wireapp/wire-server

Implement PUT in order to be able to update idp

orandev opened this issue · 6 comments

Hello,
We have the following situation:

We want to configure idp1 on our Team and create some SCIM users (production platform).
In a few months, we want to switch Team to idp2 (different URL), but we cannot afford to delete all the existing users and make them lose all their chats and content.

I see in Spar API.hs that you wrote "if you want to update (one of) your team's idp(s), either use put (not implemented)".

Could you please implement this PUT method, so that we can replace the metadata / issuer URL of idp1 in the spar tables without modifying the idp ID and without orphaning the users / deleting the users / deleting existing SCIM tokens?

Edit: I've just found that you are already looking into this feature (PR1026)

fisx commented

Yes, this is work in progress. Good to know that you are waiting for this!

We were planning to not allow changing the issuer idp, though. We haven't given this much thought yet; the motivation was that it is more expensive to change all user records in all the places where data about their IdP identity (including the issuer) is stored.

But I can see now that this is a legitimate use case. Do you know of any work-around for you that would keep the issuer identical between idp1 and idp2? (Whatever your answer, we will give this a little more thought. Thanks for the input!)

No, I don't think we will be able to keep the issuer identical; the two idps won't be based on the same technology/product.
We do not mind if the operation is expensive, it's something that we (or admins in other companies) are going to use very rarely I think. And for us, we can do this operation during off-business hours and interrupt the service while the operation is running.

fisx commented

With this release, there is a way to apply the changes on the servers using curl. Documentation on how to do this, and ultimately UI support of this feature in team settings, are still in the works.

Hello,
Our idp renews its signing certificate every year. The certificate is inside its metadata xml file.
Can we use what you have developed to update only the metadata of an existing idp (its URL does not change) every year?

fisx commented

Yes, this is exactly the use case we're supporting now. That is option 1 here: https://github.com/wireapp/wire-server/blob/869c7ac59ae62b6cee35aabe7f44ed8c031c946d/docs/reference/spar-braindump.md#option-1-update-the-existing-idp-in-place

It has no support in team-settings yet, but you can do it with curl.

fisx commented

Backend part is done; team-settings part is tracked here.