Updated by Pavel Balashou about 1 year ago
**As** an administrator
**I want to** have a UI to manage SCIM clients,
**so that** certain aspects of SCIM integration can be configured.

**Acceptance criteria**

* There is a UI to configure SCIM clients at `/admin/settings/authentication`
* Each SCIM client automatically creates an associated service account
* Per SCIM client we can configure:
  * Name
  * Authentication provider
    * Select box with options (values come from the db), _e.g. Keycloak, Nextcloud Hub_
  * Authentication method. **It can be set during the creation process only.**
    * External:
      * SSO: 1 input ("Subject claim")
        * Caption: _For example, for Keycloak, this is the UUID of the service account associated with the SCIM client. Check the documentation on how to find the subject claim for your use case._
      * `scim_v2` scope is validated during SCIM client authentication
        * It should be communicated to admins that JWTs must contain the scope
          * Caption: _Make sure that the JWT used for SCIM client authentication contains the_ `scim_v2` _scope._
    * Internal, two options:
      * OAuth2:
        * outputs client ID and secret in a popup once after creation.
      * Static access token (default option)
        * outputs the token in a popup once after creation
        * all tokens are listed in a table on the edit page
        * a token can be revoked
          * this means the token is not usable anymore and is marked as revoked in the token table
        * tokens can be added
        * For generated access tokens the table has:
          * Token generation date
          * Expiry date
          * Actions: revoke
* Configured SCIM clients are visible in a borderBox list
  * with actions:
    * Delete
      * [Danger warning](https://qa.openproject-edge.com/lookbook/inspect/primer/open_project/danger_dialog/default) (without double confirmation) with:
        * Title: Are you sure you want to delete this SCIM client?
        * Caption: Users managed by this SCIM client can no longer be updated by it.
        * Actions:
          * "Cancel" (secondary)
          * "Delete" (danger)
    * Edit
  * with columns:
    * Name
    * Number of users provisioned by that client
    * SCIM client creator
    * creation date
* When revoking a token,
  * [Danger warning](https://qa.openproject-edge.com/lookbook/inspect/primer/open_project/danger_dialog/default) (without double confirmation) with:
    * Title: Are you sure you want to revoke this token?
    * Caption (draft, @Pavel Balashou to come up with the copy): "SCIM client that uses "Users managed by this token SCIM client..." will no longer be able to access the OpenProject SCIM server API."
    * Actions:
      * "Cancel" (secondary)
      * "Revoke" (danger)
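The authentication checks the criteria above imply, as an added example that is not OpenProject's own code: an SSO client is matched on the configured subject claim and must present the `scim_v2` scope, a static-token client is matched on a non-revoked, non-expired token, and the method is fixed per client. The record shapes, the `:sso`/`:static` method names and the sample values are assumptions; JWT signature verification is assumed to happen before these checks.

```ruby
REQUIRED_SCOPE = 'scim_v2'

# Hypothetical record shapes (assumptions, not OpenProject's models).
ScimClient  = Struct.new(:name, :auth_method, :subject_claim, :tokens, keyword_init: true)
StaticToken = Struct.new(:value, :created_at, :expires_at, :revoked, keyword_init: true)

# Constant-time comparison so a token lookup does not leak matching bytes via timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# External (SSO) client: `claims` is the payload of a JWT whose signature has
# already been verified against the identity provider's keys (assumed upstream).
def authenticate_sso(client, claims, now: Time.now)
  return [false, 'subject claim mismatch'] unless claims['sub'] == client.subject_claim
  return [false, 'JWT expired'] if claims['exp'] && claims['exp'] <= now.to_i
  # OAuth2 "scope" is a space-separated string; scim_v2 must be present.
  scopes = claims.fetch('scope', '').split
  return [false, "missing #{REQUIRED_SCOPE} scope"] unless scopes.include?(REQUIRED_SCOPE)
  [true, 'ok']
end

# Internal (static access token) client: the token must belong to this client,
# must not be revoked, and must not be past its expiry date.
def authenticate_static(client, presented, now: Time.now)
  token = client.tokens.find { |t| secure_compare(t.value, presented) }
  return [false, 'unknown token'] unless token
  return [false, 'token revoked'] if token.revoked
  return [false, 'token expired'] if token.expires_at <= now
  [true, 'ok']
end

# Revoking keeps the token listed in the table, marked revoked; it never works again.
def revoke!(token)
  token.revoked = true
  token
end

# Dispatch on the authentication method that was fixed at client creation.
def authenticate(client, credential, now: Time.now)
  case client.auth_method
  when :sso    then authenticate_sso(client, credential, now: now)
  when :static then authenticate_static(client, credential, now: now)
  else [false, "unsupported method #{client.auth_method}"]
  end
end

# Constructed sample data: one SSO client and one static-token client.
NOW = Time.utc(2024, 6, 1)
SSO_CLIENT = ScimClient.new(name: 'Keycloak', auth_method: :sso,
                            subject_claim: 'constructed-service-account-uuid', tokens: [])
STATIC_TOKEN = StaticToken.new(value: 'constructed-sample-token', created_at: NOW,
                               expires_at: NOW + 86_400, revoked: false)
STATIC_CLIENT = ScimClient.new(name: 'Nextcloud Hub', auth_method: :static,
                               subject_claim: nil, tokens: [STATIC_TOKEN])
```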
**Permissions and visibility considerations**

* Administrators

**Translation considerations**

* _TODO: check existing keys_

**Out of scope**

* Choosing the TTL of generated tokens
* Reminder emails to admins about expiring and/or expired tokens
* Information in the static tokens table about who created and revoked tokens