
Research user and organisation metadata provisioning #4

Open
janhalen opened this issue Sep 24, 2024 · 7 comments

Comments

@janhalen
Contributor

Could user provisioning via System for Cross-domain Identity Management be the way to go?

Using Authentik as IdP via OpenID Connect to authenticate and authorize, there seems to be support for provisioning via a SCIM provider.

I also found that Zulip has "beta" support for provisioning via SCIM https://zulip.readthedocs.io/en/stable/production/scim.html.

This seems like the most standardized way of bringing over users (and maybe groups or roles?)

Thoughts?
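To make the SCIM option above concrete, here is an added example (not code from this issue, from Zulip or from Authentik) of the server side of a SCIM 2.0 provisioning flow: the IdP pushes a PatchOp message, for instance `active: false` when a user is offboarded, and the service applies it to its stored User resource. Attribute names follow the SCIM core schema (RFC 7643) and the operation semantics follow RFC 7644; the `to_account_fields` mapping onto an account system's fields is an assumption for illustration, and the sample user and patch are constructed.

```python
"""Minimal SCIM 2.0 (RFC 7644) PATCH handling for a User resource (added example)."""
import copy

SCIM_PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def _set_path(obj, path, value):
    """Set a simple or dotted attribute path such as 'name.formatted'."""
    parts = path.split(".")
    for p in parts[:-1]:
        obj = obj.setdefault(p, {})
    obj[parts[-1]] = value


def _remove_path(obj, path):
    """Remove a simple or dotted attribute path; missing paths are a no-op."""
    parts = path.split(".")
    for p in parts[:-1]:
        obj = obj.get(p)
        if not isinstance(obj, dict):
            return
    obj.pop(parts[-1], None)


def _as_bool(value):
    """Accept real booleans and the string forms some IdPs send.

    Tolerating "true"/"false" strings is a defensive choice made here,
    not something the issue or the linked blog states.
    """
    if isinstance(value, bool):
        return value
    if isinstance(value, str) and value.strip().lower() in ("true", "false"):
        return value.strip().lower() == "true"
    raise ValueError(f"not a boolean: {value!r}")


def apply_scim_patch(user, patch):
    """Return a new user dict with the PatchOp applied.

    Supports the three RFC 7644 operations (add, replace, remove) on simple
    and dotted paths, plus the path-less form where `value` is a dict of
    attributes. Unknown operations raise ValueError, which a real server
    would report as HTTP 400 with scimType "invalidSyntax".
    """
    if SCIM_PATCH_SCHEMA not in patch.get("schemas", []):
        raise ValueError("not a SCIM PatchOp message")
    result = copy.deepcopy(user)  # never mutate the caller's record
    for op in patch["Operations"]:
        name = op["op"].lower()  # RFC 7644: the op value is case-insensitive
        path = op.get("path")
        if name in ("add", "replace"):
            if path is None:
                for attr, value in op["value"].items():
                    _set_path(result, attr, value)
            else:
                _set_path(result, path, op["value"])
        elif name == "remove":
            if path is None:
                raise ValueError("remove requires a path")
            _remove_path(result, path)
        else:
            raise ValueError(f"unsupported op {op['op']!r}")
    return result


def to_account_fields(scim_user):
    """Project a SCIM User onto account fields (assumed mapping, not Zulip's)."""
    return {
        "email": scim_user["userName"],
        "full_name": scim_user.get("name", {}).get("formatted", ""),
        "is_active": _as_bool(scim_user.get("active", True)),
    }


# Constructed sample data: a stored user and an offboarding PatchOp from the IdP.
STORED_USER = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "id": "user-0001",  # constructed placeholder id
    "userName": "alice@example.org",
    "name": {"formatted": "Alice Example", "givenName": "Alice", "familyName": "Example"},
    "active": True,
}

OFFBOARDING_PATCH = {
    "schemas": [SCIM_PATCH_SCHEMA],
    "Operations": [
        {"op": "Replace", "path": "active", "value": False},
        {"op": "remove", "path": "name.givenName"},
    ],
}

if __name__ == "__main__":
    updated = apply_scim_patch(STORED_USER, OFFBOARDING_PATCH)
    print(to_account_fields(updated))
```

The point of the deep copy and the explicit `ValueError` cases is that a provisioning endpoint is a write path into the identity store: a malformed or unsupported operation should be rejected whole rather than half-applied.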

@janhalen
Contributor Author

A bit of further perspectives from the Authentik team: https://goauthentik.io/blog/2023-10-05-scims-many-deviations/

@mikkeschiren

I talked with @colin-campbell about this, and he is not so keen on using SCIM; it has its own issues.

@janhalen
Contributor Author

janhalen commented Oct 2, 2024

Relates to an older issue from the identity-service issue-tracker #6

@janhalen
Contributor Author

janhalen commented Oct 2, 2024

> I talked with @colin-campbell about this, and he is not so keen on using SCIM; it has its own issues.

I have also read criticism of SCIM, but mostly about how the implementation is done; I don't have further data.

It also seems like the maintainer of the upstream Authentik project (and CTO of the Public Benefit Company, sponsoring the project) agrees with these sentiments, as expressed in this blog: https://goauthentik.io/blog/2023-10-05-SCIMs-many-deviations.

With focus on open standards, reusability and robust maintenance strategies, I am interested in discussing what our options are for provisioning entities like Zulip channels and user mappings to those channels in a sustainable way.

@janhalen
Contributor Author

janhalen commented Oct 2, 2024

A non-standard provisioning method possibility?

An application-specific method of managing Zulip seems to center around management commands.

I found this entry point on chat.zulip.org by Tim Abbott describing how this technical concept could be explored as a provisioning solution.

Interesting methods for the provisioning could be:

Important nomenclature remark: It seems that references to the concept of "streams" in the code are equivalent to "channels" in the UI and docs.

We do need to be aware of the maintainability tasks this could bring.

The primary user stories are centered around pretty "realtime-ish" updating of organizational de/reattachments and offboarding scenarios. E.g. see some (not-yet evaluated) user-stories here:

OS2sandbox/sandbox-myndighedsidentitet-issues#76
OS2sandbox/sandbox-myndighedsidentitet-issues#70

@janhalen
Contributor Author

janhalen commented Oct 2, 2024

A modern REST API standard method

There's also an API possibility; especially https://zulip.com/api/subscribe seems to be a fitting endpoint to use.
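An added example (not code from this issue or from Zulip) of what a provisioning job built on the subscribe endpoint above would actually have to compute, covering the offboarding and re-attachment user stories from the earlier comment as well: take group membership from the IdP as the source of truth, diff it against the channel subscriptions Zulip currently has, and turn the difference into batched API calls. The endpoint paths and the `subscriptions` and `principals` parameters are those documented in Zulip's public API for subscribing and unsubscribing users (POST and DELETE on `/api/v1/users/me/subscriptions`); the group-to-channel mapping, the sample groups, users and current subscriptions are all constructed, and no request is sent.

```python
"""Reconcile IdP group membership against Zulip channel subscriptions (added example)."""
import json
from collections import defaultdict

SUBSCRIPTIONS_PATH = "/api/v1/users/me/subscriptions"  # documented Zulip REST endpoint


def desired_subscriptions(group_members, group_to_channel):
    """Map IdP groups onto channels: returns {channel: set(emails)}."""
    desired = defaultdict(set)
    for group, members in group_members.items():
        channel = group_to_channel.get(group)
        if channel is None:
            continue  # group is not provisioned to chat; ignore it
        desired[channel].update(members)
    return desired


def plan_changes(desired, current, active_users):
    """Return (to_add, to_remove) as {channel: sorted list of emails}.

    Users not in `active_users` are never added and are removed from every
    channel, which is the offboarding case; a user who changed group simply
    shows up as a removal from one channel and an addition to another.
    """
    to_add, to_remove = {}, {}
    for channel in set(desired) | set(current):
        want = {u for u in desired.get(channel, set()) if u in active_users}
        have = current.get(channel, set())
        add = sorted(want - have)
        remove = sorted(have - want)
        if add:
            to_add[channel] = add
        if remove:
            to_remove[channel] = remove
    return to_add, to_remove


def _batch_by_principals(changes):
    """Group channels that need the identical set of users so one call covers them."""
    batches = defaultdict(list)
    for channel, users in changes.items():
        batches[tuple(users)].append(channel)
    return sorted(batches.items())


def build_requests(to_add, to_remove):
    """Translate the plan into (method, path, form_fields) tuples, ready for an HTTP client."""
    requests = []
    for users, channels in _batch_by_principals(to_add):
        requests.append(("POST", SUBSCRIPTIONS_PATH, {
            "subscriptions": json.dumps([{"name": c} for c in sorted(channels)]),
            "principals": json.dumps(list(users)),
        }))
    for users, channels in _batch_by_principals(to_remove):
        requests.append(("DELETE", SUBSCRIPTIONS_PATH, {
            "subscriptions": json.dumps(sorted(channels)),
            "principals": json.dumps(list(users)),
        }))
    return requests


# Constructed sample data: IdP groups, an assumed group-to-channel mapping,
# Zulip's current subscriptions, and the set of still-active accounts.
GROUP_MEMBERS = {
    "finance": {"alice@example.org", "bob@example.org"},
    "it": {"carol@example.org", "bob@example.org"},
    "hr": {"dave@example.org"},
}
GROUP_TO_CHANNEL = {"finance": "finance", "it": "it-ops"}  # "hr" deliberately unmapped
CURRENT_SUBSCRIPTIONS = {
    "finance": {"alice@example.org", "erin@example.org"},
    "it-ops": {"carol@example.org"},
}
ACTIVE_USERS = {"alice@example.org", "bob@example.org", "carol@example.org", "dave@example.org"}  # erin offboarded


def reconcile():
    """Run the full dry-run: desired state -> plan -> request list."""
    desired = desired_subscriptions(GROUP_MEMBERS, GROUP_TO_CHANNEL)
    to_add, to_remove = plan_changes(desired, CURRENT_SUBSCRIPTIONS, ACTIVE_USERS)
    return to_add, to_remove, build_requests(to_add, to_remove)


if __name__ == "__main__":
    for req in reconcile()[2]:
        print(req)
```

Running the reconciliation on every IdP change event (or on a short timer) gives the "realtime-ish" behaviour the user stories ask for, and because the plan is computed from desired versus actual state rather than from a stream of events, a missed event is repaired on the next run. Deactivating the offboarded account itself is a separate call in Zulip's API and is not part of this example.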

@mikkeschiren

On the CLI level (manage.py), I tested creating the organisation on first startup; in the same way, provisioning could be done for channels (streams) and for adding users to those streams.
