Details
- Type: Improvement
- Status: Closed
- Priority: Major
- Resolution: Fixed
- None
Description
The DefaultSyncConfig comes with a configuration option PARAM_USER_AUTO_MEMBERSHIP indicating the set of groups a given external user must always become a member of upon sync into the repository.
This results in groups containing almost all users in the system (at least those synchronized from the external IDP). While this behavior is straightforward (and corresponds to the behavior in the previous CRX version), it wouldn't be necessary from a repository point of view, as a given Subject can be populated from different principal sources, and dealing with this kind of dynamic auto-membership was a typical use case.
What does that mean:
Instead of performing the auto-membership in the user management, the external authentication setup could come with an auto-membership PrincipalProvider implementation that would expose the desired group membership for all external principals (assuming that they were identified as such).
tripod, do you remember if that was ever an option while building the oak-auth-external module? if not, could that be worth a second thought also in the light of OAK-3933?
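An added illustration of the idea proposed above (example code, not Oak's own implementation): the groups from PARAM_USER_AUTO_MEMBERSHIP are not written into user management at sync time, but are returned by a dedicated principal provider whenever the membership of a principal recognised as external is resolved. The class and method names, and the name-based lookup used here to decide whether a principal is external, are assumptions for this example.

```java
import java.security.Principal;
import java.util.*;

/* Provider that exposes auto-membership dynamically for external principals only.
 * Nothing is stored; membership is computed on lookup. Example code, not Oak's. */
public class AutoMembershipPrincipalProvider {

    /** Group that exists only as a principal, not as a group in user management. */
    public static final class GroupPrincipal implements Principal {
        private final String name;
        public GroupPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o instanceof GroupPrincipal && name.equals(((GroupPrincipal) o).name);
        }
        @Override public int hashCode() { return name.hashCode(); }
        @Override public String toString() { return "group:" + name; }
    }

    private final Set<GroupPrincipal> autoMembership;  // equivalent of PARAM_USER_AUTO_MEMBERSHIP
    private final Set<String> externalPrincipalNames;  // assumed stand-in for "identified as external"

    public AutoMembershipPrincipalProvider(Collection<String> autoMembershipGroups,
                                           Collection<String> externalPrincipalNames) {
        Set<GroupPrincipal> groups = new LinkedHashSet<>();
        for (String g : autoMembershipGroups) groups.add(new GroupPrincipal(g));
        this.autoMembership = Collections.unmodifiableSet(groups);
        this.externalPrincipalNames = new HashSet<>(externalPrincipalNames);
    }

    /** Resolves one of the auto-membership groups by name; null for any other name. */
    public Principal getPrincipal(String principalName) {
        for (GroupPrincipal g : autoMembership) {
            if (g.getName().equals(principalName)) return g;
        }
        return null;
    }

    /** Dynamic membership: every external principal is a member of all configured groups,
     *  while local (non-external) principals get nothing from this provider. */
    public Set<GroupPrincipal> getGroupMembership(Principal principal) {
        if (!externalPrincipalNames.contains(principal.getName())) return Collections.emptySet();
        return autoMembership;
    }

    public static void main(String[] args) {
        AutoMembershipPrincipalProvider provider = new AutoMembershipPrincipalProvider(
                Arrays.asList("external-users", "contributors"),  // constructed configuration
                Arrays.asList("alice@idp"));                        // constructed sync result
        System.out.println(provider.getGroupMembership(() -> "alice@idp"));
        System.out.println(provider.getGroupMembership(() -> "admin"));
    }
}
```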
Attachments
Issue Links
- blocks
  - OAK-4679 Backport OAK-4119, OAK-4101, OAK-4087 and OAK-4344 (Closed)
- is related to
  - OAK-3933 potential improvements to membership management (Open)
  - OAK-2687 Introduce Dynamic Groups (Resolved)
- relates to
  - OAK-5195 ExternalPrincipalConfiguration uses 'group.autoMembership' instead of 'user.autoMembership' (Closed)
  - OAK-5194 'Dynamic' Automembership should respect both User and Group Config Values (Closed)
- requires
  - OAK-4101 Consider separate external (group) principal management (Closed)