Public bug reported:

I'm using AzureAD, and keystone OIDC mapping of remote users into local groups does not work as expected. I'm using the auto-generated domain for ephemeral cloud users; a remote attribute, OIDC_DEPARTMENT, is used for mapping federated users to local groups; the groups and projects have been created in the Default domain; users should inherit the roles of their mapped group, or in other words "group-based role-based access".

My expectation when following the docs for oidc, openid or mapped is that users inherit the roles of their mapped groups.

How to reproduce:

1 - create idp
2 - create protocol
3 - create mapping
4 - create project
5 - create group
6 - assign group to project
7 - assign roles to group in project

WEB SSO is working and a certain amount of the mapping seems to be working. For example, if I grant group access to a project, the federated user will be granted access to the project in Horizon, but they won't inherit the roles of that group, i.e. they will not become group members:

In Horizon >> Identity >> Users (select a federated user) >> Groups: no groups
In Horizon >> Identity >> Groups >> Members: no members

Is this intended?

The federated user's domain id is the auto-generated federation domain, but I am mapping them into the Default domain / project / group. Here is the mapping from OIDC group to OpenStack group (the closing "]" and "}" were missing from the post and have been restored):

    {
      "rules": [
        {
          "local": [
            {
              "group": {
                "domain": { "name": "Default" },
                "name": "itdept"
              },
              "user": {
                "name": "{0}",
                "email": "{1}"
              }
            }
          ],
          "remote": [
            { "type": "HTTP_OIDC_EMAIL" },
            { "type": "HTTP_OIDC_EMAIL" },
            {
              "type": "HTTP_OIDC_DEPARTMENT",
              "any_one_of": [ "7050", "7051" ]
            }
          ]
        }
      ]
    }

There is nothing in the mapping regarding projects, as I would not like to use such a mechanism for simple access to projects, but if I assign the local group to another project then I *can* switch to that project in Horizon. But I do not have the roles of the group; I have the member role only. I'm guessing this is bestowed by default or by Horizon.

So in summary:

- Configured a working SSO
- Users not being added to groups, seems to be ephemeral
- Users do inherit the group's projects, so project enrolment works as expected
- Users do not inherit the group's roles on projects

** Affects: keystone
   Importance: Undecided
   Status: New

--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1855869

Title:
  federation role mapping does not add users to groups

Status in OpenStack Identity (keystone):
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1855869/+subscriptions

--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp