Idea #15529
Updated by Peter Amstutz over 5 years ago
[[Multi-cluster user database]]
h2. Configuration
Add the Login.LoginCluster config mentioned on the [[Multi-cluster user database]] wiki page.
h2. Login
# Instead of logging in to a local SSO provider, a cluster can designate a home cluster (cluster A) to which login is always sent
# After logging in, the user is sent to the original cluster (cluster B) with a token issued by the home cluster (cluster A)
# Users from the LoginCluster (cluster A) have extra trust on cluster B (their admin flag is respected)
h2. UserGet / UserUpdate APIs
In controller, when requesting or updating a user uuid, proxy the request to the master cluster -- i.e., the cluster whose ID matches the user UUID prefix.
In controller, when making a request to a remote cluster as part of a federated query, check whether the remote cluster is trusted to issue tokens for the user UUID in play (according to the master cluster's config RemoteClusters.$remoteclusterid.AuthenticateLocalUsers) -- if so, pass the token through unmodified instead of passing a salted token.
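The token pass-through decision described above, sketched as an added example (not code from the Arvados controller). Assumptions: the "<5-char cluster id>-<type>-<suffix>" UUID layout, the "v2/<uuid>/<secret>" token shape, HMAC-SHA256 as a stand-in for the salting scheme, and the hypothetical @cfgs@ map and function names used to look up the master cluster's config.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// RemoteCluster holds the setting the page names: RemoteClusters.$id.AuthenticateLocalUsers.
type RemoteCluster struct{ AuthenticateLocalUsers bool }
// ClusterConfig is a hypothetical in-memory view of one cluster's config.
type ClusterConfig struct{ RemoteClusters map[string]RemoteCluster }

// MasterCluster returns the cluster ID prefix; assumed layout "<5-char id>-<type>-<suffix>".
func MasterCluster(userUUID string) (string, error) {
	parts := strings.Split(userUUID, "-")
	if len(parts) != 3 || len(parts[0]) != 5 {
		return "", errors.New("malformed user UUID")
	}
	return parts[0], nil
}

// saltToken is a stand-in scheme (assumption): the secret becomes an HMAC bound to remoteID.
func saltToken(tokenUUID, secret, remoteID string) string {
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write([]byte(remoteID))
	return "v2/" + tokenUUID + "/" + hex.EncodeToString(mac.Sum(nil))
}

// TokenForRemote forwards the raw token only when the user's master cluster
// trusts remoteID; unknown clusters and missing entries fail closed to salting.
func TokenForRemote(cfgs map[string]ClusterConfig, userUUID, tokenUUID, secret, remoteID string) (string, error) {
	master, err := MasterCluster(userUUID)
	if err != nil {
		return "", err
	}
	if cfgs[master].RemoteClusters[remoteID].AuthenticateLocalUsers {
		return "v2/" + tokenUUID + "/" + secret, nil
	}
	return saltToken(tokenUUID, secret, remoteID), nil
}

func main() { // constructed sample: cluster aaaaa trusts bbbbb only, so ccccc gets a salted token
	cfgs := map[string]ClusterConfig{"aaaaa": {RemoteClusters: map[string]RemoteCluster{"bbbbb": {AuthenticateLocalUsers: true}}}}
	fmt.Println(TokenForRemote(cfgs, "aaaaa-tpzed-000000000000000", "aaaaa-gj3su-000000000000000", "s3cret", "ccccc"))
}
```

Because the lookup goes through the master cluster's entry for the remote, a remote that is absent from that config, or a user whose master cluster is unknown, never receives the unsalted secret.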