Synchronize federated claims with grants
Hi, just a quick question: is it possible to synchronize upstream IdP claims with user project grants? I know, currently it's possible to do a one-time sync using a Post Creation action. But the claims in the upstream IdP can change and that action only runs once (or is it run also on update, when the Automatic update is checked?)...
I mean there should be a Post Update trigger to solve this issue? As for Post Creation - it only runs once 😦
You can use the same to run post authentication to update claims.
@FFO what we need is to update grants (so only some users have access through "project roles exist" setting and it's been provisioned using the federated claims), i.e.:
this api call is only available in Post Creation trigger, that only runs once, how do we update Grants continuously?
Ah, sorry I thought we had that available on post-auth as well.
As an alternative you could use the http.module and call our api with a rest call to make this manipulation
Yeah, this was the alternative we thought about, but Post Update would be nice, but nevertheless thanks 🙏
Yeah we heard that! That is why actions v2 allow you to intercept the http call or in this case react to events made from zitadel.
FYI @fabienne just as an example of a real world use-case to benchmark v2 against 😄
@FFO yeah, this looks promising, but is it already available? maybe behind a feature flag?
V2 actions are available https://zitadel.com/docs/concepts/features/actions_v2
But they lack some things. I think events are not yet in there and so signature for the call made to your end.
ZITADEL Docs
By using ZITADEL actions V2, you can manipulate ZITADELs behavior on specific API calls, events or functions.