Timshel/vaultwarden

Organization creation from groups

KornKalle opened this issue · 2 comments

I am wondering if it would be possible to implement a way to auto-create organizations from groups via OIDC.

Ultimately it would be very nice to have the ability for a complete "auto-enroll" flow in combination with #48 or even auto-confirmation. So a user who got access to the respective groups in our IDP would just need to set a Master password and would automatically get access to all the Orgs he should be part of.

Of course, there is, as always, the question about group deprovisioning, so I guess it should be checked on every login if the user still belongs to the respective groups.

Hey,

As I mentioned in the PR, I think you should have a look at the directory connector.

For the subject of creating Orgs, the issue is that the org keys are created by the front-end while the admin account is logged in. So even if it were possible to replicate this, it would add too much complexity for a feature which is not even part of the main PR.

You could probably also restrict the login with your SSO provider. With Azure, which I'm using, you can restrict the access to an app registration to members of this app, for example all members of a group which is assigned to the app registration. You would also need to enforce SSO login every time, which I can't do right now because with the Desktop Client SSO is not working in my environment, but I can still control the registration over SSO because my configuration only allows a signup via SSO.