SAML/SCIM Identity implementation decision
This issue is a result of a conversation with @jamedjo, @xlgmokha and me.
Currently, for Group SAML and SCIM, a single SAML identity is used. If an organization uses SAML and SCIM together, it's expected that both use the same ID, which is saved in the `extern_uid` field of the SAML identity. Similarly, if an organization uses SCIM only, a SAML identity is still created and used for SCIM purposes.

Going forward, we discussed that it may be beneficial to separate the two identities and allow each to have explicit identities with a unique `extern_uid`. The `extern_uid` might be the same in cases where the organization uses SAML and SCIM, but it doesn't need to be the same.
Questions:
- When a user is deprovisioned via SCIM, what do we do? Right now we just delete the SAML identity. Do we delete both? Do we keep the SCIM one and delete the SAML one?
- How do we migrate existing SCIM users to their own identity? It would be difficult to distinguish between existing identities and which they are being used for. We could potentially look at whether a Group SAML identity exists and whether the SCIM token is generated, and create an identical SCIM identity in that case. What side-effects might that have?
- For what reasons might we not want to split these identities? Is this optimization premature?
- Will this enable us to combine SCIM with other identity providers in the future (OAuth, LDAP, etc)? Are we precluded from doing so by having combined SAML/SCIM identities?
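To make the trade-offs above concrete, here is a small in-memory model of the two schemes, the migration heuristic proposed in the second question, and SCIM deprovisioning with both policies from the first question as a switch. This is an added illustration, not GitLab's code: the `Identity`/`Group` structs, the provider names `group_saml` and `group_scim`, the `IdentityStore` API and the sample data are all assumptions made for the example.

```ruby
# Constructed, in-memory model of the identity scheme discussed in this issue.
# Not GitLab code: structs, provider names, store API and sample data are assumptions.

Identity = Struct.new(:user, :provider, :extern_uid, :saml_provider_id)
Group    = Struct.new(:name, :saml_provider_id, :scim_token_generated)

class IdentityStore
  def initialize
    @identities = []
  end

  def add(identity)
    @identities << identity
    identity
  end

  # All identities for one provider, scoped to one group's SAML provider.
  def where(provider:, saml_provider_id:)
    @identities.select { |i| i.provider == provider && i.saml_provider_id == saml_provider_id }
  end

  def find(provider:, extern_uid:, saml_provider_id:)
    where(provider: provider, saml_provider_id: saml_provider_id).find { |i| i.extern_uid == extern_uid }
  end

  # Array#delete returns the removed element (or nil).
  def delete(identity)
    @identities.delete(identity)
  end

  def for_user(user, saml_provider_id)
    @identities.select { |i| i.user == user && i.saml_provider_id == saml_provider_id }
  end
end

# Current scheme: a SCIM request is resolved through the single group_saml identity,
# so the SCIM externalId has to equal the SAML extern_uid.
def scim_lookup_combined(store, group, extern_uid)
  store.find(provider: 'group_saml', extern_uid: extern_uid, saml_provider_id: group.saml_provider_id)
end

# Proposed scheme: SCIM resolves its own group_scim identity; the two extern_uids
# may match, but nothing requires them to.
def scim_lookup_split(store, group, extern_uid)
  store.find(provider: 'group_scim', extern_uid: extern_uid, saml_provider_id: group.saml_provider_id)
end

# Migration heuristic from the issue: for every group_saml identity in a group
# whose SCIM token has been generated, create a group_scim identity copying the
# extern_uid. Idempotent: an existing group_scim identity is left alone.
def migrate_scim_identities(store, groups)
  created = []
  groups.each do |group|
    next unless group.scim_token_generated

    store.where(provider: 'group_saml', saml_provider_id: group.saml_provider_id).each do |saml|
      next if store.find(provider: 'group_scim', extern_uid: saml.extern_uid,
                         saml_provider_id: group.saml_provider_id)

      created << store.add(Identity.new(saml.user, 'group_scim', saml.extern_uid, group.saml_provider_id))
    end
  end
  created
end

# SCIM deprovisioning under the two policies the issue asks about: remove only
# the group_scim identity, or remove the user's group_saml identity as well.
# Returns the providers that were removed.
def scim_deprovision(store, group, extern_uid, also_remove_saml:)
  scim = scim_lookup_split(store, group, extern_uid)
  return [] unless scim

  removed = [store.delete(scim).provider]
  if also_remove_saml
    store.for_user(scim.user, group.saml_provider_id)
         .select { |i| i.provider == 'group_saml' }
         .each { |i| removed << store.delete(i).provider }
  end
  removed
end

# Constructed sample data: group 1 has a SCIM token, group 2 does not. Every user
# holds only a group_saml identity today, as in the current scheme.
def sample_store
  store = IdentityStore.new
  store.add(Identity.new('alice', 'group_saml', 'alice@example.com', 1))
  store.add(Identity.new('bob',   'group_saml', 'bob@example.com',   1))
  store.add(Identity.new('carol', 'group_saml', 'carol@example.com', 2))
  store
end

SAMPLE_GROUPS = [Group.new('acme', 1, true), Group.new('no-scim', 2, false)].freeze
```

Running `migrate_scim_identities(sample_store, SAMPLE_GROUPS)` creates `group_scim` identities for alice and bob but not carol, whose group has no SCIM token. It also shows one side-effect of the heuristic: the store cannot tell whether bob was ever provisioned through SCIM or only ever signed in via SAML, so he receives a SCIM identity purely because his group's token exists. A later SCIM request with a different `externalId` for bob would then miss the migrated identity rather than his SAML one.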