N°7807 - Add support for organization selection during autoprovisioning #4

Open
wants to merge 1 commit into
base: master

tbredzin

Base information

| Question | Answer |
| --- | --- |
| Related to a SourceForge thread / Another PR / Combodo ticket? | R-039740 |
| Type of change? | Enhancement |

Symptom (bug) / Objective (enhancement)

We are using iTop and the combodo-hybridauth module and we are especially interested in using the "just-in-time" user provisioning capability (implemented in the DoUserProvisioning() function).

Unfortunately, we are lacking the ability to dispatch the auto-provisioned users to different organizations as the current implementation is limited to creating all the users in a single "default" organization.

Proposed solution (bug and enhancement)

The following proposed enhancement aims to automatically set the organization during the user provisioning by looking for the presence of an organization in the returned UserProfile#data[] field. If the field is missing, the default organization is selected.

This change is linked with PR #1410 currently opened in the hybridauth/hybridauth library.

Checklist before requesting a review

  • I have performed a self-review of my code
  • I have tested all changes I made on an iTop instance
  • Would a unit test be relevant and have I added it? => Unable to run the unit tests from this repo alone.
  • Is the PR clear and detailed enough so anyone can understand digging in the code?

@Hipska
Collaborator

Hipska commented Aug 21, 2024

FYI, the link to the referenced PR: hybridauth/hybridauth#1410

@jf-cbd

jf-cbd commented Oct 18, 2024

Thanks for the PR. Seems interesting, we're waiting for Hybridauth's PR approval to add some tests.

@jf-cbd jf-cbd added the enhancement New feature or request label Oct 18, 2024
@jf-cbd jf-cbd changed the title Add support for organization selection during autoprovisioning N°7969 - Add support for organization selection during autoprovisioning Nov 15, 2024
@jf-cbd

jf-cbd commented Nov 27, 2024

Great, the related PR has been accepted on the Hybridauth side 🎉

@jf-cbd jf-cbd changed the title N°7969 - Add support for organization selection during autoprovisioning N°7807 - Add support for organization selection during autoprovisioning Dec 2, 2024
@odain-cbd
Contributor

Dear Thomas,

First thank you for current contribution. We intend to integrate it in the next release 3.2.1.

Could you pls tell us how to configure Keycloak to send properly the organization via Openid? I tried but the answer from my local Keycloak contained a weird organization value:

2024-12-03 14:25:46 | Info    |       | OpenID UserProfile returned by service provider | Hybridauth |||
array (
  'oUserProfile' => 
  \Hybridauth\User\Profile::__set_state(array(
     'identifier' => 'ad23cbe4-5e7b-43ac-b2e6-c581afaae418',
     'webSiteURL' => NULL,
     'profileURL' => NULL,
     'photoURL' => NULL,
     'displayName' => 'odain',
     'description' => NULL,
     'firstName' => 'a',
     'lastName' => 'b',
     'gender' => NULL,
     'language' => NULL,
     'age' => NULL,
     'birthDay' => NULL,
     'birthMonth' => NULL,
     'birthYear' => NULL,
     'email' => '[email protected]',
     'emailVerified' => false,
     'phone' => NULL,
     'address' => NULL,
     'country' => NULL,
     'region' => NULL,
     'city' => NULL,
     'zip' => NULL,
     'data' => 
    array (
      'organization' => 0,
    ),
  )),
)

BR
Olivier

@odain-cbd
Contributor

If you are ok I will provide the tests on top of current feature and I will merge it in master.

@tbredzin
Author

Hello Olivier,

By default, the organization claim is optional (meaning if not requested, it won't be sent back).
In order to find it in the access token, you can change in the OIDC Keycloak Client, in the client scopes, the assigned type of the organization claim from Optional to Default.
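
Added example, not part of this PR and not code from combodo-hybridauth or hybridauth: a sketch of the fallback described in the proposed solution, hardened against the `'organization' => 0` value shown in the log above. The function name `resolveProvisioningOrg()`, the list of known organizations, the sample organization names, and the assumption that the claim carries an organization name are all hypothetical.

```php
<?php
// Added illustration; hypothetical helper, not the module's implementation.

/**
 * Pick the organization for a just-in-time provisioned user.
 *
 * @param array    $profileData The 'data' array of the returned user profile
 * @param string   $defaultOrg  Organization used when the claim is unusable
 * @param string[] $knownOrgs   Organization names that already exist locally
 * @return array [organization, reason] so the decision can be logged
 */
function resolveProvisioningOrg(array $profileData, string $defaultOrg, array $knownOrgs): array
{
    // Optional claim not sent by the identity provider.
    if (!array_key_exists('organization', $profileData)) {
        return [$defaultOrg, 'claim missing'];
    }
    $claim = $profileData['organization'];
    // The log in this thread shows an integer 0, not a name: never cast it.
    if (!is_string($claim)) {
        return [$defaultOrg, 'claim is not a string'];
    }
    $claim = trim($claim);
    if ($claim === '') {
        return [$defaultOrg, 'claim empty'];
    }
    // Strict comparison avoids PHP's loose numeric-string matches
    // (for example '1e1' == '10' is true).
    if (!in_array($claim, $knownOrgs, true)) {
        return [$defaultOrg, 'organization unknown'];
    }
    return [$claim, 'claim accepted'];
}

// Constructed sample inputs.
$known = ['Demo', 'IT Department'];
$samples = [
    ['organization' => 0],               // shape seen in the Keycloak log
    [],                                  // optional claim not returned
    ['organization' => 'IT Department'], // known organization
    ['organization' => 'Unknown Corp'],  // sent by the IdP, unknown locally
];
foreach ($samples as $data) {
    [$org, $reason] = resolveProvisioningOrg($data, 'Demo', $known);
    printf("%-40s -> %s (%s)\n", json_encode($data), $org, $reason);
}
```

Only the third sample is placed in the claimed organization; the others land in the default one, with the reason available for the provisioning log.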

odain-cbd added a commit to odain-cbd/combodo-hybridauth that referenced this pull request Dec 24, 2024
Labels
enhancement New feature or request
Projects
Status: Pending Combodo update