1.8 KiB
SSE CCO_id work discussion
[2021-10-28 Thu 14:52]
So after giving more thoughts on the subject. Here are some scenarios:
- A person login via Okta with the email
user-1@domain.com
- This person want to connect his account, then he must login via Okta
again but using another Okta account
user-1@smart-account.com
for example.
In this scenario there are two issues:
The first is that we do not control the Okta session.
The Okta session will keep being the one for user-1@smart-account.com
.
When the user will launch another product he will not use his usual
user-1@domain.com
Okta session.
The second, is that we should have a mechanism to understand that on the second login, we don't want to login the user, but to merge two different IdP accounts.
Mainly we will need to develop a new workflow, so a user could merge multiple IdP accounts to his current SecureX account.
The implications are:
- SecureX users should support multiple email addresses. (also note that user login via TG have a non verified email addresses and are treated separately on different login flows.)
- We need to support more metas data in the IdP Mappings in general, (typically the CCO_id). Now, what if a user login multiple times, and has two different IdP Mapping with a different CCO_id.
- We will need to provide a new route, that will present a new HTML page similar to the login page but with subtle modifications. We might, for example, negotiate another login buttons that will behave differently (typically a login button forcing the user to use CCO).
In the end, it means we should deliver a "Merge a new Login" flow to SecureX Accounts. And it doesn't seem to be trivial.