Updated by Jan Sandbrink 11 months ago
**As** an administrator
**I want to** have a UI to manage SCIM clients,
**so that** certain aspects of SCIM integration can be configured.
**Acceptance criteria**
* There is a UI to configure SCIM clients at `/admin/settings/authentication`
* Each SCIM client automatically creates an associated service account
* Per SCIM client we can configure:
  * Name
  * Authentication provider
    * Select box with options (values come from the db), _e.g. Keycloak, Nextcloud Hub_
  * Authentication method. **It can be set during creation process only.**
    * External:
      * JWT from identity provider: 1 input ("Subject claim")
        * Caption: _For example, for Keycloak, this is the UUID of the service account associated with the SCIM client. Check the documentation on how to find the subject claim for your use case._
        * `scim_v2` scope is validated during SCIM Client authentication
          * It should be communicated to admins that JWTs must contain the scope
          * Caption: _Make sure that JWT used for SCIM client authentication contains_ `scim_v2` _scope._
    * Internal, two options:
      * OAuth 2.0 Client credentials:
        * outputs client ID and secret in a popup once after creation.
      * Static access token (Default option)
        * outputs token in a popup once after creation
        * all tokens are listed in a table on edit page
        * token can be revoked
          * it means that token is not usable anymore and marked as revoked in the token table
        * tokens can be added
        * For generated access tokens table has:
          * Token generation date
          * Expiry date
          * Actions: revoke
* Configured SCIM clients are visible in a borderBox list
  * with columns:
    * Name
    * Number of users provisioned by that client
    * SCIM client creator
    * creation date
* When editing a SCIM client
  * It shows an action: Delete
    * [Danger warning](https://qa.openproject-edge.com/lookbook/inspect/primer/open_project/danger_dialog/default) (without double confirmation) with:
      * Title: Are you sure you want to delete this SCIM client?
      * Caption: Users managed by this SCIM client can no longer be updated by it.
      * Actions:
        * "Cancel" (secondary)
        * "Delete" (danger)
* When revoking a token,
  * [Danger warning](https://qa.openproject-edge.com/lookbook/inspect/primer/open_project/danger_dialog/default) (without double confirmation) with:
    * Title: Are you sure you want to revoke this token?
    * Caption: "SCIM client that uses this token will no longer be able to access OpenProject SCIM server API."
    * Actions:
      * "Cancel" (secondary)
      * "Revoke" (danger)
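
The claim checks implied by the external JWT criteria (configured subject claim, `scim_v2` scope), as an added example that is not OpenProject's code. It assumes signature, issuer and audience were already verified by a JWT library; all method names and sample values are hypothetical.

```ruby
# Added example (not OpenProject code): claim checks for a SCIM client that
# authenticates with a JWT from an identity provider. `claims` is assumed to
# be the decoded payload of a token whose signature was already verified.
REQUIRED_SCOPE = "scim_v2"

# RFC 8693 defines "scope" as a space-delimited string. Accepting an array
# as well is an assumption about other identity providers.
def granted_scopes(claims)
  raw = claims["scope"]
  case raw
  when String then raw.split(" ")
  when Array  then raw.map(&:to_s)
  else []
  end
end

# Returns [allowed, reason]. Scopes are compared as whole tokens, so a
# scope such as "scim_v2_read" does not satisfy the "scim_v2" requirement.
def authorize_scim_jwt(claims, configured_subject:, now: Time.now)
  return [false, :missing_subject] if configured_subject.to_s.empty?
  return [false, :subject_mismatch] unless claims["sub"] == configured_subject
  exp = claims["exp"]
  return [false, :expired] unless exp.is_a?(Numeric) && now.to_i < exp
  return [false, :missing_scope] unless granted_scopes(claims).include?(REQUIRED_SCOPE)
  [true, :ok]
end

# Constructed sample values, not taken from any real deployment.
SAMPLE_NOW     = Time.at(1_700_000_000)
SAMPLE_SUBJECT = "00000000-0000-4000-8000-000000000001"
SAMPLE_CLAIMS  = {
  "sub"   => SAMPLE_SUBJECT,
  "exp"   => SAMPLE_NOW.to_i + 300,
  "scope" => "openid scim_v2"
}.freeze
```
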
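
The static access token lifecycle from the criteria above (shown once after creation, listed with dates, revocable), sketched as an added example that is not OpenProject's code. The class, its in-memory storage, the SHA-256 digest storage and the `ttl_seconds` parameter are assumptions made for illustration.

```ruby
require "securerandom"
require "digest"

# Added example (not OpenProject code): hypothetical in-memory stand-in for
# the token table of one SCIM client.
class StaticTokenTable
  Row = Struct.new(:id, :digest, :created_at, :expires_at, :revoked_at)

  def initialize
    @rows = []
  end

  # Returns [row_id, plaintext]. The plaintext exists only in this return
  # value (the "popup once"); the table keeps a SHA-256 digest of it.
  def generate(ttl_seconds:, now: Time.now)
    plaintext = SecureRandom.urlsafe_base64(32)
    row = Row.new(@rows.size + 1, Digest::SHA256.hexdigest(plaintext),
                  now, now + ttl_seconds, nil)
    @rows << row
    [row.id, plaintext]
  end

  # Marks the row as revoked; the row stays in the listing.
  def revoke(id, now: Time.now)
    row = @rows.find { |r| r.id == id }
    return false if row.nil? || row.revoked_at
    row.revoked_at = now
    true
  end

  # :valid, :revoked, :expired or :unknown for a presented bearer token.
  def check(presented, now: Time.now)
    digest = Digest::SHA256.hexdigest(presented.to_s)
    row = @rows.find { |r| r.digest == digest }
    return :unknown unless row
    return :revoked if row.revoked_at
    return :expired if now >= row.expires_at
    :valid
  end

  # Rows as an edit page could list them: dates and state, never the secret.
  def listing
    @rows.map do |r|
      { id: r.id, generated: r.created_at, expires: r.expires_at,
        revoked: !r.revoked_at.nil? }
    end
  end
end
```
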
**Permissions and visibility considerations**
* Administrators
**Translation considerations**
* _TODO: check existing keys_
**Out of scope**
* Choosing TTL of generated tokens
* Reminder emails to admins about expiring and/or expired tokens
* In static tokens table information about who created and revoked tokens
**QA Notes**
At the time of merging this feature there is no documentation on SCIM clients yet (and we can only create the documentation once we are certain that we will release SCIM clients as a whole in the upcoming version).
Long story short: The links to the documentation exist, but they do not lead to documentation pages at all. This is known and will be fixed as soon as the documentation is created.