[ https://issues.apache.org/jira/browse/OAK-4087?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15363881#comment-15363881 ]
angela commented on OAK-4087:
-----------------------------

It works pretty much the same way for local groups: the automembership configuration option of a given {{DefaultSyncHandler}} instance will be picked up by the {{ExternalPrincipalConfiguration}}, mapped to a given IDP for which the {{SyncHandler}} has been registered (see {{ExternalLoginModule}}) and ultimately evaluated by the {{ExternalGroupPrincipalProvider}} in order to make sure a given {{Subject}} is not only populated with the principals defined on the external IDP but also with the auto-membership principals.

Note that the automembership defines the group IDs and the corresponding call will first resolve the {{Group}} (as it used to do it before) and then place the associated principal in the set of all (group) principals as requested by {{PrincipalProvider.getGroupMembership(Principal)}} and {{PrincipalProvider.getPrincipals(String)}} respectively.

Hope that helps. Btw: I would appreciate it if you could take a look at the corresponding documentation section and let me know if there is something that needs additional clarification.

> Replace Sync of configured AutoMembership by Dynamic Principal Generation
> -------------------------------------------------------------------------
>
>                 Key: OAK-4087
>                 URL: https://issues.apache.org/jira/browse/OAK-4087
>             Project: Jackrabbit Oak
>          Issue Type: Improvement
>          Components: auth-external
>            Reporter: angela
>            Assignee: angela
>              Labels: performance
>             Fix For: 1.5.3
>
>         Attachments: OAK-4087.patch, OAK-4087_documentation.patch
>
>
> the {{DefaultSyncConfig}} comes with a configuration option
> {{PARAM_USER_AUTO_MEMBERSHIP}} indicating the set of groups a given external
> user must always become a member of upon sync into the repository.
> this results in groups containing almost all users in the system (at least
> those synchronized from the external IDP).
> while this behavior is straightforward (and corresponds to the behavior in the
> previous crx version), it wouldn't be necessary from a repository point of view
> as a given {{Subject}} can be populated from different principal sources and
> dealing with this kind of dynamic-auto-membership was a typical use-case.
> what does that mean:
> instead of performing the automembership on the user management, the external
> authentication setup could come with an auto-membership {{PrincipalProvider}}
> implementation that would expose the desired group membership for all
> external principals (assuming that they were identified as such).
> [~tripod], do you remember if that was ever an option while building the
> {{oak-auth-external}} module? if not, could that be worth a second thought
> also in the light of OAK-3933?

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
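The following is an added, self-contained model of the evaluation the comment describes; it is not Oak's {{ExternalGroupPrincipalProvider}} and uses none of Oak's APIs. The class {{DynamicAutoMembership}}, the principal class {{P}}, the sample maps ({{IDP_OF_USER}}, {{EXTERNAL_GROUPS}}, {{AUTO_MEMBERSHIP}}, {{LOCAL_GROUPS}}) and the user, IDP and group names in them are all constructed for illustration. It shows the two lookups named above, {{getGroupMembership(Principal)}} and {{getPrincipals(String)}}, computing group principals at login time from the IDP's groups plus the per-IDP auto-membership configuration, resolving each configured group ID to a local group before adding its principal and skipping IDs that do not resolve, while a local user (not mapped to any IDP) receives no auto-membership from this provider.

```java
import java.security.Principal;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;

/**
 * Added example (not Oak's code): minimal model of dynamic auto-membership that is
 * evaluated when a Subject is populated instead of being written into group membership.
 */
public class DynamicAutoMembership {

    /** Plain principal; 'group' marks group principals (stand-in for Oak's group principal type). */
    static final class P implements Principal {
        final String name;
        final boolean group;
        P(String name, boolean group) { this.name = name; this.group = group; }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o instanceof P && ((P) o).name.equals(name) && ((P) o).group == group;
        }
        @Override public int hashCode() { return name.hashCode() * 31 + (group ? 1 : 0); }
        @Override public String toString() { return (group ? "group:" : "user:") + name; }
    }

    // --- constructed sample data (hypothetical names) -----------------------------
    // IDP a user was synced from; local users have no entry (stand-in for the
    // external-id marker a synced user carries in the repository).
    static final Map<String, String> IDP_OF_USER = new HashMap<>();
    // Group names the external IDP reports for each external user.
    static final Map<String, Set<String>> EXTERNAL_GROUPS = new HashMap<>();
    // Per-IDP auto-membership configuration (local group IDs), keyed by the IDP name
    // the sync handler is registered for.
    static final Map<String, Set<String>> AUTO_MEMBERSHIP = new HashMap<>();
    // Group IDs that resolve to an existing local group.
    static final Set<String> LOCAL_GROUPS = new HashSet<>();

    static {
        IDP_OF_USER.put("alice", "corp-ldap");
        EXTERNAL_GROUPS.put("alice", new HashSet<>(Arrays.asList("ldap-developers")));
        AUTO_MEMBERSHIP.put("corp-ldap", new LinkedHashSet<>(Arrays.asList("contributors", "missing-group")));
        LOCAL_GROUPS.add("contributors");
        LOCAL_GROUPS.add("administrators");
        // "bob" is a local user: no IDP entry, no external groups.
    }

    /** Resolves a group ID to its principal, or null if no such local group exists. */
    static P resolveGroup(String groupId) {
        return LOCAL_GROUPS.contains(groupId) ? new P(groupId, true) : null;
    }

    /** Model of getGroupMembership(Principal): group principals for an external user. */
    static Set<Principal> getGroupMembership(Principal principal) {
        String userId = principal.getName();
        String idp = IDP_OF_USER.get(userId);
        Set<Principal> groups = new LinkedHashSet<>();
        if (idp == null) {
            // Local user: this provider contributes nothing, so no auto-membership applies.
            return groups;
        }
        // 1. Group principals reported by the external IDP (no local group required).
        for (String g : EXTERNAL_GROUPS.getOrDefault(userId, Collections.emptySet())) {
            groups.add(new P(g, true));
        }
        // 2. Auto-membership configured for that IDP: resolve the local group first,
        //    then add its principal; IDs that do not resolve are skipped.
        for (String id : AUTO_MEMBERSHIP.getOrDefault(idp, Collections.emptySet())) {
            P group = resolveGroup(id);
            if (group != null) {
                groups.add(group);
            }
        }
        return groups;
    }

    /** Model of getPrincipals(String): user principal plus all group principals. */
    static Set<Principal> getPrincipals(String userId) {
        Set<Principal> all = new LinkedHashSet<>();
        P user = new P(userId, false);
        if (IDP_OF_USER.containsKey(userId)) {
            all.add(user);
            all.addAll(getGroupMembership(user));
        }
        return all;
    }

    public static void main(String[] args) {
        System.out.println("alice -> " + getPrincipals("alice"));
        System.out.println("bob   -> " + getPrincipals("bob"));
    }
}
```

Compile and run it as {{DynamicAutoMembership.java}}: alice ends up with her user principal, the IDP group and the resolvable auto-membership group, while "missing-group" is dropped because no local group by that ID exists, and bob gets nothing from this provider. The point of the design is visible in the data: no group's member list is ever modified, so the "groups containing almost all users" effect from the issue description does not arise.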