  1. Gazelle User Management
  2. GUM-155

[DELEG] Update user attributes at delegation authentication.

    Details

    • Type: Story
    • Status: Resolved
    • Priority: Last
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 3.0.0
    • Component/s: None
    • Labels:
      None

      Description

      Update user attributes at delegation authentication.

      Update firstName, lastName, email, roles... => depends on custom IDP attribute mapping.


      1. The external user logs in to the external IDP.
      2. The external user logs in to Gazelle.
      3. Gazelle finds the user's account using the externalID in delegated users.
      4. Gazelle logs in the external user.
      5. Gazelle compares the attributes of the token with those in the db (with the ext IDP attribute-mapper).
      6. If there is a difference, Gazelle updates the attributes in the Gazelle db.
      7. Always set activated to true (if the user is logged in from the external IDP, it means the account is activated and should not be deactivated in Gazelle).

      /!\ May cause an account collision with a local user on email (low probability). => The update will fail and the login will be blocked. Display a meaningful message to the user. This may require admin access to disable and neutralize the email of the local account.


      ---- Technical detail ----

      Use RequiredActionProvider to update attributes if they are different. We may not need to call the attribute mapper ourselves if the given UserModel is already transformed.
      Do not call the current EditService; use a new updateDelegate, because the business rules are different. For example, we do not need to deactivate the account in case of an email update.

      3-5d

      Note: Keycloak mappers are used to update user attributes (firstName, lastName, email) and roles, with a mapping between external roles and Gazelle roles.

      The attribute update is performed correctly when the mappers are configured. The activated status update had to be implemented.
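
The update flow in steps 3 to 7 and the email-collision rule, as an added example that is not Gazelle's or Keycloak's own code. It is a plain in-memory model: `Account`, `update_delegate`, `EmailCollision` and the sample data are hypothetical names, and case-insensitive email uniqueness is an assumption.

```python
from dataclasses import dataclass
from typing import Optional

SYNCED = ("first_name", "last_name", "email", "roles")  # attributes taken from the IdP mapping

class EmailCollision(Exception):
    """The mapped email already belongs to another account: block the login."""

@dataclass
class Account:
    external_id: Optional[str]  # None marks a local (non-delegated) account
    first_name: str
    last_name: str
    email: str
    roles: frozenset
    activated: bool = True

def update_delegate(db, external_id, mapped):
    """Steps 3-7. db maps user id -> Account; mapped holds the token attributes
    after the attribute mapper ran. Returns the names of the fields that changed."""
    match = [(uid, acc) for uid, acc in db.items()
             if acc.external_id is not None and acc.external_id == external_id]
    if len(match) != 1:
        raise LookupError("expected exactly one delegated account for this external ID")
    user_id, account = match[0]
    # Step 5: diff the token attributes against the stored ones.
    changes = {k: mapped[k] for k in SYNCED if k in mapped and getattr(account, k) != mapped[k]}
    # The collision check runs before any write, so a refused update leaves the db untouched.
    # Assumption: emails are unique across local and delegated accounts, ignoring case.
    if "email" in changes:
        wanted = changes["email"].casefold()
        if any(uid != user_id and acc.email.casefold() == wanted for uid, acc in db.items()):
            raise EmailCollision("This email is already used by another account; contact an administrator.")
    # Step 6: apply the differences. Step 7: a successful external login always activates.
    for name, value in changes.items():
        setattr(account, name, value)
    reactivated = not account.activated
    account.activated = True
    return sorted(changes) + (["activated"] if reactivated else [])

def demo_db():
    """Constructed sample data: one delegated account, one local account."""
    return {
        1: Account("ext-42", "Ann", "Lee", "ann@old.example", frozenset({"user"}), activated=False),
        2: Account(None, "Bob", "Ray", "bob@corp.example", frozenset({"admin"})),
    }
```

Because the collision check precedes every write, a blocked login cannot leave a half-updated or newly activated account behind.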

            People

            Assignee:
            dgo Daniel Graveto
            Reporter:
            ceoche Cédric Eoche-Duval

                Time Tracking

                Estimated: 1w
                Remaining: 1h
                Logged: 1w 2h 30m
