Provide SCIM2 roles based outbound provisioning #5893
Conversation
|
PR builder started |
|
PR builder completed |
There was a problem hiding this comment.
Approving the pull request based on the successful pr build https://github.com/wso2/product-is/actions/runs/10630328699
| @@ -174,7 +175,16 @@ public boolean doPreSetUserClaimValues(String userName, Map<String, String> inbo | |||
| outboundAttributes); | |||
|
|
|||
| // set the in-bound attribute list. | |||
| provisioningEntity.setInboundAttributes(inboundAttributes); | |||
| Map<String, String> provisioningAttributes = new HashMap<>(inboundAttributes); | |||
| if (IdentityUtil.threadLocalProperties.get().get("newClaimList") instanceof HashMap<?,?>) { | |||
There was a problem hiding this comment.
Provide appropriate constant.
| List<String> roleListOfUser = getUserRoles(userName, tenantDomain); | ||
| if (userHasProvisioningRoles(roleListOfUser, provisioningRoleList, userName)) { | ||
| List<String> groupListOfUser = getUserGroups(userName, tenantDomain); | ||
| groupRoleListOfUser.addAll(groupListOfUser); |
There was a problem hiding this comment.
Provisioning allowed list contains list of role-uuids and group names
Ex: "2642fb7a-58df-4608-aff9-b90aa73bcc51,group2"
In order to check a matching role or group, the user roles and groups are combined.
| @@ -560,13 +561,19 @@ public static boolean isUserTenantBasedOutboundProvisioningEnabled() { | |||
| public static boolean isOutboundProvisioningEnabled(String serviceProviderIdentifier, | |||
| String tenantDomainName) throws IdentityApplicationManagementException { | |||
|
|
|||
| if (!isApplicationBasedOutboundProvisioningEnabled()) { | |||
There was a problem hiding this comment.
| /* After group role separation, the internal roles should be not be provisioned. Only groups should be | ||
| provisioned. | ||
| */ | ||
| if (isInternalRole(provisioningEntity.getEntityName(), tenantDomain)) { |
There was a problem hiding this comment.
Add a comment saying the entity name can be group name or role-uuid depending on group or role assignment for a user. Hence need to check whether group or role to only allow provisioning groups.
There was a problem hiding this comment.
Better way to stop role get provisioned.
| return; | ||
| } | ||
| ProvisioningServiceDataHolder.getInstance().getDefaultInboundUserProvisioningListener() | ||
| .doPostUpdateUserListOfRole(roleId, deletedUserNames, newUserNames, userStoreManager); |
There was a problem hiding this comment.
Check why this method didn't get invoked in previous way.
| @@ -679,7 +690,7 @@ private ProvisioningEntity getInboundProvisioningEntity(ProvisioningEntity provi | |||
| IdentityProvisioningConstants.USERNAME_CLAIM_URI, null, null, false), | |||
| Arrays.asList(new String[]{userName})); | |||
| } | |||
| List<String> roleListOfUser = getUserRoles(userName, tenantDomain); | |||
| List<String> roleListOfUser = getUserGroups(userName, tenantDomain); | |||
There was a problem hiding this comment.
Can we change the variable name also accordingly?
Proposed changes in this pull request
The SCIM2 role based outbound provisioning is provide by this PR.
When role updates, a listener is introduced to be executed to provision the users to the outbound connectors.
Related Issues
The role based outbound provisioning worked for both groups and roles previously. A coma separated role name list is passed in the API payload.
But with IS 7.0, role name is not unique in a given tenant. Hence role uuid is used when referring roles.
The group based outbound provisioning can be separately handled (Adding another column or IDP property to keep the groups for outbound provisioning) instead of having under the list of outbound roles, but in this PR the roles& groups still kept in same list and process.