Development #5385

Add service provisioning

Added by Frédéric Péters over 5 years ago. Updated almost 5 years ago.

Status: New
Priority: Low
Assignee: -
Category: -
Target version:
Start date: 04 Sep 2014
Due date:
% Done: 0%
Patch proposed: No
Planning: No

Description

The "actions" sidepane of the user popup could gain a new "Provision Service" button that would let the admin pick a service, and would next (probably in a background task on the server) initiate an SSO request to the given service, so the user is created over there.

History

#1 Updated by Benjamin Dauvergne over 5 years ago

The button is easy, the rest a little less ;)

First I would support two new possible methods to IDPBAckend:
  • list_services(), it returns a list of Service objects (POP "Plain Old Python" objects) which have a name and a label
  • deprovision_service(service_name, user) which deprovisions a user on a service
  • provision_service(service_name, user) which provisions a user on a service

I would implement the button/dialogs around that.

That's for the abstract interface part. Now let's talk about protocols.

On the SAML implementation front, in the current case provision_sso() would make a simulated IdP-initiated SSO using request() (prototype implemented in authentic2.views.EditProfile, it should be removed and EditProfile should use the new generic API) and deprovision would just unlink the federation from the user object, because NameIdManagement is still not implemented.

I do not know if provisioning is possible with OAuth2. I imagine that we could fake an OAuth2 return but evil lies in the details.

CAS would be easy.

OpenID is like OAuth2, it seems difficult to go outside the normal workflow but it should be possible. It's not really important as nobody really uses it anymore.
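
A sketch of the interface proposed in comment #1, as an added example that is not authentic2 code and not part of the original thread. Only the three method names come from the comment; `InMemoryBackend`, `UnknownService`, `provision_from_admin_action`, the admin flag and the audit list are assumptions, and the in-memory set stands in for the real protocol exchange.

```python
from dataclasses import dataclass, field

# Only list_services, provision_service and deprovision_service come from
# the comment; every other name here is hypothetical.

@dataclass(frozen=True)
class Service:
    name: str
    label: str

class UnknownService(Exception):
    pass

@dataclass
class InMemoryBackend:
    """Constructed stand-in for one protocol backend (SAML, CAS, ...)."""
    services: dict                                  # name -> Service
    federations: set = field(default_factory=set)   # (service_name, user)
    audit: list = field(default_factory=list)       # who was (de)provisioned

    def list_services(self):
        return sorted(self.services.values(), key=lambda s: s.name)

    def _change(self, action, service_name, user):
        if service_name not in self.services:
            raise UnknownService(service_name)
        link = (service_name, user)
        changed = (link in self.federations) != (action == "provision")
        if action == "provision":
            self.federations.add(link)      # real backend: IdP-initiated SSO
        else:
            self.federations.discard(link)  # real backend: unlink federation
        self.audit.append((action, service_name, user, changed))
        return changed

    def provision_service(self, service_name, user):
        return self._change("provision", service_name, user)

    def deprovision_service(self, service_name, user):
        return self._change("deprovision", service_name, user)

def provision_from_admin_action(backends, actor_is_admin, service_name, user):
    """Server-side handler behind the proposed "Provision Service" button."""
    if not actor_is_admin:
        raise PermissionError("provisioning is an admin-only action")
    for backend in backends:
        if any(s.name == service_name for s in backend.list_services()):
            return backend.provision_service(service_name, user)
    raise UnknownService(service_name)
```

Both calls are idempotent and return whether anything changed, so a repeated click on the button does not create a second federation, and every attempt lands in the audit list.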

#2 Updated by Victor Claudet about 5 years ago

Just a little reminder, because that feature would be really sweet for admin users.

#3 Updated by Benjamin Dauvergne almost 5 years ago

  • Priority changed from Normal to Low

Superseded by proper access and authorization control support, but still useful for a lot of cases in the future.

#4 Updated by Benjamin Dauvergne almost 5 years ago

  • Target version set to future
