add idp-mapping during org creation
The `Org` schema contains an optional field named `idp-mapping`:
```clojure
(s/defschema OrgIdPMapping
  (st/open-schema
   {:idp (describe s/Str "Internal idp-id")
    :organization-id (describe s/Str "the organization id provided by the IdP")
    :enabled? (describe s/Bool "Do we allow the connection through this IdP?")}))

(s/defschema NewOrg
  "Org before being saved to DB"
  (st/merge
   {:id s/Str}
   (st/optional-keys
    {,,,
     :idp-mapping OrgIdPMapping
     ,,,})))
```
To support CSA Migration it should be replaced by:
```clojure
(s/defschema OrgIdPMapping
  {:idp (describe s/Str "Internal idp-id")
   :organization-id (describe s/Str "the organization id provided by the IdP")
   :enabled? (describe s/Bool "Do we allow the connection through this IdP?")})

(s/defschema NewOrg
  "Org before being saved to DB"
  (st/merge
   {:id s/Str
    :idp-mapping OrgIdPMapping}
   (st/optional-keys
    {:old-idp-mapping OrgIdPMapping
     ,,,})))
```
This issue covers only a first step toward that goal, so at the end of this issue the schemas should be:
```clojure
(s/defschema OrgIdPMapping
  {:idp (describe s/Str "Internal idp-id")
   (s/optional-key :organization-id) (describe s/Str "the organization id provided by the IdP")
   :enabled? (describe s/Bool "Do we allow the connection through this IdP?")})

(s/defschema NewOrg
  "Org before being saved to DB"
  (st/merge
   {:id s/Str}
   (st/optional-keys
    {:idp-mapping OrgIdPMapping
     ,,,})))
```
Depending on the Identity Provider (IdP), some provide an `organization-id` and some don't.
IROH-Auth currently works with 3 IdPs:
- IDB AMP (Identity Broker that proxies the SAML AMP/Castle Identity Provider)
- IDB TG (Identity Broker that proxies the Threatgrid OpenID Connect provider)
- SxSO (Okta)
SxSO is the only IdP whose `organization-id` we do not care about.
So organizations created through a login via IDB AMP or IDB TG are called managed orgs: for those, the IdP is the authority for the org-id.
For managed orgs, we create the org using the function `iroh-auth.iroh-auth-service.core/sync-user-org`, which uses the value returned by `iroh-auth.org-service.core/get-org-by-session-infos`. So this last function should be modified to always return an `idp-mapping` field.
During logins via SxSO (or any IdP that does not manage orgs) the `organization-id` must not be set. During logins via AMP or TG (or any IdP that manages orgs) the `organization-id` of the `OrgIdPMapping` must be set to the value returned by the IdP.
Note there might be some work to determine whether a given IdP manages orgs or not. This information is put in `config.edn`: every IdP has a `:manage-orgs` field.
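As an added example (not IROH-Auth's own code), here is how the rule above can be enforced when building the `idp-mapping` from a login, using the `OrgIdPMapping` schema as it should be at the end of this issue. The `idp-config` map (a stand-in for the IdP section of `config.edn`), the functions `manage-orgs?` and `build-idp-mapping`, and the session-infos keys `:idp-id` and `:org-id` are assumptions made for the example, not names from the code base.

```clojure
(ns example.idp-mapping
  (:require [clojure.string :as str]
            [schema.core :as s]))

;; OrgIdPMapping as it should be at the end of this issue:
;; :organization-id is optional, :idp and :enabled? are required.
(s/defschema OrgIdPMapping
  {:idp s/Str
   (s/optional-key :organization-id) s/Str
   :enabled? s/Bool})

;; Constructed stand-in for the IdP section of config.edn (assumed shape):
;; every IdP carries a :manage-orgs flag.
(def idp-config
  {:idb-amp {:manage-orgs true}
   :idb-tg  {:manage-orgs true}
   :sxso    {:manage-orgs false}})

(defn manage-orgs?
  "True when the IdP is the authority for the org id (config.edn :manage-orgs).
   Fails closed: an IdP missing from the config is treated as not managing orgs."
  [config idp-id]
  (true? (get-in config [idp-id :manage-orgs])))

(defn build-idp-mapping
  "Build the :idp-mapping of an org from the session infos of a login.
   Assumed session-infos keys: :idp-id (internal idp-id) and :org-id (the
   organization id the IdP returned, if any).
   - IdP manages orgs: :organization-id is required and copied from the IdP.
   - IdP does not manage orgs: :organization-id is left out entirely (not set
     to nil), even if the IdP happened to return one."
  [config {:keys [idp-id org-id]}]
  (let [managed? (manage-orgs? config idp-id)]
    (when (and managed? (str/blank? org-id))
      (throw (ex-info "IdP manages orgs but returned no organization id"
                      {:idp-id idp-id})))
    ;; Validate before returning so a mapping that violates the schema
    ;; never reaches sync-user-org / the DB.
    (s/validate OrgIdPMapping
                (cond-> {:idp (name idp-id)
                         :enabled? true}
                  managed? (assoc :organization-id org-id)))))

(comment
  ;; managed org: organization-id comes from the IdP
  (build-idp-mapping idp-config {:idp-id :idb-amp :org-id "amp-org-42"})
  ;; non-managed org: organization-id must not be set, even if SxSO sent one
  (build-idp-mapping idp-config {:idp-id :sxso :org-id "okta-org-7"})
  ;; managing IdP without an org id is rejected with ex-info
  (build-idp-mapping idp-config {:idp-id :idb-tg}))
```

The two checks worth keeping from this sketch are that a missing `:manage-orgs` entry defaults to "does not manage orgs" (so a misconfigured IdP cannot silently create managed orgs), and that `:organization-id` is omitted rather than set to `nil` for non-managing IdPs, which is what the `(s/optional-key :organization-id)` form of the schema accepts.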