Monday, 2022-10-31

*** prometheanfire is now known as Guest0 06:40
*** osmanlicilegi is now known as Guest3 06:40
<Muran> When using an external identity provider over OIDC, a domain is automatically created and each user that identifies via the IDP will be created in that domain. Is there no way to override this functionality? For instance letting the IDP decide what domain the user should exist in. I've found no way of being able to map domain id into the user object in a way that the user gets created in the supplied domain id. 08:09
*** dviroel|out is now known as dviroel|rover 11:20
*** dasm|off is now known as dasm 13:36
*** Guest0 is now known as prometheanfire 14:18
<knikolla> Muran: hi, currently there isn't a way to specify the domain of a user via the mapping. There is a proposal to introduce such a feature but the spec and patch haven't landed yet. 14:29
<Muran> knikolla: Ok thanks a lot for the info. Do you happen to have a link to the proposal, if there is one? 14:40
<knikolla> Muran: https://review.opendev.org/c/openstack/keystone-specs/+/748042 14:41
<knikolla> though the spec needs to be reworked to drop the schema versioning introduction, and instead create a new attribute rather than reusing an existing one. 14:42
<Muran> knikolla: Thanks, much appreciated 14:42
<Muran> Follow up question on similar topic: Is it possible to map a list of projects received from IDP to keystone projects. For instance, receive a "member_project_ids" array containing all project ids the user should have access to and map that into keystone? 14:48
<Muran> "Have access to" in this case should be read as "have member role in" 14:52
*** dviroel|rover is now known as dviroel|rover|lunch 15:38
*** dviroel|rover|lunch is now known as dviroel|rover 16:46
<knikolla> Muran: it is not yet possible, though there is a proposal for it. https://review.opendev.org/c/openstack/keystone-specs/+/748748 16:48
<Muran> knikolla: Thanks 19:14
*** dviroel|rover is now known as dviroel|rover|brb 21:11
*** dasm is now known as dasm|off 22:56
*** dviroel|rover|brb is now known as dviroel|rover 22:58
*** dviroel|rover is now known as dviroel|rover|dinner 23:17
