Backward compatibility for IAM "CIS" user profile & current auth0 user profile

(kang) #1


As discussed in our IAM Tech alignment meeting today, which this email is
the follow-up of:

  • The current user profile from auth0 includes a “groups” attribute that
    contains LDAP groups, such as “groups”: [“posixSysadmins”, “mana”, …]
  • Some RPs use this groups attribute, but we can’t figure out which ones
    from our side (except for the ones we already know of), thus removing this
    attribute without warning would break RPs
  • We currently have 91 RPs

Proposal (to discuss):

  • keep the “groups” attribute for all RPs when we turn on CIS, but do not
    send it to new RPs after this
  • keep the “groups” as is (i.e. filled with LDAP groups as they look like
    today) to ensure compatibility
  • inform RPs that if they use that attribute they should switch to the new
    groups model which is much nicer and more powerful

Discuss!


(Jbryner) #2

91 RPs in auth0 or 91 total between okta/auth0?

(kang) #3

Both - about 60 in auth0 prod