New feature request: Inherit group from OpenID login from upstream IdP

[DonaldChung-HK]

The Problem To Be Solved Current INDIGO IAM is unable to extract the group information from upstream OpenID IdP. this is not ideal as the user will lose all the group information. To support our deployment, we hope that the IAM is able to extract group information from the upstream IAM. Thus, allowing the INDIGO IAM to operate on a more federated fashion.

Solution suggestion

• Extract group information from upstream IdP
  1. When a user login via OIDC, a openID JWT token is sent from the upstream IdP containing user group
  2. The IAM can extract the information and place all the groups under <upstream-idp-name>/*
  3. Synchronisation occur that will synchronise with upstream IdP every time the user login via OIDC.
• Caveats and considerations for the future
  • May need a way to force a certain user to login via OIDC so that the group information to sync

[giacomini]

Some preliminary questions:

• Do you envision these groups to be read-only? i.e. there is no group manager, there is no possibility to add/remove users from these groups, etc.
• Do these groups always end up in the groups/entitlements claim of tokens issued by the downstream IAM? or are they optional?
• How do you choose the upstream-idp-name?

[DonaldChung-HK]

Answer to the above:

• Do you envision these groups to be read-only?
  • Yes as some project wish to have a centralized option to manage groups and entitlements
• Do these groups always end up in the groups/entitlements claim of tokens issued by the downstream IAM? or are they optional?
  • I think that having a variable within the IAM to control the activation would be helpful
• How do you choose the upstream-idp-name?
  • Only OIDC should be supported can it be set as an additional variable in the application-oidc.yaml file attached to the OIDC IdP?