Uploaded image for project: 'OpenShift Request For Enhancement'
  1. OpenShift Request For Enhancement
  2. RFE-106

Automate group / membership from external IdP

    XMLWordPrintable

Details

    • Feature Request
    • Resolution: Done
    • Normal
    • None
    • None
    • Auth

    Description

      From BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1469173

      -What is the nature and description of the request?

      Group synchronization is only possible through a manual intervention or through a scheduled job that needs to be configured by the administrators (e.g. CronJobs).
      This only allows synchronization from an external LDAP and not from any other IdP supporting Groups and memberships, like RH SSO.

      After a user logs in for the first time, even though a synchronization has taken place, the user will only belong to the preconfigured groups (e.g. system:authenticated) but not to the groups the user belongs to in the IdP (or IdPs). Then the administrator should need to synchronize the groups again.

      -Why does the customer need this? (List the business requirements here)

      The customer has an Active Directory with more than 18.000 groups and also a RH SSO with this Active Directory configured and would like to be simplify and automate the synchronization after a membership is modified, a user is created or a user is logged into Openshift for the first time.

      -How would the customer like to achieve this? (List the functional requirements here)

      • As a user existing in the external IdP belonging to group A I would like to belong to the same groups after login into Openshift for the first time.
      • As an administrator I would like to be able to automate the group/membership synchronization or simplify it using the configuration.
      • As an administrator I would like to be able to synchronize groups/memberships from RH SSO

      -For each functional requirement listed, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented.

      • A user John belongs to group DEVELOPERS in the external IdP. Group DEVELOPERS already exists in Openshift and has the Admin role on project "Demo". When John logs into Openshift for the first time, he has admin role due to his membership to group DEVELOPERS
      • In the IdentityProviders configuration for the master-config.yaml file. The administrator can configure if he/she wants to automatically sync the groups and provide a frequency in a cron format
      • Openshift configured with RH SSO as one of its external IdP should be able to synchronize the existing groups of the realm used and all the existing memberships.

      -List any affected packages or components.
      Auth

      Attachments

        Issue Links

          is duplicated by

          Feature Request - Feature requests from customers and/or users RFE-4576 Offer Group Sync Operator as part of OpenShift Container Platform Subscription and support/maintain it

          • Critical - To be worked on immediately following BLOCKER issues.
          • Rejected
          is related to

          Feature Request - Feature requests from customers and/or users RFE-64 openid use claim as groups

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Rejected

          Story - Created by Jira Software - do not edit or delete. Issue type for a user story. AUTH-10 Azure Active Directory OIDC

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed
          relates to

          Epic - Created by Jira Software - do not edit or delete. Issue type for a big user story that needs to be broken down. AUTH-8 [Auth]Consume group membership information from an identity provider

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Feature Request - Feature requests from customers and/or users RFE-4118 Aggregated and Distributed Claims support in OpenShift Container Platform 4 for OpenID

          • Critical - To be worked on immediately following BLOCKER issues.
          • Deferred
          links to

          GitHub openshift/oauth-server#99: Gitlab OAuth Group Policy

          Activity

            People

              atelang@redhat.com Anjali Telang
              knewcome@redhat.com Kirsten Newcomer
              Votes:
              40 Vote for this issue
              Watchers:
              61 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: