Skip to content

Add multi-ingress domains to SCIM IdPs #4778

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 24 commits into
base: develop
Choose a base branch
from
Open

Add multi-ingress domains to SCIM IdPs #4778

wants to merge 24 commits into from

Conversation

supersven
Copy link
Contributor

@supersven supersven commented Sep 17, 2025
edited
Loading

Ticket: https://wearezeta.atlassian.net/browse/WPB-20052

Checklist

  • Add a new entry in an appropriate subdirectory of changelog.d
  • Read and follow the PR guidelines

@supersven supersven force-pushed the sventennie/scim-idp-with-domain branch from 5b2b73f to 559a318 Compare September 17, 2025 13:20
@zebot zebot added the ok-to-test Approved for running tests in CI, overrides not-ok-to-test if both labels exist label Sep 17, 2025
@supersven supersven changed the title Sventennie/SCIM idp with domain Add multi-ingress domains to SCIM IdPs Sep 17, 2025
@supersven
Add domain field to IDP config
c682b91
@supersven
Add simple integration test (create idp)
1bcbf9a
@supersven
Improve test (get & update)
5581d66
@supersven
Only write the domain field for multi-ingress domains
03655c0 
We have to set some constraints on this field that wouldn't fit in the
general case.
@supersven
Ensure only one Idp can be created for multi-ingress
d2013f0
@supersven
Add domain column to idp table in cassandra-schema.sql
e8c4384 
This should be up-to-date with what the migrations create.
@supersven
Rename test
b996b58
@supersven
Ensure that the existing non-multi-ingress behaviour hasn't changed
0d08b8c
@supersven
Fix typo
b932503
@supersven
Improve test
d93cccb
@supersven
Reduce duplication by extracting a helper function
80a8adf
@supersven
Add comment
b4f7260
@supersven
Add test for unconfigured domains
bab413c
@supersven
Delete debug print
adb44e0
@supersven
Cleanup tests
30c3d4b
@supersven
Add changelog
be7bd3b
@supersven
Add docs
35b7e35
@supersven
Reformat
e42648f
@supersven
Unify bindings of same values
215f1a9
@supersven
make cassandra-schema
8c64d98
@supersven
Delete obsolete TODO
3afa5bc
@supersven
Remove bogus name in pattern matches
9fb0a05
@supersven
Improve one ingress per domain test
c2457d1
@supersven supersven force-pushed the sventennie/scim-idp-with-domain branch from 6a8da79 to c2457d1 Compare September 19, 2025 06:35
@supersven supersven marked this pull request as ready for review September 19, 2025 06:36
@supersven supersven requested review from a team as code owners September 19, 2025 06:36
@supersven supersven requested a review from a team as a code owner September 19, 2025 06:36
@supersven supersven requested a review from fisx September 19, 2025 06:36
@supersven
Copy link
Contributor Author

Hey @fisx 👋

May I ask you to review this? This PR touches sensitive areas and you surely have most knowledge/context here...

fisx
fisx reviewed Sep 25, 2025
View reviewed changes
changelog.d/2-features/multi-ingress-idp-domains
in later lookups, at most one IdP can be configured per multi-ingress domain.
If multi-ingress is not configured or it's not configured for the specific
domain, no `domain` field gets added to the IdP. This guards against creating
multiple IdPs and then assigning them to multi-ingress domains. Thus, users who
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

you mean "guards against a team having no multi-ingress, but several idps that are only distinguished by domain (because domain is part of the database key)?

we do allow several idps per team, though, right? except there is some complication with scim and saml, and associating the two for one ipd, not sure what the current implementation status there is.

not sure this makes sense, but i'll leave it as a note to self so i can clarify later.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@fisx fisx fisx left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
ok-to-test Approved for running tests in CI, overrides not-ok-to-test if both labels exist
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@supersven @fisx @zebot