Hey there, I’ve been looking for a way to automatically assign some users certain roles (I’m referring to native Auth0 RBAC “core” roles, not the Auth Extension ones that live in app_metadata) based on their Okta Group membership via SCIM. I’m able to get the group membership information mapped correctly, but I think I’m stuck after this. The SCIM configuration doesn’t seem to have any additional mapping syntax to manage the user’s assigned roles. I’ve also thought about using Actions for this, but there doesn’t seem to be any triggers that would run after SCIM user updates.
So far I can think of only two ways to accomplish this, both with drawbacks:
- Run an Auth0 Management API client inside the post-login Action to assign user roles based on profile information. However this seems like a very heavy-handed approach, and also I have no idea if it’s too late for roles assigned during the post-login Action to affect the built-in RBAC checks for the login session
- Run an periodic external cron job to reconcile every user’s SCIM-synced profile and roles. While this would definitely work it seems to go against the spirit of SCIM’s identity-sourced pushes. There will necessarily be a period of time when the roles are inconsistent.
I’m wondering if I’m missing something in the Auth0 docs, or if these are really my options right now?