Hi,
As discussed in our IAM Tech alignment meeting today, which this email is
the follow-up of:
- The current user profile from auth0 includes a “groups” attribute that
contains LDAP groups, such as “groups”: [“posixSysadmins”, “mana”, …]
- Some RPs use this groups attribute, but we can’t figure out which ones
from our side (except for the ones we already know of), thus removing this
attribute without warning would break RPs
- We currently have 91 RPs
Proposal (to discuss):
- keep the “groups” attribute for all RPs when we turn on CIS, but do not
send it to new RPs after this
- keep the “groups” as is (i.e. filled with LDAP groups as they look like
today) to ensure compatibility
- inform RPs that if they use that attribute they should switch to the new
groups model which is much nicer and more powerful
Discuss!
Guillaume