[SCIM 2/4]: Add SCIM user, group, and IDP #9162
Conversation
Build on oxidecomputer#8981 and add the SCIM user provision type to users and groups. Users must have a user name, and optionally have an external id field and/or an active field. Groups must have a display name and optionally have an external id field. Also add a new SiloIdentityMode named SamlScim. A few functions have to change to account for these new variants, but not many. Silos using the SamlScim identity mode will use all the same SAML code that exists today.
| user_name TEXT, | ||
|
|
||
| active BOOL, |
There was a problem hiding this comment.
since these are SCIM-specific columns, perhaps the name ought to be scim_user_name and scim_active to make that super-duper extra clear? it's a bit uglier but it might make the code a bit easier to follow when you're reading through it in a context outside of reviewing this PR...
There was a problem hiding this comment.
I'm hesitant to - in world where we support additional user types, there may be additional overlap in these fields, and they'll no longer be SCIM specific.
There was a problem hiding this comment.
hmm, i guess i wonder if it's correct for such fields with overlapping meanings to be represented by the same columns, but i suppose we're already doing that with external_id a bit. 🤷♀️
| "/login/{}/saml/some-totally-real-saml-provider", | ||
| SILO_NAME |
There was a problem hiding this comment.
tiny style nit: could be
| "/login/{}/saml/some-totally-real-saml-provider", | |
| SILO_NAME | |
| "/login/{SILO_NAME}/saml/some-totally-real-saml-provider", |
although maybe that exceeds 80 characters, in which case 🤷♀️
There was a problem hiding this comment.
nope, still under 80! 86f0064
|
|
||
| let _silo_saml_idp: views::SamlIdentityProvider = object_create( | ||
| client, | ||
| &format!("/v1/system/identity-providers/saml?silo={}", SILO_NAME), |
There was a problem hiding this comment.
style nit: could be
| &format!("/v1/system/identity-providers/saml?silo={}", SILO_NAME), | |
| &format!("/v1/system/identity-providers/saml?silo={SILO_NAME}"), |
|
|
||
| let silo_saml_idp: views::SamlIdentityProvider = object_create( | ||
| client, | ||
| &format!("/v1/system/identity-providers/saml?silo={}", SILO_NAME), |
There was a problem hiding this comment.
tiny style nit: could be
| &format!("/v1/system/identity-providers/saml?silo={}", SILO_NAME), | |
| &format!("/v1/system/identity-providers/saml?silo={SILO_NAME}"), |
| .await; | ||
| let silo: Silo = NexusRequest::object_get( | ||
| &client, | ||
| &format!("/v1/system/silos/{}", SILO_NAME), |
There was a problem hiding this comment.
tiny style nit: could be
| &format!("/v1/system/silos/{}", SILO_NAME), | |
| &format!("/v1/system/silos/{SILO_NAME}"), |
Build on #8981 and add the SCIM user provision type to users and groups. Users must have a user name, and optionally have an external id field and/or an active field. Groups must have a display name and optionally have an external id field.
Also add a new SiloIdentityMode named SamlScim.
A few functions have to change to account for these new variants, but not many. Silos using the SamlScim identity mode will use all the same SAML code that exists today.