IdP-Scoped SAML Group Synchronization
Overview
Enhance the SAML Group Synchronization mechanism to use both Identity Provider (IdP) identifier and group name as the composite matching key for group membership synchronization. This change will prevent unintended cross-IdP group membership and provide better access control isolation between partner organizations sharing an instance.
Background
Currently, SAML Group Sync matches users to groups based solely on the group name across all configured IdPs. In multi-IdP environments where different organizations control separate IdPs, this creates a security risk where group name collisions (accidental or intentional) could lead to unauthorized access to sensitive projects and data spillage between partners.
Goals
- Prevent unauthorized access through group name collisions across IdPs
- Maintain existing group sync functionality within individual IdPs
- Provide clear isolation between partner organizations' group management
- Enable organizations to safely restrict access to their sensitive projects
- Minimize migration impact on existing installations
Proposal
Use both the Identity Provider (IdP) identifier and the group name as the composite matching key for group membership synchronization. The IdP-scoped matching will be optional and will not affect existing group links.
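The following is an added illustration of the matching change, not code from the proposal or from any product's group-sync implementation. It models group links and SAML assertions as small dataclasses (the field names, the `None`-means-legacy convention for unscoped links, and the sample partner data are all constructed assumptions) and shows how name-only matching lets a colliding group name from one IdP grant membership in another partner's project, while composite (IdP, name) matching confines each link to the IdP it was created for. A helper also reports the cross-IdP name collisions that the Background section describes.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class GroupLink:
    """A mapping from a SAML group name to an application group.

    `idp` is the identifier of the IdP this link was created for. `None` marks
    a legacy link created before IdP scoping existed; such links keep matching
    by name alone so that enabling the feature does not change their behaviour.
    (Hypothetical model, not a real product schema.)
    """
    saml_group_name: str
    target_group: str
    idp: Optional[str] = None


@dataclass(frozen=True)
class SamlAssertion:
    """The relevant parts of a validated SAML response: which IdP signed it and
    which group values it carried. Signature validation is assumed to have
    happened before this point."""
    idp: str
    groups: Tuple[str, ...]


def resolve_groups(assertion: SamlAssertion, links: List[GroupLink],
                   scope_by_idp: bool) -> Set[str]:
    """Return the application groups the user should be a member of.

    scope_by_idp=False reproduces name-only matching (current behaviour);
    scope_by_idp=True uses (idp, saml_group_name) as the composite key.
    """
    granted: Set[str] = set()
    for link in links:
        if link.saml_group_name not in assertion.groups:
            continue
        # Composite key: a scoped link only matches assertions from its own IdP.
        if scope_by_idp and link.idp is not None and link.idp != assertion.idp:
            continue
        granted.add(link.target_group)
    return granted


def detect_name_collisions(links: List[GroupLink]) -> Dict[str, Set[Optional[str]]]:
    """Report SAML group names that are linked under more than one IdP.

    These are exactly the links that behave differently once scoping is enabled,
    so an administrator can review them before migrating.
    """
    by_name: Dict[str, Set[Optional[str]]] = {}
    for link in links:
        by_name.setdefault(link.saml_group_name, set()).add(link.idp)
    return {name: idps for name, idps in by_name.items() if len(idps) > 1}


# Constructed sample: two partner organisations share one instance, and both
# happen to use the SAML group name "admins".
SAMPLE_LINKS = [
    GroupLink("admins", "partner-a/secret-project", idp="partner-a"),
    GroupLink("admins", "partner-b/shared-tools", idp="partner-b"),
    GroupLink("auditors", "instance/audit-readers"),  # legacy, unscoped link
]

# A user authenticating through partner B's IdP whose assertion carries "admins".
PARTNER_B_USER = SamlAssertion(idp="partner-b", groups=("admins", "auditors"))


def demo() -> Tuple[Set[str], Set[str]]:
    """Membership under name-only matching versus IdP-scoped matching."""
    unscoped = resolve_groups(PARTNER_B_USER, SAMPLE_LINKS, scope_by_idp=False)
    scoped = resolve_groups(PARTNER_B_USER, SAMPLE_LINKS, scope_by_idp=True)
    return unscoped, scoped


if __name__ == "__main__":
    before, after = demo()
    print("name-only matching grants:", sorted(before))
    print("IdP-scoped matching grants:", sorted(after))
    print("cross-IdP collisions:", detect_name_collisions(SAMPLE_LINKS))
```

Under name-only matching the partner B user is granted `partner-a/secret-project` purely because both organisations chose the name "admins"; under the composite key that link is skipped while the legacy unscoped `auditors` link still applies, which is the "does not affect existing group links" property the proposal asks for.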