-
Notifications
You must be signed in to change notification settings - Fork 827
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix: external group memberships should have correct origin #3033
Conversation
External group memberships determined from processing an OIDC or SAML login should be stored with the origin of the identity provider and not the default uaa origin. Change-Id: I7a3fb410d3ef781398f356b0df3a6973a5836c4c
…ext-group-origin # Conflicts: # server/src/test/java/org/cloudfoundry/identity/uaa/scim/bootstrap/ScimUserBootstrapTests.java
please check if my rebase is Ok for you. Sonar is green: https://sonarcloud.io/summary/new_code?id=cloudfoundry-identity-parent&pullRequest=3033 The issue is known but I was not sure in the past, wheather this is a bug or feature , so from our side (SAP) we can agree to this change but from @hsinn0 @peterhaochen47 broadcom side you should check as well |
Yes the rebase looks fine to me |
Thanks, we will take a look at this. |
We will try to find out whether the existing implementation was intentional or an oversight, and also if there is anything out there that depends on the current behavior. |
@hsinn0, It is causing an actual issue for me. |
Here is my guess/understanding after a quick read of the existing code: It looks like The external IDP users ( What is the actual issue you are seeing? What is your use case? |
In addition to processing users in the server config, it also receives events like ExternalGroupAuthorizationEvent, used to process external groups during external logins. Anyway, my commit still works for users processed from the server config. |
I see. Yeah I don't see any issues with this PR then. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Approving and merged to develop
.
fix for issue 3069 The change #3033 forbids the user and group creation with UAA origin but assigns always the origin from the user itself This breaks the scim user bootstrapping from uaa.yml. Separate the create user into - from uaa.yml (propertiesSetup) - from shadow user creation In case of propertiesSetup and LDAP origin we allow again the creation of group assignments to UAA origin
External group memberships determined from processing an OIDC or SAML login should be stored with the origin of the identity provider and not the default uaa origin.