[GIP] Gateway: method for reconciliation between an external ID provider and the geOrchestra LDAP #9

Open
pierrejego opened this issue Jul 12, 2024 · 4 comments
Labels: GIP, 1 - Pending (The author is working on the GIP proposal)

Comments

pierrejego (Member) commented Jul 12, 2024

Who ?

JDev - pi-GeoSolutions - CampToCamp

Target Module

Gateway

What ?

The aim is to adapt the geOrchestra gateway to be able to use an identity provider (such as ProConnect) to connect to geOrchestra.

In concrete terms, georchestra will be compatible with OpenIDConnect (OAuth2) authentication.

Most of this work has already been done with the FranceConnect provider integration.

Why ?

To let people access connected features easily without creating a new user on several platforms.
To be able to use many OAuth2/OpenIDConnect providers.

What will change ?

Some modifications are required but should be optional (chosen in configuration files):

  • Automatic integration of new Organizations (e.g. SIRET is the organization UUID for the ProConnect provider)
  • Mapping the user's organisation if the user already exists (e.g. the unique ID is the professional mail address for the ProConnect provider)
  • Account creation if no existing user has this mail

How ?

Implementation to be done in:

Configuration modifications should be updated in the datadir and the ansible project.

Any potential pitfalls and ways to circumvent them ?

How to update/not update user information?

  • If information differs between the provider and the current user, what should be done?
  • How to make sure several Organizations won't be created with nearly the same name?
  • When creating a new user, if no account exists, should we create a password for him to connect without the provider?
  • Should this "new" user be integrated via pending user or not?
  • Which field returned by the supplier is to be used to map with the geOrchestra organization?

About the last question and the ProConnect example, should we use SIREN, SIRET or organizational_unit to map with the geOrchestra organization? (SIRET is the only mandatory field.)

Note that there is no possible mapping for geOrchestra GROUPS since no ROLE/PROFIL/GROUP is available in many providers (such as ProConnect).

About ProConnect

Note that for this work, we will only use the ProConnect (OAuth2 - OpenID) provider.
The FranceConnect provider should also work without any regression.

The list of data that will come with this provider can be found here:

Documentation on the Agent Connect integration can be found here:

When ?

Before December 2024

State of the vote:

PSC members' votes:
  • Fabrice Phung
  • François Van Der Biest
  • Pierre Mauduit
  • Landry Breuil
  • Stéphane Mével-Viannay
  • Maël Reboux
  • Pierre Jégo
  • Jean Pommier
  • Catherine Piton-Morales
@pierrejego pierrejego added GIP 1 - Pending The author is working on the GIP proposal labels Jul 12, 2024
@pierrejego pierrejego self-assigned this Jul 12, 2024
@Gaetanbrl Gaetanbrl changed the title [GIP] Add agent connect provider - DRAFT [GIP] Add agent connect provider Dec 16, 2024
@MaelREBOUX MaelREBOUX changed the title [GIP] Add agent connect provider [GIP] Add agent connect provider in the gateway Dec 16, 2024
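The reconciliation flow the proposal describes (organization keyed on SIRET, user keyed on the professional mail, optional creation of both, and the "nearly the same name" and "differing information" pitfalls), as an added example that is not code from the geOrchestra gateway. The LDAP is replaced by an in-memory stand-in, and the ProConnect claim names (`email`, `siret`, `organizational_unit`, `usual_name`) and the configuration flags are assumptions for this example.

```python
import re
from dataclasses import dataclass, field

@dataclass
class ReconcileConfig:
    create_missing_org: bool = True     # "Automatic integration of new Organization"
    create_missing_user: bool = True    # "Account creation if no existing user with this mail"
    update_existing_user: bool = False  # pitfall: provider data differs from the LDAP user
    new_users_pending: bool = True      # pitfall: integrate the new user via pending user or not

@dataclass
class Directory:  # constructed stand-in for the geOrchestra LDAP
    users: dict = field(default_factory=dict)  # keyed by lower-cased mail
    orgs: dict = field(default_factory=dict)   # keyed by SIRET

def normalize_org_name(name: str) -> str:
    """Collapse case, spacing and punctuation so near-identical names compare equal."""
    return re.sub(r"[^a-z0-9]+", " ", name.casefold()).strip()

def reconcile(claims: dict, ldap: Directory, cfg: ReconcileConfig) -> dict:
    """Map one set of OIDC claims onto LDAP entries; returns an audit record of what was done."""
    actions = []
    email = claims["email"].strip().lower()  # unique user key (ProConnect: professional mail)
    siret = claims["siret"]                   # organization key (the only mandatory org field)
    user = ldap.users.get(email)
    if user is None and not cfg.create_missing_user:
        return {"actions": ["denied_no_account"], "user": None}
    # 1. Organization: SIRET is the stable key; a normalized-name match is the fallback so that
    #    "Ville de Lyon" and "VILLE  DE  LYON" never become two organizations
    org = ldap.orgs.get(siret)
    wanted = normalize_org_name(claims.get("organizational_unit", ""))
    if org is None and wanted:
        org = next((o for o in ldap.orgs.values() if normalize_org_name(o["name"]) == wanted), None)
    if org is None and cfg.create_missing_org:
        org = ldap.orgs[siret] = {"name": claims.get("organizational_unit", siret), "siret": siret}
        actions.append("org_created")
    # 2. User: no local password is set, so the new account is usable only through the provider
    if user is None:
        user = ldap.users[email] = {"mail": email, "sn": claims.get("usual_name", ""),
                                    "password": None, "pending": cfg.new_users_pending}
        actions.append("user_created")
    elif cfg.update_existing_user and user.get("sn") != claims.get("usual_name", user.get("sn")):
        user["sn"] = claims["usual_name"]
        actions.append("user_updated")
    # 3. Membership only: no GROUP/ROLE mapping, since providers such as ProConnect expose none
    if org is not None and user.get("org") != org["siret"]:
        user["org"] = org["siret"]
        actions.append("user_org_mapped")
    return {"actions": actions, "user": user}

SAMPLE_CLAIMS = {"email": "Agent@Ville-Lyon.fr", "siret": "21690123400016",  # constructed claims
                 "organizational_unit": "Ville de Lyon", "usual_name": "Dupont"}
```

Running `reconcile(SAMPLE_CLAIMS, Directory(), ReconcileConfig())` twice shows the first login creating the organization and the pending user and the second login being a no-op; the audit list is what a gateway would log for later review.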
jeanpommier (Member) commented:

Some notes I took during the meeting on September 30th: meeting notes

Gaetanbrl commented:

Additional notes:

@MaelREBOUX asked that day if a schema exists to describe the use cases and geOrchestra's behavior (between gateway / console / ...).

@landryb shared some use cases from @bchartier's work:

https://github.com/bchartier/cicclo-ogcapi-agentconnect/wiki/Cas-d%27usage#cas-dusage-pour-proconnect

fphg (Member) commented Jan 9, 2025

hello, thanks for the GIP

since georchestra is "free, modular, interoperable, community driven", we shall ensure that georchestra is not fr only. problem, *connect is fr only, letting the reader think that this GIP breaks international compatibility.

in fact, this GIP deals with external openid id providers and reconciliation with georchestra's own directory. *Connect integration shall only be a consequence and a first achievement of this GIP.

could you refactor the GIP's goal and focus on openid and reconciliation ?

this morning the PSC changed the title to match these expectations, but of course feel free to provide a better title !

Gaetanbrl commented:

@fphg I've modified the text. Please confirm that this is what you have in mind.
