Provide SCIM2 roles based outbound provisioning #5893
Conversation
PR builder started
PR builder completed
Approving the pull request based on the successful pr build https://github.com/wso2/product-is/actions/runs/10630328699
@@ -174,7 +175,16 @@ public boolean doPreSetUserClaimValues(String userName, Map<String, String> inbo | |||
outboundAttributes); | |||
|
|||
// set the in-bound attribute list. | |||
provisioningEntity.setInboundAttributes(inboundAttributes); | |||
Map<String, String> provisioningAttributes = new HashMap<>(inboundAttributes); | |||
if (IdentityUtil.threadLocalProperties.get().get("newClaimList") instanceof HashMap<?,?>) { |
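Review bot: the lookup `IdentityUtil.threadLocalProperties.get().get("newClaimList")` uses a bare string key and then tests `instanceof HashMap<?,?>`; move the key into a named constant shared with the code that sets it, and test against `Map` rather than `HashMap` so any map implementation stored there is accepted. A thread-local handoff like this also needs a comment saying where the value is set and who clears it, since a stale entry on a pooled thread would carry claim values from one request into the next.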
Provide appropriate constant.
List<String> roleListOfUser = getUserRoles(userName, tenantDomain); | ||
if (userHasProvisioningRoles(roleListOfUser, provisioningRoleList, userName)) { | ||
List<String> groupListOfUser = getUserGroups(userName, tenantDomain); | ||
groupRoleListOfUser.addAll(groupListOfUser); |
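Review bot: `getUserGroups(userName, tenantDomain)` is only called inside the branch guarded by `userHasProvisioningRoles(roleListOfUser, provisioningRoleList, userName)`, so the group list is never consulted for a user whose only match against the allowed list is a group name. If the intent is to match on either a role uuid or a group name, fetch the groups before the gate or make the gate evaluate the combined `groupRoleListOfUser`.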
Provisioning allowed list contains list of role-uuids and group names
Ex: "2642fb7a-58df-4608-aff9-b90aa73bcc51,group2"
In order to check a matching role or group, the user roles and groups are combined.
@@ -560,13 +561,19 @@ public static boolean isUserTenantBasedOutboundProvisioningEnabled() { | |||
public static boolean isOutboundProvisioningEnabled(String serviceProviderIdentifier, | |||
String tenantDomainName) throws IdentityApplicationManagementException { | |||
|
|||
if (!isApplicationBasedOutboundProvisioningEnabled()) { |
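Review bot: a public static `isOutboundProvisioningEnabled(String serviceProviderIdentifier, String tenantDomainName)` that decides whether provisioning runs needs Javadoc stating how the application-based toggle checked here and the tenant-based setting from `isUserTenantBasedOutboundProvisioningEnabled()` above interact, and which one wins when they disagree; the visible lines give callers no contract, and the declared `IdentityApplicationManagementException` should say which lookup can raise it.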
/* After group role separation, the internal roles should be not be provisioned. Only groups should be | ||
provisioned. | ||
*/ | ||
if (isInternalRole(provisioningEntity.getEntityName(), tenantDomain)) { |
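Review bot: the guard `isInternalRole(provisioningEntity.getEntityName(), tenantDomain)` decides by name, but per the PR description the entity name can be a role uuid under IS 7.0 as well as a group name, so a name-based check cannot reliably tell the two apart; branch on how the assignment was made (group versus role) instead of on the name. The comment in this hunk also reads "should be not be provisioned".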
Add a comment saying the entity name can be group name or role-uuid depending on group or role assignment for a user. Hence need to check whether group or role to only allow provisioning groups.
Better way to stop role get provisioned.
return; | ||
} | ||
ProvisioningServiceDataHolder.getInstance().getDefaultInboundUserProvisioningListener() | ||
.doPostUpdateUserListOfRole(roleId, deletedUserNames, newUserNames, userStoreManager); |
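Review bot: `ProvisioningServiceDataHolder.getInstance().getDefaultInboundUserProvisioningListener()` is dereferenced straight into `.doPostUpdateUserListOfRole(roleId, deletedUserNames, newUserNames, userStoreManager)` with no null check; if the listener is not registered when a role update arrives, the whole update path fails with a NullPointerException. Guard the lookup and log when the listener is absent, and give the bare `return;` above a comment stating why provisioning is skipped in that branch.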
Check why this method didn't get invoked in previous way.
@@ -679,7 +690,7 @@ private ProvisioningEntity getInboundProvisioningEntity(ProvisioningEntity provi | |||
IdentityProvisioningConstants.USERNAME_CLAIM_URI, null, null, false), | |||
Arrays.asList(new String[]{userName})); | |||
} | |||
List<String> roleListOfUser = getUserRoles(userName, tenantDomain); | |||
List<String> roleListOfUser = getUserGroups(userName, tenantDomain); |
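Review bot: this line swaps `getUserRoles` for `getUserGroups` but keeps the name `roleListOfUser`, which now misdescribes its contents; rename it to `groupListOfUser`. Because the inbound entity built in `getInboundProvisioningEntity` no longer carries the user's roles, also confirm that role membership still reaches outbound connectors through the new role-update listener, otherwise role changes silently stop being provisioned from this path.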
Can we change the variable name also accordingly?
Proposed changes in this pull request
The SCIM2 role-based outbound provisioning is provided by this PR.
When a role is updated, a newly introduced listener is executed to provision the users to the outbound connectors.
Related Issues
The role-based outbound provisioning worked for both groups and roles previously. A comma-separated role name list is passed in the API payload.
But with IS 7.0, the role name is not unique in a given tenant. Hence the role uuid is used when referring to roles.
The group-based outbound provisioning can be handled separately (by adding another column or IDP property to keep the groups for outbound provisioning) instead of keeping them under the list of outbound roles, but in this PR the roles & groups are still kept in the same list and process.