Just In Time Provisioning of FusionAuth admin users
JIT user provisioning for specific inbound SSO applications
Problem
We would like to SSO users from our workforce identity provider into the FusionAuth administrative console without having to provision the users on the FusionAuth side first. If this were possible, we could utilize Google Workspace group permissions and provisioning to control and grant access to FusionAuth without requiring additional manual steps.
Solution
Have the ability to configure SAML SSO in a way that auto-provisions users on the FusionAuth side. Ideally, if this supported group mappings, we could also map our external IdP's groups to FusionAuth roles. Another option would be to support SCIM for Google Workspace specifically.
Solution Details
Allow the FusionAuth app to have "Create registration" enabled in the IdP configuration. Then, to assign the preferred default role during authentication, use a reconcile lambda for the IdP.
Example:
// FusionAuth SAML v2 reconcile lambda: if this is the FusionAuth app and no
// roles have been assigned yet, default to user_support_manager
function reconcile(user, registration, samlResponse) {
  if (registration.applicationId === '3c219e58-ed0e-4b18-ad48-f4f92793ae32' && registration.roles.length === 0) {
    registration.roles = ['user_support_manager'];
  }
}
Alternatives/workarounds
We would need to build some custom onboarding flow that would provision users in FusionAuth via some separate API calls before enabling SSO access.
Community guidelines
All issues filed in this repository must abide by the FusionAuth community guidelines.
How to vote
Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.
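The reconcile lambda in the Solution Details above only applies a default role. The following is an added example, not code from the issue or from FusionAuth, showing how the same lambda can map IdP groups to FusionAuth admin roles through an allowlist, so that access to the admin console is controlled from the workforce directory. It assumes the IdP sends group memberships in a SAML attribute named "groups" (an assumption; the attribute name depends on the IdP's SAML app configuration) and uses placeholder group names; the application id and the user_support_manager role come from the issue, and the other role names are existing FusionAuth admin roles.

```javascript
// Added example (not FusionAuth's own code): SAML v2 reconcile lambda that maps
// IdP group attributes to FusionAuth admin roles for the FusionAuth application,
// falling back to the default role from the issue when no group matches.

// The FusionAuth admin application id (quoted in the issue).
const FUSIONAUTH_APP_ID = '3c219e58-ed0e-4b18-ad48-f4f92793ae32';

// Assumed name of the SAML attribute carrying the user's group memberships.
const GROUP_ATTRIBUTE = 'groups';

// Allowlist: only these IdP groups grant roles; any other group is ignored, so a
// mis-configured or attacker-influenced group value cannot grant an unlisted role.
// Group names are constructed placeholders.
const GROUP_TO_ROLE = {
  'fusionauth-admins': 'admin',
  'fusionauth-support': 'user_support_manager',
  'fusionauth-auditors': 'user_support_viewer'
};

// Role granted when no group maps and the registration has no roles yet
// (the behaviour of the snippet in the issue).
const DEFAULT_ROLE = 'user_support_manager';

// Read group values from the assertion. In FusionAuth SAML reconcile lambdas
// samlResponse.assertion.attributes maps an attribute name to an array of values;
// a single string is tolerated here for robustness.
function samlGroups(samlResponse) {
  const attrs = (samlResponse && samlResponse.assertion && samlResponse.assertion.attributes) || {};
  const values = attrs[GROUP_ATTRIBUTE];
  if (Array.isArray(values)) {
    return values.filter(function (v) { return typeof v === 'string'; });
  }
  return typeof values === 'string' ? [values] : [];
}

// Translate groups into a deduplicated, sorted list of roles via the allowlist.
function rolesForGroups(groups) {
  const roles = {};
  groups.forEach(function (g) {
    if (Object.prototype.hasOwnProperty.call(GROUP_TO_ROLE, g)) {
      roles[GROUP_TO_ROLE[g]] = true;
    }
  });
  return Object.keys(roles).sort();
}

// FusionAuth SAML v2 reconcile lambda entry point.
function reconcile(user, registration, samlResponse) {
  if (registration.applicationId !== FUSIONAUTH_APP_ID) {
    return; // registrations for other applications are left untouched
  }
  const mapped = rolesForGroups(samlGroups(samlResponse));
  if (mapped.length > 0) {
    // Replace rather than append: removing a group in the IdP then removes the
    // corresponding admin role on the user's next login.
    registration.roles = mapped;
  } else if (!registration.roles || registration.roles.length === 0) {
    registration.roles = [DEFAULT_ROLE];
  }
}
```

The lambda replaces the role list whenever the IdP supplies a mapped group, so role revocation happens on the next SSO login without a manual step on the FusionAuth side; when no group matches, an existing role set is preserved and only an empty registration receives the default role.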
It might be worth investigating SCIM a bit more and see if we can figure out how to provision into FusionAuth from Google Workspace.
https://support.google.com/a/answer/6087519?ref_topic=7559288 indicates how you can add your own SAML apps to a Google Workspace, which seems to be a prereq. https://community.netskope.com/t5/Additional-Discussions/SCIM-Based-User-Provisioning-with-GSuite/td-p/310 implies you can provision users even for apps not in the preselected app catalog: https://support.google.com/a/table/9217027
That's right, Google Workspace does support custom SAML apps and IdP initiated SSO for them.
The enhancement for FusionAuth would be to check for the existence of a user for the provided SAML principal (which could be the user's e-mail), and then automatically create that user if it doesn't exist. We would need to be able to configure which external IdPs would be eligible for JIT provisioning of users; in our case it would be the employee directory.
Internal
- https://github.com/FusionAuth/fusionauth-app/pull/148