Idea #15558

closed

[SSO] [API] Identify users by (alternate) email addresses

Added by Peter Amstutz over 4 years ago. Updated about 4 years ago.

Status: Resolved
Priority: Normal
Assigned To:
Category: -
Target version:
Story points: -
Release relationship: Auto

Description

Goal: identify users by email address as a fallback when identity_url is different (due to a different upstream login) or user changes their primary email (assumes the old email is listed as an alternate).

SSO

When providing callback response to API, include all upstream-provided email addresses as alternates in addition to the primary.

Login

When logging in, if the identity_url doesn't match a user, look up user by email address, filtering out remote users:

  1. try primary address first
  2. then try alternate addresses

If more than one address matches: if there is exactly one match without a redirect, use that. If all matches have a redirect: if all redirect to the same account (or there is just one match), use that. If it is still ambiguous which account to use, login fails.

Once the primary user account has been selected, update the identity_url, email address, and name based on the SSO callback.

Additionally, because it is being used for identity, the 'email' column should no longer be user editable.

Database changes: add uniqueness constraint to identity_url (it is already de facto unique, but it ought to be enforced.)
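
The account-selection rules from the Login section, as an added Ruby example (not code from the Arvados or SSO repositories). `User`, `AmbiguousLogin`, `select_login_account` and the sample records are hypothetical. It assumes matches are collected across all supplied addresses before disambiguation, that a redirected match resolves to its redirect target (one hop), and that emails are compared as exact strings.

```ruby
# Added illustration: User, AmbiguousLogin, select_login_account and the
# sample records are hypothetical, not Arvados code.
User = Struct.new(:uuid, :identity_url, :email, :name, :redirect_to, :remote,
                  keyword_init: true)
class AmbiguousLogin < StandardError; end

# Returns the account to log in as, nil when nothing matches, and raises
# AmbiguousLogin when the email matches cannot be narrowed to one account.
def select_login_account(users, identity_url:, primary_email:,
                         alternate_emails: [], name: nil)
  # A blank value must never match records whose column is empty.
  raise ArgumentError if [identity_url, primary_email].any? { |v| v.to_s.empty? }
  account = users.find { |u| u.identity_url == identity_url }
  if account.nil?
    # Fallback: primary address first, then alternates, local users only.
    matches = [primary_email, *alternate_emails].uniq
              .flat_map { |addr| users.select { |u| !u.remote && u.email == addr } }
              .uniq(&:uuid)
    return nil if matches.empty?

    direct  = matches.reject(&:redirect_to)
    targets = matches.map(&:redirect_to).compact.uniq
    account =
      if direct.size == 1                      # exactly one non-redirected match
        direct.first
      elsif direct.empty? && targets.size == 1 # every match redirects to one account
        users.find { |u| u.uuid == targets.first }
      end
    # Fail closed: several candidates, or a redirect target that does not exist.
    raise AmbiguousLogin, "cannot pick one account for #{primary_email}" if account.nil?
  end
  # Selected: refresh the stored identity from the SSO callback.
  account.identity_url = identity_url
  account.email = primary_email
  account.name = name if name
  account
end

# Constructed sample data.
def sample_users
  [
    User.new(uuid: "u1", identity_url: "https://idp-a.example/alice", email: "alice@old.example"),
    User.new(uuid: "u2", email: "bob@a.example", redirect_to: "u4"),
    User.new(uuid: "u3", email: "bob@b.example", redirect_to: "u4"),
    User.new(uuid: "u4", email: "bob@main.example"),
    User.new(uuid: "u5", email: "carol@x.example", remote: true),
    User.new(uuid: "u6", email: "dave@a.example"),
    User.new(uuid: "u7", email: "dave@b.example"),
  ]
end
```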


Subtasks 2 (0 open, 2 closed)

Task #15568: Review 15558-alternate-email-addresses in SSO repo (Resolved, Eric Biagiotti, 08/22/2019)
Task #15587: Review 15558-alternate-email-addresses in arvados (Resolved, Eric Biagiotti, 08/22/2019)

Related issues

Related to Arvados - Idea #15529: [API] [Controller] Share user account database with a group of trusted clusters (Resolved, Peter Amstutz, 08/22/2019)
Has duplicate Arvados - Idea #15477: Use email address for Arvados account linking (Duplicate)
Has duplicate Arvados - Idea #15493: Allow admin to configure Unix account id (Duplicate)