External Role Sync

Introduction

The CoreOne Suite offers a mechanism to synchronize permissions from an external identity provider. This functionality is used when permissions are managed in the external identity provider but also need to be reflected in the local permissions.

How it works

Configuration

In order to sync the external roles, an external role sync configuration must be present in the configuration (servicecorelogin_external_role_sync_configuration). The configuration consists of the following data:

Property                  | Value                | Description
--------------------------|----------------------|----------------------------------------------------------------
External Logon Provider   | My External IdP      | A reference to the external logon provider
External Role Claim Name  | roles                | The claim in which the external permissions are issued
Application               | My Local Application | A reference to the local application the permissions belong to

In addition to the role sync configuration, you have to make sure that all associated applications have a correct role claim configured. The role claim is used to determine in which claim the permissions are being issued. If none is set, the comparison will not work correctly and the role sync will be executed on each login.

Role Extraction

The external permissions are first extracted from the external token (OIDC) or assertion (SAML) and persisted to the external user object. The roles from the external user are then compared to all local role claims of the configured application, and a list of Roles to add and a list of Roles to remove is calculated. This is all done directly in the CoreOne Authentication Service.

Role Synchronization

If there are any Roles to add or Roles to remove, the CoreOne Authentication Service will call the CoreOne Application Services to synchronize the roles in the Access Management space. This is done by the API call externalrolesync/start-sync-process, which you can find in the log.

This process starts asynchronously in the CoreOne Application Services and a reference id is returned.

Wait for result

The CoreOne Authentication Service will then wait until the process has finished. This is done by checking the table servicecorelogin_external_role_sync_process, where the date_finished_utc and reference_id are checked.
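The following is an added illustration of the Role Extraction step and of the role-claim caveat from the Configuration section; it is not CoreOne's own code. The claim names, the config dataclass and the sample token are constructed assumptions.

```python
# Added illustration (not CoreOne's own code): external roles from the IdP token
# are compared against the local role claims of the configured application.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ExternalRoleSyncConfig:
    external_logon_provider: str   # reference to the external logon provider
    external_role_claim_name: str  # claim carrying the external permissions, e.g. "roles"
    application: str               # reference to the local application


def extract_external_roles(claims: dict, cfg: ExternalRoleSyncConfig) -> set[str]:
    """Read the external permissions from the decoded token/assertion claims.
    A single string role is normalised to a one-element set; a missing claim
    means the user holds no external roles for this application."""
    value = claims.get(cfg.external_role_claim_name, [])
    if isinstance(value, str):
        value = [value]
    return set(value)


def local_roles_from_claims(local_claims: dict, app_role_claim_name: Optional[str]) -> set[str]:
    """Local roles are read from the application's configured role claim.
    Without a configured role claim nothing can be read, so the local side looks empty."""
    if not app_role_claim_name:
        return set()
    return set(local_claims.get(app_role_claim_name, []))


def compute_role_diff(external_roles: set[str], local_roles: set[str]):
    """Return (roles_to_add, roles_to_remove) as sorted lists."""
    return sorted(external_roles - local_roles), sorted(local_roles - external_roles)


def sync_required(roles_to_add, roles_to_remove) -> bool:
    return bool(roles_to_add or roles_to_remove)


# Constructed sample data: one decoded OIDC token and the local claims of the app.
CFG = ExternalRoleSyncConfig("My External IdP", "roles", "My Local Application")
TOKEN_CLAIMS = {"sub": "alice", "roles": ["admin", "auditor"]}  # constructed
LOCAL_CLAIMS = {"role": ["auditor", "viewer"]}                   # constructed

if __name__ == "__main__":
    ext = extract_external_roles(TOKEN_CLAIMS, CFG)
    # Correctly configured application: only the real differences are synced.
    add, rem = compute_role_diff(ext, local_roles_from_claims(LOCAL_CLAIMS, "role"))
    print("add:", add, "remove:", rem)  # add: ['admin'] remove: ['viewer']
    # No role claim configured: the diff never converges, so a sync runs on every login.
    add, rem = compute_role_diff(ext, local_roles_from_claims(LOCAL_CLAIMS, None))
    print("sync on every login:", sync_required(add, rem))  # True
```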

© ITSENSE AG. All rights reserved. ITSENSE and CoreOne are registered trademarks of ITSENSE AG.