Red Hat Bugzilla – Bug 1469173
[RFE] Automatic group / membership sync from external IdP
Last modified: 2018-01-25 16:48:59 EST
From the RFE template:
> 3. What is the nature and description of the request?
Group synchronization is only possible through a manual intervention or through a scheduled job that needs to be configured by the administrators (e.g. CronJobs).
This only allows synchronization from an external LDAP and not from any other IdP supporting Groups and memberships, like RH SSO.
After a user logs in for the first time, even though a synchronization has taken place, the user will only belong to the preconfigured groups (e.g. system:authenticated) but not to the groups the user belongs to in the IdP (or IdPs). The administrator would then need to synchronize the groups again.
> 4. Why does the customer need this? (List the business requirements here)
The customer has an Active Directory with more than 18,000 groups and also a RH SSO with this Active Directory configured, and would like to simplify and automate the synchronization after a membership is modified, a user is created or a user logs into OpenShift for the first time.
> 5. How would the customer like to achieve this? (List the functional requirements here)
- As a user existing in the external IdP belonging to group A, I would like to belong to the same groups after logging into OpenShift for the first time.
- As an administrator, I would like to be able to automate the group/membership synchronization or simplify it using the configuration.
- As an administrator, I would like to be able to synchronize groups/memberships from RH SSO.
> 6. For each functional requirement listed, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented.
- A user John belongs to group DEVELOPERS in the external IdP. Group DEVELOPERS already exists in OpenShift and has the Admin role on project "Demo". When John logs into OpenShift for the first time, he has the admin role due to his membership in group DEVELOPERS.
- In the IdentityProviders configuration of the master-config.yaml file, the administrator can configure whether he/she wants to automatically sync the groups and provide a frequency in cron format.
- OpenShift configured with RH SSO as one of its external IdPs should be able to synchronize the existing groups of the realm used and all the existing memberships.
> 10. List any affected packages or components.
(In reply to Ruben Romero Montes from comment #0)
> After a user logs in for the first time, even though a synchronization has
> taken place, the user will only belong to the preconfigured groups (e.g.
> system:authenticated) but not to the groups the user belongs to in the IdP
> (or IdPs). Then the administrator should need to synchronize the groups
I do not think this is accurate. If a group sync is executed, the resulting Group record in OpenShift will contain all users from LDAP, regardless of whether they have logged in previously to OpenShift or not. As soon as a user logs in for the first time, they will have privileges automatically, as they are already listed as a member of the group.
The only requisite configuration for this is that users' identity mappings are the same for authentication and authorization (e.g. they are identified by the same LDAP attribute in OpenShift for both systems).
> - A user John belongs to group DEVELOPERS in the external IdP. Group
> DEVELOPERS already exists in Openshift and has the Admin role on project
> "Demo". When John logs into Openshift for the first time, he has admin role
> due to his membership to group DEVELOPERS
If the original group sync occurred when John was in the DEVELOPERS group in LDAP but had not logged in to OpenShift for the first time, as above, this should already work as you describe.
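As an added illustration of the scheduled-sync setup from comment #0 and of the "same attribute for authentication and authorization" requirement in the reply above (this is example configuration written for this page, not from the bug report, the customer or Red Hat), the following pairs an OpenShift 3.x LDAP identity provider stanza from master-config.yaml with an LDAPSyncConfig for Active Directory. The host ad.example.com, the base DNs, the bind DN, the CA file name and the ou layout are all made-up placeholders. The point to check is that `preferredUsername` in the identity provider and `userNameAttributes` in the sync config name the same attribute (sAMAccountName here): group sync writes that attribute's value into each Group's `users` list, and first login creates a User with that same name, so the membership applies immediately as the reply describes.

```yaml
# --- master-config.yaml (excerpt): who a user *is* at login ---
oauthConfig:
  identityProviders:
  - name: corp_ad            # placeholder IdP name
    challenge: true
    login: true
    mappingMethod: claim
    provider:
      apiVersion: v1
      kind: LDAPPasswordIdentityProvider
      attributes:
        id: [ dn ]
        email: [ mail ]
        name: [ cn ]
        preferredUsername: [ sAMAccountName ]   # User object name == sAMAccountName
      bindDN: "cn=openshift,ou=service,dc=example,dc=com"   # placeholder
      bindPassword:
        file: /etc/origin/master/ldap-bind-password           # placeholder path
      insecure: false
      ca: /etc/origin/master/ad-ca.crt                        # placeholder CA bundle
      url: "ldaps://ad.example.com/ou=users,dc=example,dc=com?sAMAccountName"
---
# --- ad-sync.yaml: which Groups a user is *in* (run by the scheduled job) ---
kind: LDAPSyncConfig
apiVersion: v1
url: ldaps://ad.example.com                      # placeholder host
bindDN: "cn=openshift,ou=service,dc=example,dc=com"
bindPassword:
  file: /etc/origin/master/ldap-bind-password
insecure: false
ca: /etc/origin/master/ad-ca.crt
augmentedActiveDirectory:
  groupsQuery:
    baseDN: "ou=groups,dc=example,dc=com"        # placeholder
    scope: sub
    derefAliases: never
    pageSize: 0
  groupUIDAttribute: dn
  groupNameAttributes: [ cn ]                    # OpenShift Group name, e.g. DEVELOPERS
  usersQuery:
    baseDN: "ou=users,dc=example,dc=com"         # placeholder
    scope: sub
    derefAliases: never
    filter: (objectclass=person)
    pageSize: 0
  userNameAttributes: [ sAMAccountName ]         # MUST match preferredUsername above
  groupMembershipAttributes: [ memberOf ]
```

The sync itself is `oc adm groups sync --sync-config=ad-sync.yaml --confirm` (dropping `--confirm` prints the resulting Group objects without writing them, which is the quickest way to verify that the `users` entries look like login names rather than DNs). That command is what an administrator puts in the CronJob mentioned in comment #0; with a directory the size of the one described there, `--whitelist=<file>` restricts the run to a listed subset of group DNs instead of pulling all 18,000. If `userNameAttributes` and `preferredUsername` disagree (for example `dn` on one side and `sAMAccountName` on the other), the Group record is populated but the names never match the User created at login, which reproduces exactly the "logged in but not in any IdP group" symptom the RFE reports.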