[RBAC] Validate Permissions Assignment to User Groups from IDP

Description

User Story:

As an admin,
I want to assign RBAC policies to user groups fetched from the external IDP,
So that I can simplify permissions management for external users without relying on unique "sub" IDs.


Context:

Currently, our RBAC implementation validates permissions based on the user's "sub" claim. This presents challenges for external IDPs such as Microsoft Entra, where the "sub" ID is randomly generated and not visible in the dashboard.
To address this, we are introducing support for group-based RBAC. Our application will request the "groups" scope when interacting with IDPs. If the "groups" claim is returned in the ID token, Everest will validate permissions based on the groups the user belongs to.

A user will be authorized to perform an operation if the user's subject or any of the groups they belong to has the required permission.


Acceptance Criteria:

  1. IDP Integration:

    • Everest UI requests the "groups" scope when authenticating users via OIDC.

    • The "groups" claim is successfully fetched from the ID token if supported by the IDP.

  2. RBAC Evaluation:

    • Permissions are validated against the user's "sub" ID and the "groups" claim.

    • A user is authorized if either their "sub" ID or any group they belong to has the required permission.
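The evaluation rule from the acceptance criteria, as an added example (not Everest's own code): it decodes the "sub" and "groups" claims from an ID-token payload and grants a request when the subject or any group holds the permission, denying by default. The Policy shape, the claim-parsing function and the sample values are assumptions made for the illustration; a token without a "groups" claim simply contributes no groups.

```go
package main

import (
	"encoding/json"
	"fmt"
)
// Claims: the two ID-token claims the rule needs; a missing "groups" claim yields a nil slice.
type Claims struct {
	Sub    string   `json:"sub"`
	Groups []string `json:"groups"`
}

// Policy maps a subject ("sub" value or group name) to resource -> allowed actions. Hypothetical shape.
type Policy map[string]map[string][]string

// Allows reports whether a single subject holds the permission.
func (p Policy) Allows(subject, resource, action string) bool {
	for _, a := range p[subject][resource] {
		if a == action {
			return true
		}
	}
	return false
}

// Authorize grants the request if the user's sub or any of their groups holds it; deny by default.
func Authorize(p Policy, c Claims, resource, action string) bool {
	for _, s := range append([]string{c.Sub}, c.Groups...) {
		if p.Allows(s, resource, action) {
			return true
		}
	}
	return false
}

// ParseClaims decodes the JSON payload of an already signature-verified ID token.
func ParseClaims(payload []byte) (Claims, error) {
	var c Claims
	err := json.Unmarshal(payload, &c)
	return c, err
}

func main() {
	// Constructed sample policy: only the group "db-admins" may create clusters.
	policy := Policy{"db-admins": {"database-clusters": {"create", "read"}}}
	withGroups, _ := ParseClaims([]byte(`{"sub":"AbC123-random","groups":["db-admins"]}`))
	noGroups, _ := ParseClaims([]byte(`{"sub":"AbC123-random"}`))
	fmt.Println(Authorize(policy, withGroups, "database-clusters", "create"),
		Authorize(policy, noGroups, "database-clusters", "create")) // true false
}
```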


Design (Figma link):

Tech Documentation:

Limitations:

Activity

Yusaf Awan February 5, 2025 at 9:39 AM

Tested and verified on 1.10000.0-rc20250203110712 FB.
While configuring an IdP, if the scope of the IdP contains groups (ex: --scopes openid,profile,email,groups) and the IdP (Okta) did not have the groups scope set up in its settings, the SSO will not go through. The endpoint will give an error saying that the IdP does not have any groups scope.

Diogo Recharte January 29, 2025 at 1:41 PM

As discussed on the call, we added an option to configure the scopes that Everest requests from the IdP to avoid breaking existing setups with IdPs that are not configured with the groups scope. Therefore, the requested scopes shall be retested, and we should validate that the JWT has the groups info when the groups scope is set.

Oksana Grishchenko January 13, 2025 at 10:26 AM

Hi! To use groups from the IdP, the user would need to configure the groups claim in the IdP, so we would need to update our docs and include some information about how to do this configuration. I configured groups in Okta; the process is described in Notion. Please check and let me know if you have any questions or need any help.

Unresolved

Created January 2, 2025 at 8:54 AM
Updated March 5, 2025 at 11:24 AM