Development #5385

Add service provisioning

Added by Frédéric Péters over 9 years ago. Updated about 9 years ago.

Status:
New
Priority:
Low
Assignee:
-
Category:
-
Target version:
Start date:
04 September 2014
Due date:
% Done:

0%

Estimated time:
Patch proposed:
No
Planning:

Description

The "actions" sidepane of the user popup could gain a new "Provision Service" button that would let the admin pick a service, and would next (probably in a background task on the server) initiate an SSO request to the given service, so the user is created over there.

History

#1

Updated by Benjamin Dauvergne over 9 years ago

The button is easy, the rest a little less ;)

First I would support two new possible methods to IDPBAckend:
  • list_services(), it returns a list of Service objects (POP "Plain Old Python" objects) which have a name and a label
  • deprovision_service(service_name, user) which deprovisions a user on a service
  • provision_service(service_name, user) which provisions a user on a service

I would implement the button/dialogs around that.

That's for the abstract interface part. Now let's talk about protocols.

On the SAML implementation front, in the current case provision_sso() would make a simulated IdP-initiated SSO using request() (prototype implemented in authentic2.views.EditProfile, it should be removed and EditProfile should use the new generic API) and deprovision would just unlink the federation from the user object, because NameIdManagement is still not implemented.

I do not know if provisioning is possible with OAuth2. I imagine that we could fake an OAuth2 return but evil lies in the details.

CAS would be easy.

OpenID is like OAuth2, it seems difficult to go outside the normal workflow but it should be possible. It's not really important as nobody really uses it anymore.
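A sketch of the interface proposed in comment #1, added here as an example; it is not code from authentic2 or from the commenters. The class names `IdPBackendSketch` and `InMemorySAMLBackend`, the `federations` and `sp_accounts` stores, and the modelled behaviour that the service keeps its account after an IdP-side unlink are assumptions.

```python
import secrets
from abc import ABC, abstractmethod
from dataclasses import dataclass

@dataclass(frozen=True)
class Service:
    """Plain Python object: a machine name and a human-readable label."""
    name: str
    label: str

class IdPBackendSketch(ABC):
    """Hypothetical abstract interface with the three methods from the comment."""
    @abstractmethod
    def list_services(self): ...
    @abstractmethod
    def provision_service(self, service_name, user): ...
    @abstractmethod
    def deprovision_service(self, service_name, user): ...

class InMemorySAMLBackend(IdPBackendSketch):
    """Toy stand-in for a SAML backend: no network traffic, all state is local."""

    def __init__(self, services):
        self._services = {s.name: s for s in services}
        self.federations = {}   # (service_name, user) -> NameID held by the IdP
        self.sp_accounts = {}   # service_name -> NameIDs the service has seen

    def list_services(self):
        return sorted(self._services.values(), key=lambda s: s.name)

    def _check(self, service_name):
        if service_name not in self._services:
            raise KeyError(f"unknown service: {service_name}")

    def provision_service(self, service_name, user):
        self._check(service_name)
        key = (service_name, user)
        if key not in self.federations:      # idempotent: reuse the same NameID
            self.federations[key] = secrets.token_hex(16)
        # Simulated IdP-initiated SSO: the service creates the account on first use.
        self.sp_accounts.setdefault(service_name, set()).add(self.federations[key])
        return self.federations[key]

    def deprovision_service(self, service_name, user):
        self._check(service_name)
        # Assumption modelled here: only the IdP-side federation is unlinked;
        # without NameIdManagement the service is not told, so its account stays.
        return self.federations.pop((service_name, user), None) is not None
```

In this model an audit of `sp_accounts` against `federations` after a deprovision shows the orphaned account that would still need cleanup on the service side.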

#2

Updated by Victor Claudet over 9 years ago

Just a little reminder, because that feature would be really sweet for admin users.

#3

Updated by Benjamin Dauvergne about 9 years ago

  • Priority changed from Normal to Low

Superseded by proper access and authorization control support, but still useful for a lot of cases in the future.

#4

Updated by Benjamin Dauvergne about 9 years ago

  • Target version set to future
