Roles can be mapped to OIDC users based on claims. While the rules allow setting arbitrary claims, the OIDC implementation only allows a fixed set. I would have used the Groups claim, but Auth0 restricts setting that claim. Digging into the code, I found that backend_impl.go limits my choices to name, email, sub, groups, account_id and, as a boolean, is_org_admin. And, while the ACS documentation notes that sub is mapped to userid, it makes no mention that account_id is mapped to orgid. I was able to meet my need by creating an account_id claim and a rule matching the value stored in orgid to a role, but that was not at all obvious.
The best case may be fully supporting custom claims within the OIDC provider. If not, then restricting rules to the allowed claims would be helpful, and if not that, then please document the limitations.
The way the ACS OIDC provider works is that it takes claims from the token issued by the underlying IdP and adds them to the ACS-issued token.
By default, only the aforementioned claims (name, email, sub, groups) are added. However, there is an ability to add custom claim mappings which will transform an IdP token claim into an ACS-issued token claim. You can find the documentation here: doc
There are two ways to add these claim mappings to an auth provider:
- By using the auth provider API
- Starting with 4.1, you can leverage the declarative config functionality that will allow you to create auth resources via a k8s ConfigMap/Secret.
At the moment you can't add claim mappings via the auth provider UI; however, it is on our roadmap.
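The claim-forwarding and role-mapping behaviour described in the report and in the reply above, as an added example that is not StackRox's own code: a hypothetical Go model in which only the fixed default claims are copied into the ACS-issued token (sub as userid, account_id as orgid), custom claim mappings add further claims, and role rules then match on the resulting attributes. The type and function names, the Auth0-style subject and the "department" claim are constructed for the illustration.

```go
package main

import "fmt"

type (
	ClaimMapping struct{ IdPClaim, ACSClaim string } // copy one IdP claim under a chosen ACS name
	RoleRule     struct{ Key, Value, Role string }   // grant Role when attribute Key carries Value
)

// Hypothetical model of the behaviour the issue describes, not StackRox code.
// Default IdP claims and the ACS attribute name each receives (sub -> userid, account_id -> orgid).
var defaultMappings = []ClaimMapping{
	{"name", "name"}, {"email", "email"}, {"groups", "groups"},
	{"sub", "userid"}, {"account_id", "orgid"}, {"is_org_admin", "is_org_admin"},
}

// BuildACSClaims derives the ACS-issued token attributes from the IdP claims (modelled as string lists).
// Only default and explicitly mapped claims survive; a custom claim with no mapping never reaches the rules.
func BuildACSClaims(idp map[string][]string, custom []ClaimMapping) map[string][]string {
	out := map[string][]string{}
	for _, m := range append(defaultMappings, custom...) {
		if vals := idp[m.IdPClaim]; len(vals) > 0 { // absent claims add nothing
			out[m.ACSClaim] = append(out[m.ACSClaim], vals...)
		}
	}
	return out
}

// AssignRoles returns, in rule order, each role whose key/value rule matches an attribute value.
func AssignRoles(attrs map[string][]string, rules []RoleRule) []string {
	var roles []string
	for _, r := range rules {
		for _, v := range attrs[r.Key] {
			if v == r.Value {
				roles = append(roles, r.Role)
				break
			}
		}
	}
	return roles
}

func main() { // constructed IdP claims; the "department" rule only fires once a mapping exists
	idp := map[string][]string{"sub": {"auth0|42"}, "account_id": {"acme"}, "department": {"platform"}}
	rules := []RoleRule{{"orgid", "acme", "Analyst"}, {"department", "platform", "Admin"}}
	fmt.Println(AssignRoles(BuildACSClaims(idp, nil), rules))                                          // [Analyst]
	fmt.Println(AssignRoles(BuildACSClaims(idp, []ClaimMapping{{"department", "department"}}), rules)) // [Analyst Admin]
}
```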