# Created 2020-09-29 Tue 14:43
#+TITLE: Work Time Tracker
#+AUTHOR: Yann Esposito

* add idp-mapping during org creation
- ref :: https://github.com/threatgrid/iroh/issues/4204

The =Org= schema contains an optional field named =idp-mapping=:

#+begin_src clojure
(s/defschema OrgIdPMapping
  (st/open-schema
   {:idp (describe s/Str "Internal idp-id")
    :organization-id (describe s/Str "the organization id provided by the IdP")
    :enabled? (describe s/Bool "Do we allow the connection through this IdP?")}))

(s/defschema NewOrg
  "Org before being saved to DB"
  (st/merge
   {:id s/Str}
   (st/optional-keys
    {,,,
     :idp-mapping OrgIdPMapping
     ,,})))
#+end_src

To support CSA Migration it should be replaced by:

#+begin_src clojure
(s/defschema OrgIdPMapping
  {:idp (describe s/Str "Internal idp-id")
   :organization-id (describe s/Str "the organization id provided by the IdP")
   :enabled? (describe s/Bool "Do we allow the connection through this IdP?")})

(s/defschema NewOrg
  "Org before being saved to DB"
  (st/merge
   {:id s/Str
    :idp-mapping OrgIdPMapping}
   (st/optional-keys
    {:old-idp-mapping OrgIdPMapping
     ,,,})))
#+end_src

This issue is about a first step toward this goal. So at the end of this issue the schemas should be:

#+begin_src clojure
(s/defschema OrgIdPMapping
  {:idp (describe s/Str "Internal idp-id")
   (s/optional-key :organization-id) (describe s/Str "the organization id provided by the IdP")
   :enabled? (describe s/Bool "Do we allow the connection through this IdP?")})

(s/defschema NewOrg
  "Org before being saved to DB"
  (st/merge
   {:id s/Str}
   (st/optional-keys
    {:idp-mapping OrgIdPMapping
     ,,,})))
#+end_src

So, depending on the Identity Provider (IdP), some provide an =organization-id= and some don't. IROH-Auth currently works with 3 IdPs:

- IDB AMP (stands for Identity Broker, which proxies the SAML AMP/Castle Identity Provider)
- IDB TG (Identity Broker proxying the Threatgrid OpenID Connect)
- SxSO (Okta)

SxSO is the only IdP for which we do not care about the =organization-id=.

So organizations created through login via IDB AMP or IDB TG will be called /managed orgs/. Mainly, the IdP is responsible for the name of the =org-id=.

For managed orgs, we create the org using the function =iroh-auth.iroh-auth-service.core/sync-user-org=, which uses the value returned by =iroh-auth.org-service.core/get-org-by-session-infos=. So this last function should be modified to always return a field =idp-mapping=.

- During logins via SxSO (or any IdP that does not manage orgs) the =organization-id= must not be set.
- During logins via AMP or TG (or any IdP that manages orgs) the =organization-id= of the =OrgIdPMapping= must be set to the value returned by the IdP.

Note there might be some work to get the information on whether an IdP manages orgs or not. This information is put in =config.edn=: every IdP has a =:manage-orgs= field.
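The rules above (always produce an =idp-mapping=, set =organization-id= only for IdPs whose =config.edn= entry has =:manage-orgs=) can be expressed as a small builder function. The following is an added example written for this note, not code from iroh-auth: the namespace, the =idps-config= map and the =build-idp-mapping= function are hypothetical, and the session-infos map shape (=:idp= and =:organization-id= keys) is an assumption. It uses the target =OrgIdPMapping= schema from this issue, minus the =describe= annotations, so that plumatic =schema= alone is enough to run it.

```clojure
;; Added example, not iroh-auth code. Assumes a per-IdP config map shaped
;; like the config.edn entries described above (each IdP has :manage-orgs)
;; and a session-infos map carrying the IdP id and the organization-id the
;; IdP returned (nil when it returned none).
(ns example.idp-mapping
  (:require [schema.core :as s]))

;; Target schema for this issue: organization-id is optional, but when
;; present it must be a string (a nil value is rejected by s/validate).
(s/defschema OrgIdPMapping
  {:idp s/Str
   (s/optional-key :organization-id) s/Str
   :enabled? s/Bool})

;; Constructed config mirroring the three IdPs listed in the note.
(def idps-config
  {"idb-amp" {:manage-orgs true}
   "idb-tg"  {:manage-orgs true}
   "sxso"    {:manage-orgs false}})

(defn build-idp-mapping
  "Build the :idp-mapping value for an org from the login session infos.
   - unknown IdP id            -> throws (no silent default)
   - IdP with :manage-orgs     -> :organization-id taken from the IdP;
                                  a missing value fails schema validation
   - IdP without :manage-orgs  -> :organization-id is never set, even if
                                  the session carries one"
  [idps-config {:keys [idp organization-id]}]
  (let [idp-conf (get idps-config idp)]
    (when (nil? idp-conf)
      (throw (ex-info "Unknown IdP, refusing to create org" {:idp idp})))
    (s/validate
     OrgIdPMapping
     (cond-> {:idp idp :enabled? true}
       (:manage-orgs idp-conf) (assoc :organization-id organization-id)))))

(comment
  ;; managed org: organization-id is kept
  (build-idp-mapping idps-config {:idp "idb-amp" :organization-id "amp-org-42"})
  ;; => {:idp "idb-amp", :enabled? true, :organization-id "amp-org-42"}

  ;; SxSO: organization-id is dropped even though the IdP sent one
  (build-idp-mapping idps-config {:idp "sxso" :organization-id "okta-org-1"})
  ;; => {:idp "sxso", :enabled? true}

  ;; managing IdP that returned no organization-id: schema error, org not created
  (build-idp-mapping idps-config {:idp "idb-tg" :organization-id nil})
  ;; throws clojure.lang.ExceptionInfo (Value does not match schema)
  )
```

The point of routing every mapping through =s/validate= is that a managed IdP which fails to return an =organization-id= is caught at org creation instead of producing a managed org with no link back to its IdP organization, while a non-managing IdP can never sneak an =organization-id= into the mapping regardless of what the session contains.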