Autoprovisioning documentation #912
* Infinite Scale must be configured to use an external OpenID Connect IDP. | ||
* The `graph` service must be configured to allow updating users and groups (`GRAPH_LDAP_SERVER_WRITE_ENABLED`). | ||
* The IDP must return a unique value in the user's claims (as part of the userinfo response and/or the access tokens) that can be used to identify the user. This claim needs to be stable and cannot be changed for the whole lifetime of the user. That means, if a claim like `email` or `preferred_username` is used, you must ensure that the user's email address or username never changes. |
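Review bot: the third bullet's requirement that the user's email address or username "never changes" when `email` or `preferred_username` is the identifying claim reads as contradicting the later statement that the proxy updates a changed email or displayname via the graph service, and reviewers on this thread already read it both ways. Suggest splitting the bullet into two cases: the value of the claim selected as the identifier must never change, because a changed value is treated as a different user and the existing account is no longer reachable; other attributes such as email and displayname are synced on login and may change freely. For the same reason, consider recommending a stable, opaque claim over `email` or `preferred_username` as the identifier.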
"you must ensure that the user's email address or username never changes."
Later you state:
"If the user does already exist, the proxy will check if the user's email or displayname has changed and updates those accordingly via `graph` service."
So what is it now? Do I need to take care the email never changes or will it be updated automatically?
The text is taken from owncloud/ocis#9458 which was created by @rhafer ...
If a fix is needed, we also need to do that in the ocis repo proxy service readme...
As I understand it, the "claim" can be set to one of various data items. The selected data item then has to be a unique and unchanging "key" for the user. So, if `email` is selected, then the email address is the unique thing that identifies each user, and so changing the email address in the IDP is going to "lose" the user in ocis. But if some other data item is used as the "claim" unique identifier for the user, then the email address is just a piece of data about the user, and can change.
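To make that distinction concrete, here is an added Go sketch of the lookup-then-create-or-update flow the docs describe (example code, not ocis code; the `Claims` and `Store` types and the `Provision` function are assumptions of this example). With a stable claim such as `sub` as the key, an email change is synced onto the existing account; with `email` itself as the key, the same change produces a second account and orphans the first.

```go
package main

import "fmt"

// Claims stands in for the subset of an OIDC userinfo response the proxy
// inspects (assumption of this example, not an ocis type).
type Claims map[string]string
// User is a minimal stand-in for an account managed via the graph service.
type User struct {
	Key         string // value of the identifying claim at creation time
	Email       string
	DisplayName string
}
// Store is an in-memory directory keyed by the configured identifying claim.
type Store struct {
	IdentClaim string
	Users      map[string]*User
}

func NewStore(identClaim string) *Store {
	return &Store{IdentClaim: identClaim, Users: map[string]*User{}}
}

// Provision follows the documented flow: look the user up by the identifying
// claim; create the account if absent, otherwise sync email and displayname.
// The bool reports whether a new account was created.
func (s *Store) Provision(c Claims) (*User, bool, error) {
	key := c[s.IdentClaim]
	if key == "" {
		return nil, false, fmt.Errorf("identifying claim %q missing from token", s.IdentClaim)
	}
	if u, ok := s.Users[key]; ok {
		u.Email, u.DisplayName = c["email"], c["name"] // attributes may change
		return u, false, nil
	}
	u := &User{Key: key, Email: c["email"], DisplayName: c["name"]}
	s.Users[key] = u
	return u, true, nil
}

func main() {
	// Constructed sample claims: same subject, email changed between logins.
	first := Claims{"sub": "u1", "email": "a@example.org", "name": "Ann"}
	moved := Claims{"sub": "u1", "email": "ann@example.org", "name": "Ann"}
	for _, claim := range []string{"sub", "email"} {
		s := NewStore(claim)
		s.Provision(first)
		_, created, _ := s.Provision(moved)
		fmt.Printf("key=%s: email change created a new account: %v (accounts: %d)\n", claim, created, len(s.Users))
	}
}
```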
The discussion shows that the text is not clear and must be fixed. I have filed an issue in the ocis repo.
Fixes:
* #888 (Autoprovisioning envvars documentation)
* #885 (Update proxy service to manage autoprovisioning group memberships)
Add proxy service documentation about Automatic User and Group Provisioning.
No backport.