8000 Ensure all groups/user creates in IAM Identity Store are via SCIM api and populate externalId field · Issue #166 · awslabs/ssosync · GitHub
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content

Ensure all groups/user creates in IAM Identity Store are via SCIM api and populate externalId field #166

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
ChrisPates opened this issue Jan 16, 2024 · 2 comments
Open

Ensure all groups/user creates in IAM Identity Store are via SCIM api and populate externalId field #166

ChrisPates opened this issue Jan 16, 2024 · 2 comments
Assignees
@ChrisPates
Labels
enhancement New feature or request
Milestone
v2.3

Comments

@ChrisPates
Copy link
Contributor
ChrisPates commented Jan 16, 2024
edited
Loading

Is your feature request related to a problem? Please describe.
To enable, other improvements the creation/update/delete of users and groups needs to be consistently carried out via the SCIM api endpoints and not mixed with the Identity Store API. This will allow sync entities to be differentiated from manually created users. The only partial exception would be where a manually created entity matches an entity to be synced, in which case it would be updated via the SCIM apis and switch from being a manually created entity to a synced one.

Dependancies
#141
#142

### Tasks
- [ ] Read Users.Id & Groups.Id strings from google.golang.org/api/admin/directory/v1
- [ ] createUsers & createGroups, populate externalId field with .Id string via SCIM
- [ ] Prefer match. based on id and externalId, then fallback to email/name match
- [ ] detect users/groups that match (email/name) in the Identity Store and update with the externalId
- [ ] deletion handling - If Users/Groups with an externalId but it no longer matches an Id in google, but the email/name matches then update with new id, if no match then make for deletion.
@ChrisPates ChrisPates added this to the v2.2 milestone Jan 16, 2024
@ChrisPates ChrisPates self-assigned this Jan 16, 2024
@ChrisPates ChrisPates modified the milestones: v2.2, v2.3 Mar 21, 2024
@ChrisPates ChrisPates changed the title Ensure all groups/user creates in IAM Identity Store are via SCIM api Ensure all groups/user creates in IAM Identity Store are via SCIM api and populate externalId field Mar 21, 2024
@ChrisPates ChrisPates mentioned this issue Mar 21, 2024
Open
@ChrisPates ChrisPates added the enhancement New feature or request label Mar 21, 2024
@ChrisPates ChrisPates mentioned this issue Mar 21, 2024
Closed
@philomory
Copy link

Would having this implemented also avoid situations where the change of a group's "Display Name" in Google Workspace causes ssosync to delete its existing representation of that group and create a new group with the new name? I'm hoping the availability of externalId would prevent that?

@ChrisPates
Copy link
Contributor Author

Yes, it would. Sadly the current code does not make use of the external id field and relies on the display name for groups and email address for users.

@ChrisPates ChrisPates mentioned this issue Apr 25, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@ChrisPates ChrisPates

Labels
enhancement New feature or request
Projects
None yet
Milestone
v2.3
Development

When branches are created from issues, their pull requests are automatically linked.

166-ensure-all-groupsuser-creates-in-iam-identity-store-are-via-scim-api-and-populate-externalid-field awslabs/ssosync
2 participants
@philomory @ChrisPates
0