Updated by Parimal Satyal about 1 year ago
**As** an administrator
**I want to** have a UI to manage SCIM clients,
**so that** certain aspects of SCIM integration can be configured.
**Acceptance criteria**
* There is a UI to configure SCIM clients at `/admin/settings/authentication`
  * _Note parimal: border box approach + blankslate_
* Each SCIM client automatically creates an associated service account
* `scim_v2` scope is validated during SCIM Client authentication
  * It should be communicated to admins that JWTs must contain the scope, for instance
* Per SCIM client we can configure:
  * Name
  * Authentication Associated OIDC provider
    * Select box with options (values come from the db), _e.g. Keycloak, Nextcloud Hub_
  * Authentication method
    * External: SSO, requires ID of client in JWTs
      * SSO: 1 input ("Subject claim")
        * Caption: _For example, for Keycloak, this is the UUID of the service account associated with the SCIM client. Check the documentation on how to find the subject claim for your use case._
    * Internal, two options
      * OAuth2:
        * outputs client ID and secret _(regular style comparable to storages)_
      * Static access token
        * outputs token ID
        * info: expires in 1 year, can be renewed
* Configured SCIM clients are visible in a borderBox list, with actions:
  * Delete (Danger dialog, _come up with text_)
  * Edit
    * Edit page is like create page
    * For generated access tokens, there's a list of available ones with two pieces of information:
      * Token generation date
      * Expiry date
      * Actions: delete
      * Note: the content of the token (so the actual token value itself) cannot be shown, it's a one-time thing
    * The admin can generate additional tokens (create action)
**Permissions and visibility considerations**
* Administrators
**Translation considerations**
* _TODO: check existing keys_
**Out of scope**
* Choosing TTL of generated tokens
* Reminder emails to admins about expiring and/or expired tokens
* Identity of who generated or deleted tokens (for auditing) _TODO_