Autoprovisioning documentation #912
Conversation
|
|
||
| * Infinite Scale must be configured to use an external OpenID Connect IDP. | ||
| * The `graph` service must be configured to allow updating users and groups (`GRAPH_LDAP_SERVER_WRITE_ENABLED`). | ||
| * The IDP must return a unique value in the user's claims (as part of the userinfo response and/or the access tokens) that can be used to identify the user. This claim needs to be stable and cannot be changed for the whole lifetime of the user. That means, if a claim like `email` or `preferred_username` is used, you must ensure that the user's email address or username never changes. |
There was a problem hiding this comment.
you must ensure that the user's email address or username never changes.
Later you state:
If the user does already exist, the proxy will check if the user's email or displayname has changed and updates those accordingly via
graphservice.
So what is it now? Do I need to take care the email never changes or will it be updated automatically?
There was a problem hiding this comment.
The text is taken from owncloud/ocis#9458 which was created by @rhafer ...
If a fix is needed, we also need to do that in the ocis repo proxy service readme...
There was a problem hiding this comment.
As I understand it, the "claim" can be set to one of various data items. The selected data item then has to be a unique and unchanging "key" for the user. So, if email is selected, then the email address is the unique thing that identifies each user, and so changing the email address in the IDP is going to "lose" the user in ocis. But if some other data item is used as the "claim" unique identifier for the user, the the email address is just a piece of data about the user, and can change.
There was a problem hiding this comment.
The discussion shows that the text is not clear and must be fixed. I have filed an issue in the ocis repo.
|
|
||
| * Infinite Scale must be configured to use an external OpenID Connect IDP. | ||
| * The `graph` service must be configured to allow updating users and groups (`GRAPH_LDAP_SERVER_WRITE_ENABLED`). | ||
| * The IDP must return a unique value in the user's claims (as part of the userinfo response and/or the access tokens) that can be used to identify the user. This claim needs to be stable and cannot be changed for the whole lifetime of the user. That means, if a claim like `email` or `preferred_username` is used, you must ensure that the user's email address or username never changes. |
There was a problem hiding this comment.
As I understand it, the "claim" can be set to one of various data items. The selected data item then has to be a unique and unchanging "key" for the user. So, if email is selected, then the email address is the unique thing that identifies each user, and so changing the email address in the IDP is going to "lose" the user in ocis. But if some other data item is used as the "claim" unique identifier for the user, the the email address is just a piece of data about the user, and can change.
mmattel
force-pushed
the
Automatic_User_and_Group_Provisioning
branch
from
f71869d
to
cd7bea9
Compare
Fixes:
#888 (Autoprovisioning envvars documentation)
#885 (Update proxy service to manage autoprovisioning group memberships)
Add a proxy service documentation about
Automatic User and Group ProvisioningNo backport.