Updated by Oliver Günther over 1 year ago
**As** an OpenProject admin
**I want** users' groups to be synchronized on login
**so that** I can control their group memberships in my identity provider, especially when self-registration is desirable.
<br>
**Acceptance criteria**
* allow requesting group claims (cf. [OpenID Connect claims in OpenProject](https://www.openproject.org/docs/installation-and-operations/misc/custom-openid-connect-providers/#claims), [configuring group claims in okta](https://developer.okta.com/docs/guides/customize-tokens-groups-claim/main/#request-a-token-that-contains-the-custom-claim))
* evaluate group claims on login
* synchronize groups between OpenProject and IdP (identity provider) in some way (e.g. simple name-based matching)
* assign user to groups passed in groups claim
* note: in the case of MS Entra ID (formerly Azure AD) the number of groups in the group claim [is apparently limited to 150](https://docs.gitlab.com/ee/user/group/saml_sso/group_sync.html#microsoft-azure-active-directory-integration); a token for a user in more groups than that does not carry the full list, so the sync must not treat such a token as "no groups"
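The following is an added illustration of the name-based matching and the two failure modes above (claim absent, claim truncated by the provider's group limit); it is not OpenProject's code. The claim name `groups`, the overage marker names (`hasgroups`, `_claim_names`, `_claim_sources`, taken from how Entra ID signals too many groups) and the notion of an "IdP-managed" group allow-list are assumptions made for the example.

```ruby
# Added example, not OpenProject's implementation: compute which group
# memberships to add/remove on login from an OIDC groups claim.
require 'set'

# Markers a provider may emit instead of a full "groups" array when the user
# is in more groups than fit in the token (assumed names, modelled on Entra ID).
OVERAGE_MARKERS = %w[hasgroups _claim_names _claim_sources].freeze

GroupSyncResult = Struct.new(:add, :remove, :unmatched, :skipped_reason, keyword_init: true)

# claims             - decoded ID token / userinfo hash with string keys
# current_groups     - names of groups the user is currently a member of
# idp_managed_groups - names of local groups the IdP is allowed to manage
# claim_name         - claim carrying the group list (configurable per provider)
def plan_group_sync(claims, current_groups:, idp_managed_groups:, claim_name: 'groups')
  managed = idp_managed_groups.to_set
  current = current_groups.to_set

  # Failure mode 1: the provider signalled an overage. The list is incomplete,
  # so removing memberships based on it would strip legitimate access.
  if OVERAGE_MARKERS.any? { |m| claims.key?(m) }
    return GroupSyncResult.new(add: [], remove: [], unmatched: [], skipped_reason: :group_overage)
  end

  raw = claims[claim_name]
  # Failure mode 2: claim absent or malformed. Treat as "unknown", not as "no groups".
  unless raw.is_a?(Array)
    return GroupSyncResult.new(add: [], remove: [], unmatched: [], skipped_reason: :claim_missing)
  end

  # Normalise to trimmed, non-empty strings; simple exact name matching.
  claimed = raw.map { |g| g.to_s.strip }.reject(&:empty?).to_set

  # Only IdP-managed groups are touched; membership in locally administered
  # groups is never altered by a login.
  desired   = claimed & managed
  unmatched = (claimed - managed).to_a.sort # claimed names with no local group

  GroupSyncResult.new(
    add:            (desired - current).to_a.sort,
    remove:         ((current & managed) - desired).to_a.sort,
    unmatched:      unmatched,
    skipped_reason: nil
  )
end

# Constructed sample claims (not from a real IdP):
if __FILE__ == $PROGRAM_NAME
  token = { 'sub' => 'u1', 'groups' => ['devs', 'ops', 'unknown-group'] }
  p plan_group_sync(token, current_groups: %w[ops admins local-team],
                           idp_managed_groups: %w[devs ops admins])
end
```

The `remove` list is restricted to groups the IdP manages, and both failure modes return an empty plan with a reason the caller can log, so a missing or truncated claim degrades to "leave memberships unchanged" rather than to removing every group.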