Feature - add Support to Idp Groups about featurehub HOT 6 OPEN

I want to introduce a new feature in a group page that allows users to configure a mapping between a specific role and a group. When this feature is enabled, a new field will become available where users can specify the role associated with that particular group.

During the login process, the system will check the role value for user and map them to the appropriate group based on that value. For example, if a FeatureHub group called "DevOnly" on "Portfiolio1" is mapped to an IDP group called "FeatureHub-portfolio1-DevOnly," the system will automatically add the user with the "FeatureHub-portfolio1-DevOnly" role to the "DevOnly" group.

from featurehub.

Hi there! Just trying to probe into this ticket a bit more as I'm not sure quite what you need.

Is it intended to precreate users? You could do that using the API, and you may wish to do so as they won't have any access to anything by default.

The other thing I was thinking is you might be suggesting to prevent people logging on if they don't have the right corporate groups? If so we recommend using SAML for that as you can configure that easily on your side.

If neither of these suggestions is correct or suitable, if you could point me too some documentation where I might get a better understanding?

from featurehub.

Hi there! Just trying to probe into this ticket a bit more as I'm not sure quite what you need.

Is it intended to precreate users? You could do that using the API, and you may wish to do so as they won't have any access to anything by default.

No, by default this auth.userMustBeCreatedFirst take care of this

The other thing I was thinking is you might be suggesting to prevent people logging on if they don't have the right corporate groups? If so we recommend using SAML for that as you can configure that easily on your side.

SAML is not an option I need this on OAuth2, on IDP we have corporate groups, i need to assign groups from there and during login, these groups are recieved on featurehub as claim, and update groups on featurehub, the "control" of group by default are only in my IDP (IBM IAM), a corporate rule, Authorization user<>group are in IDP not in FeatureHub, in Featurehub only control group<>role

If neither of these suggestions is correct or suitable, if you could point me too some documentation where I might get a better understanding?

Something like role mapping on grafana, with recieve from Oauth IDP the role claim with the group equivalent in platform
https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/generic-oauth/#role-mapping

from featurehub.

Thanks for the extra info.

Because of the feature rich nature of our permissions system, we have discounted supporting this kind of capability because we cannot see how it would work. We would need more real life specific examples.

I can see from the link you showed in Grafana what you mean, but FeatureHub portfolio/group permission mapping would be required here - one presumes your claims would need to support the portfolio and groups for each set of permissions? How would you see it working more precisely? Does your IBM IAM support SCIM and would that be a better way to support it?

Thanks!
Richard

from featurehub.

How have you gotten on with the development for this?

from featurehub.

we are developing a proxy api between the identity provider group management webook and the featurehub management api, so users and groups are synchronized.

from featurehub.