g. system:authenticated) and not to the groups the user belongs to in the IdP (or IdPs). The administrator then has to synchronize the groups again.

      -Why does the customer need this? (List the business requirements here)

      The customer has an Active Directory with more than 18,000 groups and also an RH SSO instance with this Active Directory configured, and would like to simplify and automate the synchronization whenever a membership is modified, a user is created, or a user logs into OpenShift for the first time.

      -How would the customer like to achieve this? (List the functional requirements here)

      • As a user existing in the external IdP and belonging to group A, I would like to belong to the same groups after logging into OpenShift for the first time.
      • As an administrator, I would like to be able to automate the group/membership synchronization, or simplify it through configuration.
      • As an administrator, I would like to be able to synchronize groups/memberships from RH SSO.

      -For each functional requirement listed, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented.

      • A user John belongs to group DEVELOPERS in the external IdP. Group DEVELOPERS already exists in OpenShift and has the Admin role on project "Demo". When John logs into OpenShift for the first time, he has the admin role due to his membership in group DEVELOPERS.
      • In the IdentityProviders configuration of the master-config.yaml file, the administrator can configure whether the groups should be synchronized automatically and provide a frequency in cron format.
      • OpenShift configured with RH SSO as one of its external IdPs should be able to synchronize the existing groups of the realm in use and all of their existing memberships.
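      As an added illustration (not code from this RFE or from OpenShift), a toy Python model of the login-time reconciliation the requirements above describe, using the John / DEVELOPERS / "Demo" acceptance scenario as constructed input; the group and role-binding structures are simplified stand-ins for the cluster objects, not the OpenShift API:

```python
"""Toy model of login-time group sync (added example, not OpenShift code).

The dictionaries below are constructed stand-ins: a Group object is modelled as
group name -> set of user names, and a RoleBinding as a (namespace, role,
subject kind, subject name) tuple. Virtual groups such as system:authenticated
are not Group objects and are deliberately not modelled.
"""

# Constructed cluster state: DEVELOPERS already exists and is bound to admin on Demo.
OPENSHIFT_GROUPS = {"DEVELOPERS": {"alice"}, "OPS": {"bob"}}
ROLE_BINDINGS = [
    ("Demo", "admin", "Group", "DEVELOPERS"),
    ("Demo", "view", "Group", "OPS"),
]


def sync_user_groups(user, idp_groups, groups, create_missing=False):
    """Reconcile one user's cluster group memberships with the groups the IdP reports.

    Returns (added_to, removed_from). IdP groups with no matching cluster Group are
    skipped unless create_missing=True, which matches the scenario above where
    DEVELOPERS is expected to exist beforehand.
    """
    idp_groups = set(idp_groups)
    added, removed = [], []
    for name in sorted(idp_groups):
        if name not in groups:
            if not create_missing:
                continue
            groups[name] = set()
        if user not in groups[name]:
            groups[name].add(user)
            added.append(name)
    # Drop memberships the IdP no longer reports so stale access does not linger.
    for name, members in groups.items():
        if user in members and name not in idp_groups:
            members.discard(user)
            removed.append(name)
    return added, sorted(removed)


def roles_for(user, namespace, groups, bindings):
    """Resolve the roles a user holds in a namespace through group-subject bindings."""
    member_of = {g for g, users in groups.items() if user in users}
    return sorted(role for ns, role, kind, subj in bindings
                  if ns == namespace and kind == "Group" and subj in member_of)


if __name__ == "__main__":
    print(roles_for("john", "Demo", OPENSHIFT_GROUPS, ROLE_BINDINGS))  # [] before sync
    print(sync_user_groups("john", ["DEVELOPERS", "QA"], OPENSHIFT_GROUPS))
    print(roles_for("john", "Demo", OPENSHIFT_GROUPS, ROLE_BINDINGS))  # ['admin'] after sync
```

      Without the sync step John holds no role on "Demo" even though the binding for DEVELOPERS exists; once his IdP membership is reconciled into the cluster Group, the existing RoleBinding grants admin with no manual re-sync.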

      -List any affected packages or components.

            atelang@redhat.com Anjali Telang
            knewcome@redhat.com Kirsten Newcomer