groups and users synchro

authentication/AzureAD/README_WITH_CLIENT_SECRET.md

@@ -7,6 +7,7 @@
     - [Prepare your environment for the ODM installation](#prepare-your-environment-for-the-odm-installation)
         - [Create a secret to use the Entitled Registry](#create-a-secret-to-use-the-entitled-registry)
         - [Create secrets to configure ODM with Microsoft Entra ID](#create-secrets-to-configure-odm-with-microsoft-entra-id)
+        - [Create the secret allowing to synchronize Decision Center Users/Groups with Entra ID](create-the-secret-allowing-to-synchronize-decision-center-users&groups-with-entra-id)
     - [Install your ODM Helm release](#install-your-odm-helm-release)
         - [Add the public IBM Helm charts repository](#add-the-public-ibm-helm-charts-repository)
         - [Check that you can access the ODM chart](#check-that-you-can-access-the-odm-chart)
@@ -290,6 +291,32 @@
         --from-file=webSecurity.xml=./output/webSecurity.xml
     ```
 
+4. Create the secret allowing to synchronize Decision Center Users/Groups with EntraID.
+
+This section is optional.
+
+ODM Decision Center allows to [manage users and groups from the Business console](https://www.ibm.com/docs/en/odm/9.0.0?topic=center-enabling-users-groups) in order to set access security on specific projects.
+The Groups and Users import can be done using an LDAP connection.
+But, if the openId server also provides a SCIM server, then it can also be managed using a SCIM connection.
+
+However, in some context, it's not possible to use LDAP or SCIM to import groups and users inside Decision Center.
+We will explain here how to synchronize Decision Center Groups and Users with EntraID by leveraging EntraID and Decision Center rest-api.
+
+A script will be responsible to get groups and users located in the EntraID tenant using the Microsoft Graph API :
+- [for users](https://learn.microsoft.com/en-us/graph/api/resources/users?view=graph-rest-1.0&preserve-view=true)
+- [for groups](https://learn.microsoft.com/en-us/graph/api/resources/groups-overview?view=graph-rest-1.0&tabs=http)
+
+Then, it will generate a [group-security-configurations.xml](https://www.ibm.com/docs/en/odm/9.0.0?topic=access-optional-user-liberty-configurations#reference_w1b_xhq_2rb__title__3) file that will be consumed using the [Decision Center rest-api](https://www.ibm.com/docs/en/odm/9.0.0?topic=mufdc-creating-users-groups-roles-by-using-rest-api) to populate Groups and Users in the Administration Tab.
+
+In a kubernetes context, this script can be called by a CRON job.
+Using the new ODM sidecar container mechanism, it can also be managed by the Decision Center pod himself.
+
+    ```shell
+    kubectl create secret generic users-groups-synchro-secret \
+        --from-file=sidecar-start.sh \
+        --from-file=generate-user-group-mgt.sh \
+    ```
+
 ## Install your ODM Helm release
 
 ### Add the public IBM Helm charts repository
@@ -326,6 +353,10 @@ You can now install the product. We will use the PostgreSQL internal database an
           --set internalDatabase.runAsUser='' --set customization.runAsUser='' --set service.enableRoute=true
   ```
 
+> **Note**
+> If you want the optional synchronization of groups and users with Entra ID, you have to add to the helm install command :
+> --set decisionCenter.sidecar.enabled=true --set decisionCenter.sidecar.confSecretRef=users-groups-synchro-secret
+
 #### b. Installation using Ingress
 
   Refer to the following documentation to install an NGINX Ingress Controller on:
@@ -350,6 +381,10 @@ You can now install the product. We will use the PostgreSQL internal database an
 > **Note**
 > By default, NGINX does not enable sticky session. If you want to use sticky session to connect to DC, refer to [Using sticky session for Decision Center connection](../../contrib/sticky-session/README.md)
 
+> **Note**
+> If you want the optional synchronization of groups and users with Entra ID, you have to add to the helm install command :
+> --set decisionCenter.sidecar.enabled=true --set decisionCenter.sidecar.confSecretRef=users-groups-synchro-secret
+
 ## Complete post-deployment tasks
 
 ### Register the ODM redirect URLs

authentication/AzureAD/generate-user-group-mgt.sh

@@ -145,6 +145,17 @@ XML_CONTENT+="\n</dc-usermanagement>"
 
 # Output the XML to a file
 echo "Writing XML to output file..."
-echo -e "$XML_CONTENT" > usermanagement.xml
+echo -e "$XML_CONTENT" > /tmp/group-security-configurations.xml
 
-echo "Script completed. XML file 'usermanagement.xml' generated successfully."
+echo "Script completed. XML file 'group-security-configurations.xml' generated successfully."
+
+echo "Getting ODM access token..."
+ODM_ACCESS_TOKEN=$(curl -s --location --request POST "https://login.microsoftonline.com/$TENANT_ID/oauth2/v2.0/token" \
+--header "Content-Type: application/x-www-form-urlencoded" \
+--data-urlencode "client_id=$CLIENT_ID" \
+--data-urlencode "scope=$CLIENT_ID/.default" \
+--data-urlencode "client_secret=$CLIENT_SECRET" \
+--data-urlencode "grant_type=client_credentials" | jq -r '.access_token')
+
+echo "Calling /v1/repository/users-roles-registry Decision Center Endpoint..."
+curl -X 'POST' 'http://localhost:9060/decisioncenter-api/v1/repository/users-roles-registry?eraseAllUsersAndGroups=true' -H 'accept: */*'   -H 'Content-Type: multipart/form-data'   -F 'file=@/tmp/group-security-configurations.xml;type=text/xml' -H "Authorization: Bearer $ODM_ACCESS_TOKEN"

authentication/AzureAD/sidecar-start.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+
+while true
+do
+  echo "synchronize groups and users every minute"
+  /tmp/sidecarconf/generate-user-group-mgt.sh -i <CLIENT_ID> -x <CLIENT_SECRET> -t <TENANT_ID> -v
+  sleep 60
+done