Updated by Pavel Balashou about 1 year ago
**As** an administrator
**I want to** have a UI to manage SCIM clients,
**so that** certain aspects of SCIM integration can be configured.
**Acceptance criteria**
* There is a UI to configure SCIM clients at `/admin/settings/authentication`
* _Note parimal: border box approach + blankslate_
* Each SCIM client automatically creates an associated service account
* `scim_v2` scope is validated during SCIM Client authentication
* It should be communicated to admins that JWTs must contain the scope, for instance
* Per SCIM client we can configure:
* Name
* Authentication provider
* Select box with options (values come from the db), _e.g. Keycloak, Nextcloud Hub_
* Authentication method. **It can be set during creation process only.**
* External:
* SSO: 1 input ("Subject claim")
* Caption: _For example, for Keycloak, this is the UUID of the service account associated with the SCIM client. Check the documentation for how to find the subject claim for your use case._
* ??? `scim_v2` scope is validated during SCIM Client authentication
* It should be communicated to admins that JWTs must contain the scope, for instance
* Internal, two options:
* OAuth2:
* outputs client ID and secret in a popup once after creation. _(regular style comparable to storages)_
* Static access token
* outputs token in a popup once after creation
* all tokens are listed in a table on edit page
* token info: expires in 1 year, can be revoked / renewed
* it means that token is not usable anymore and marked as revoked in the token table
* tokens can be added
* For generated access tokens table has:
* Token generation date
* Who generated token
* ??? Who revoked token?
* Expiry date
* Actions: revoke
* Configured SCIM clients are visible in a borderBox list, with actions:
* Delete
* Danger dialog, _Caption: Are you sure you want to delete this SCIM client? Users managed by this SCIM client will no longer be updated by it._
* Edit
* Edit page is like create page
* Columns:
* Name
* Number of users provisioned by that client
* SCIM client creator
* creation date
* For generated access tokens, there's a list of available ones with two info:
* Token generation date
* Expiry date
* Actions: delete
* Note: the content of the token (so the actual token value itself) cannot be shown, it's a one-time thing
* The admin can generate additional tokens (create action)
**Permissions and visibility considerations**
* Administrators
**Translation considerations**
* _TODO: check existing keys_
**Out of scope**
* Choosing TTL of generated tokens
* Reminder emails to admins about expiring and/or expired tokens
* Identity of who generated or deleted tokens (for auditing)
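
The static access token lifecycle from the acceptance criteria above (value shown once, fixed 1-year expiry, revocation keeps the row marked as revoked), as an added sketch that is not OpenProject's code. The class name, field names and the choice to persist only a SHA-256 digest of the token are assumptions.

```ruby
require "securerandom"
require "digest"

# Hypothetical in-memory model of the static access token table (assumption, not OpenProject code).
class ScimTokenTable
  TTL = 365 * 24 * 60 * 60 # fixed 1 year in seconds; choosing a TTL is out of scope
  Row = Struct.new(:digest, :generated_at, :generated_by, :expires_at, :revoked_at)

  attr_reader :rows

  def initialize
    @rows = []
  end

  # Returns the plaintext exactly once; only its SHA-256 digest is stored (assumption),
  # which is why the value cannot be shown again on the edit page.
  def generate(admin, now: Time.now)
    plaintext = SecureRandom.urlsafe_base64(32)
    @rows << Row.new(digest(plaintext), now, admin, now + TTL, nil)
    plaintext
  end

  # Revocation keeps the row so the table can still list it, marked as revoked.
  # Returns false when the presented value matches no stored token.
  def revoke(plaintext, now: Time.now)
    row = find(plaintext)
    row.revoked_at ||= now if row
    !row.nil?
  end

  # A presented token is usable only if it is known, not revoked and not expired.
  def usable?(plaintext, now: Time.now)
    row = find(plaintext)
    !row.nil? && row.revoked_at.nil? && now < row.expires_at
  end

  private

  def digest(plaintext)
    Digest::SHA256.hexdigest(plaintext.to_s)
  end

  # Lookup is by digest, so the stored rows never contain the token itself.
  def find(plaintext)
    wanted = digest(plaintext)
    @rows.find { |row| row.digest == wanted }
  end
end
```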