Conversation

@jbendson

No description provided.

Josh Bendson added 2 commits January 26, 2026 23:39
Implements configurable mapping of external SSO provider groups (Entra, Keycloak)
to internal CIDX groups (admins, powerusers, users) during JIT user provisioning.

Key Features:
- Parse groups from ID token instead of userinfo endpoint
- Support list-based group mapping format with optional display names
- First-match strategy with graceful fallback to "users" group
- Backward compatibility with old dict format (auto-migrated)
- Fixed group_manager injection bug during OIDC config reload
- Removed insecure ID token logging

Configuration Format:
[
  {
    "external_group_id": "guid-or-name",      // Required: matches token
    "external_group_name": "Display Name",    // Optional: for docs/UI
    "cidx_group": "admins"                    // Required: target group
  }
]

Behavior:
- Mapping matches + group exists → assign to mapped group
- Mapping matches + group missing → fallback to "users" (with warning)
- No mappings or no match → fallback to "users"
- Existing users not reassigned on re-login (AC3)

Changes:
- config_manager.py: Add group_mappings config with backward compatibility
- sso_provisioning_hook.py: Implement matching logic and fallback behavior
- oidc_provider.py: Parse ID token for groups, remove insecure logging
- oidc_manager.py: Pass groups from token to provisioning hook
- config_service.py: Handle both dict and list mapping formats
- routes.py: Fix group_manager injection during config reload
- config_section.html: Display mappings with optional names in UI
- Tests: Update for ID token parsing and new mapping format

Security: Removed raw ID token payload logging (only logs claim names)
- Add create_mock_id_token() helper function to generate test JWT tokens
- Update all get_user_info() calls to pass both access_token and id_token
- Remove httpx mocking since ID token parsing doesn't make HTTP calls
- Fix test_sso_callback_rejects_invalid_state by properly initializing oidc_manager

All 59 OIDC tests now passing.
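The group-resolution behaviour described in the commit message above (list-format mappings with first-match, fallback to "users", auto-migration of the old dict format, and no reassignment on re-login), as an added Python example that is not part of the PR's code; the function names, the `groups` claim key and the sample mapping values are assumptions.

```python
import logging
from typing import Any

log = logging.getLogger("sso_provisioning")

DEFAULT_GROUP = "users"  # fallback group named in the commit message


def migrate_group_mappings(raw: Any) -> list[dict[str, str]]:
    """Old dict format {external_id: cidx_group} is auto-migrated to the
    list format; list input is returned unchanged (hypothetical helper)."""
    if isinstance(raw, dict):
        return [{"external_group_id": k, "cidx_group": v} for k, v in raw.items()]
    return list(raw or [])


def resolve_cidx_group(token_groups: list[str], mappings: Any,
                       existing_groups: set[str]) -> str:
    """First mapping (in configured order) whose external_group_id appears
    in the token's groups claim wins. Unknown target or no match -> 'users'."""
    token_set = set(token_groups)
    for m in migrate_group_mappings(mappings):
        if m["external_group_id"] not in token_set:
            continue
        target = m["cidx_group"]
        if target in existing_groups:
            return target
        # Matched, but the configured CIDX group does not exist: warn and fall back.
        log.warning("mapped group %r missing; using %r", target, DEFAULT_GROUP)
        return DEFAULT_GROUP
    return DEFAULT_GROUP


def provision_user(username: str, id_claims: dict, mappings: Any,
                   existing_groups: set[str], users: dict[str, str]) -> str:
    """JIT provisioning: groups come from the already-verified ID token claims,
    not the userinfo endpoint. Existing users keep their group on re-login (AC3).
    `users` is a hypothetical stand-in for the user store."""
    if username in users:
        return users[username]
    groups = id_claims.get("groups", [])  # assumed claim name
    users[username] = resolve_cidx_group(groups, mappings, existing_groups)
    return users[username]
```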
@jbendson jbendson force-pushed the feature/sso-group-mapping branch from 3f0cfc8 to a84b087 January 27, 2026 05:41
- Update version in all documentation files
- Add CHANGELOG entry for SSO group mapping feature
- Update version references in architecture and query guide
@jbendson jbendson force-pushed the feature/sso-group-mapping branch from a84b087 to 257010d January 27, 2026 05:45
@jsbattig jsbattig merged commit 591221a into master Jan 27, 2026
2 of 3 checks passed
3 participants