Add service provisioning
The "actions" sidepane of the user popup could gain a new "Provision Service" button that would let the admin pick a service, and would next (probably in a background task on the server) initiate an SSO request to the given service, so the user is created over there.
#1 Updated by Benjamin Dauvergne almost 5 years ago
The button is easy, the rest a little less ;)
First I would support two new possible methods to IDPBAckend:
- list_services(), it returns a list of Service objects (POP "Plain Old Python" objects) which have a name and a label
- deprovision_service(service_name, user) which deprovisions a user on a service
- provision_service(service_name, user) which provisions a user on a service
I would implement the button/dialogs around that.
That's for the abstract interface part. Now let's talk about protocols.
On the SAML implementation front, in the current case provision_sso() would make a simulated IdP-initiated SSO using request() (prototype implemented in authentic2.views.EditProfile, it should be removed and EditProfile should use the new generic API) and deprovision would just unlink the federation from the user object, because NameIdManagement is still not implemented.
I do not know if provisioning is possible with OAuth2. I imagine that we could fake an OAuth2 return but evil lies in the details.
CAS would be easy.
OpenID is like OAuth2, it seems difficult to go outside the normal workflow but it should be possible. It's not really important as nobody really uses it anymore.
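A sketch of the three-method interface proposed in the comment above, added here as an illustration; it is not authentic2 code and not written by the commenter. `InMemoryBackend`, `UnknownService` and `is_provisioned` are hypothetical names, and the in-memory federation table is an assumption standing in for the real SSO exchange and the federation stored on the user object.

```python
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    """Plain Python object: a machine name and a human-readable label."""
    name: str
    label: str


class UnknownService(LookupError):
    """Raised when an admin action names a service the backend does not list."""


class InMemoryBackend:
    """Hypothetical backend; a real one would start an SSO towards the service."""

    def __init__(self, services):
        self._services = {s.name: s for s in services}
        # (service_name, user) -> opaque federation identifier (assumed model)
        self._federations = {}

    def list_services(self):
        return sorted(self._services.values(), key=lambda s: s.name)

    def _check(self, service_name):
        # Only accept names that list_services() would have offered the admin.
        if service_name not in self._services:
            raise UnknownService(service_name)

    def provision_service(self, service_name, user):
        """Create the federation once; repeated calls return the same link."""
        self._check(service_name)
        key = (service_name, user)
        if key not in self._federations:
            # Random, opaque identifier so it reveals nothing about the user.
            self._federations[key] = secrets.token_hex(16)
        return self._federations[key]

    def deprovision_service(self, service_name, user):
        """Unlink the federation; return False if there was nothing to unlink."""
        self._check(service_name)
        return self._federations.pop((service_name, user), None) is not None

    def is_provisioned(self, service_name, user):
        return (service_name, user) in self._federations
```

Making both calls idempotent means a retried background task neither creates a second federation nor fails on an already unlinked one.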