Add multi-ingress domains to SCIM IdPs#4778
Conversation
supersven
force-pushed
the
sventennie/scim-idp-with-domain
branch
from
5b2b73f to
559a318
Compare
zebot
added
the
ok-to-test
supersven
changed the title
supersven
force-pushed
the
sventennie/scim-idp-with-domain
branch
from
6a8da79 to
c2457d1
Compare
|
Hey @fisx 👋 May I ask you to review this? This PR touches sensitive areas and you surely have most knowledge/context here... |
| in later lookups, at most one IdP can be configured per multi-ingress domain. | ||
| If multi-ingress is not configured or it's not configured for the specific | ||
| domain, no `domain` field gets added to the IdP. This guards against creating | ||
| multiple IdPs and then assigning them to multi-ingress domains. Thus, users who |
There was a problem hiding this comment.
you mean "guards against a team having no multi-ingress, but several idps that are only distinguished by domain (because domain is part of the database key)?
we do allow several idps per team, though, right? except there is some complication with scim and saml, and associating the two for one ipd, not sure what the current implementation status there is.
not sure this makes sense, but i'll leave it as a note to self so i can clarify later.
There was a problem hiding this comment.
For your future self:
- We allow several IdPs per team (
v2API, not inv1) in general- But, you cannot have the same IdP twice in one team.
- For multi-ingress, we have to restrict that because we want to provide one SSO code for an email per domain. So, the mapping
(domain, team) -> IdPhas to be bijective.- Technically, this is implemented with assertions in the
/identity-providersendpoints (not at database level).
- Technically, this is implemented with assertions in the
- multi-ingress is configured on domain level. If there's a domain that is not configured, the team may have many IdPs for it. If it is configured, there can only be one.
Sorry for the late answer. However, I hope it helps 😅
supersven
force-pushed
the
sventennie/scim-idp-with-domain
branch
from
79ef8f4 to
533140c
Compare
@copilot please restart |
|
@supersven I've opened a new pull request, #4880, to work on those changes. Once the pull request is ready, I'll request review from you. |
We have to set some constraints on this field that wouldn't fit in the general case.
This should be up-to-date with what the migrations create.
Just guard against any regressions.
supersven
force-pushed
the
sventennie/scim-idp-with-domain
branch
from
c2b397d to
d97317d
Compare
|
Rebased on latest |
Ticket: https://wearezeta.atlassian.net/browse/WPB-20052
Checklist
changelog.d