Sync Active Directory roles with Auth0 roles

We have an application that is using Auth0 as the SP.

There is an Enterprise SAML connection to internal (acting as IdP), which is authenticating users to our internal Active Directory.

We are looking at options to provide users certain roles / permissions in the application. Currently Active Directory is the authoritative store as to who has a certain role, based on groups.

The internal users are added to a specific Active Directory group which provides them certain roles in the application. We can pass this as an attribute, part of the token, to Auth0.

However, we also have a requirement where we need to provide a list of users in a certain role (within the application).

  1. I can add this to the tokens passed to the app using rules. This would provide the user who is signing in the correct roles; however, it does not help with the drop-down list.

  2. Can we have it update the roles in Auth0 (add the user as a member of an Auth0 role)? These roles would then get added to the user's access token. This would provide the user who is signing in the correct roles; however, it does not help with the drop-down list. However, it may provide the option for the application to query Auth0 as to what accounts are in a role.

Options to provide the drop-down list in the application:

  1. Have the app query Auth0 to see who is a member of a certain role, to then display a menu.
  2. Have the app query Active Directory directly to collect the users in a certain role / group.
  3. Have the app query another database that has the users listed who are in a certain role (somehow we sync it with Active Directory based on group membership).

Question 1
What is the best option / design for the app?
If we need to add users to a role in Auth0, can it be done automatically via the SAML connection, maybe during logon? How can this be done?

Question 2
Is there a way to sync these Active Directory groups to Auth0 roles on a schedule (not just during authentication)?
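The two mechanisms the question compares, as an added example that is not part of the original post or of Auth0's own code: one group-to-role mapping feeds both a rule-style function that stamps application roles into the token at login (option 1) and a diff-based sync that makes Auth0 role membership mirror Active Directory, usable at login or from a scheduled job (option 2 / Question 2). Everything concrete here is assumed: the SAML connection is taken to map the AD group attribute onto `user.groups`, the group DNs and claim namespace are placeholders, and the management client is an injected interface with an in-memory mock rather than real Auth0 Management API SDK calls, whose method names differ between SDK versions.

```javascript
// Added example; not the original poster's or Auth0's code.
// Assumption: the SAML attribute mapping puts AD group DNs on `user.groups`.
// The group DNs below are constructed placeholders for an example domain.
const GROUP_TO_ROLE = {
  "CN=App-Admins,OU=Groups,DC=corp,DC=example": "admin",
  "CN=App-Editors,OU=Groups,DC=corp,DC=example": "editor",
  "CN=App-Viewers,OU=Groups,DC=corp,DC=example": "viewer",
};

// Map raw AD group memberships to application roles. Unknown groups are
// ignored, so unrelated AD groups never leak into tokens or Auth0 roles.
function rolesFromGroups(groups) {
  const roles = new Set();
  for (const g of groups || []) {
    const role = GROUP_TO_ROLE[g];
    if (role) roles.add(role);
  }
  return [...roles].sort();
}

// Option 1: a rule-style function (user, context, callback) that writes the
// derived roles into the ID and access tokens. Auth0 requires custom claims
// to be namespaced; the namespace URL is a placeholder.
const CLAIM_NS = "https://example.com/claims/";
function addRolesToToken(user, context, callback) {
  const roles = rolesFromGroups(user.groups);
  context.idToken[CLAIM_NS + "roles"] = roles;
  context.accessToken[CLAIM_NS + "roles"] = roles;
  return callback(null, user, context);
}

// Option 2 / Question 2: compute which Auth0 roles to assign or remove so
// Auth0 mirrors AD. AD is authoritative, so a role no longer backed by a
// group is removed rather than left in place.
function roleSyncDiff(currentAuth0Roles, groups) {
  const desired = new Set(rolesFromGroups(groups));
  const current = new Set(currentAuth0Roles);
  return {
    add: [...desired].filter((r) => !current.has(r)).sort(),
    remove: [...current].filter((r) => !desired.has(r)).sort(),
  };
}

// Apply the diff through an injected client. Assumption: the caller wraps
// the real Management API behind getUserRoles/assignRoles/removeRoles.
async function syncUserRoles(client, userId, groups) {
  const current = await client.getUserRoles(userId);
  const diff = roleSyncDiff(current, groups);
  if (diff.add.length) await client.assignRoles(userId, diff.add);
  if (diff.remove.length) await client.removeRoles(userId, diff.remove);
  return diff;
}

// Scheduled sync: walk a snapshot of AD memberships ({ userId: [groups] },
// constructed by the job from AD) and reconcile every user.
async function scheduledSync(client, directorySnapshot) {
  const report = {};
  for (const [userId, groups] of Object.entries(directorySnapshot)) {
    report[userId] = await syncUserRoles(client, userId, groups);
  }
  return report;
}

// In-memory stand-in for the Management API so the example runs offline.
// usersInRole is what the drop-down list (option 1 of the list) would query.
function makeMockClient(initialRoles) {
  const state = new Map(
    Object.entries(initialRoles).map(([u, r]) => [u, new Set(r)])
  );
  return {
    async getUserRoles(id) { return [...(state.get(id) || [])].sort(); },
    async assignRoles(id, roles) {
      const s = state.get(id) || new Set();
      roles.forEach((r) => s.add(r));
      state.set(id, s);
    },
    async removeRoles(id, roles) {
      const s = state.get(id);
      if (s) roles.forEach((r) => s.delete(r));
    },
    async usersInRole(role) {
      return [...state].filter(([, s]) => s.has(role)).map(([u]) => u).sort();
    },
  };
}

// Constructed sample data: alice was demoted in AD, bob was promoted.
const SAMPLE_AD = {
  "samlp|alice": ["CN=App-Viewers,OU=Groups,DC=corp,DC=example"],
  "samlp|bob": ["CN=App-Admins,OU=Groups,DC=corp,DC=example",
                "CN=Unrelated,OU=Groups,DC=corp,DC=example"],
};
const SAMPLE_AUTH0 = { "samlp|alice": ["admin", "viewer"], "samlp|bob": [] };

async function demo() {
  const client = makeMockClient(SAMPLE_AUTH0);
  const report = await scheduledSync(client, SAMPLE_AD);
  return { report, admins: await client.usersInRole("admin") };
}
```

Whichever trigger runs the sync, the same `roleSyncDiff` decides the change, so login-time and scheduled reconciliation cannot disagree; the removal branch is what keeps a user who left an AD group from retaining the Auth0 role, which the token-only approach never revokes for users who stop logging in.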

I’m having the same problem right now. Have you already solved it?