Closed
Description
This task is about onboarding organization members by federating their accounts from the identity provider associated with an organization.
The basic flow will be as follows:
- By reaching the authorization endpoint, the server will first ask for the username only (no credentials). In other words, it executes an identity-first login.
- Once the user provides a username and the value is an e-mail address whose domain matches the domain of an organization, the user is automatically redirected to the identity provider associated with that organization.
- Once the user is authenticated at the identity provider and redirected back to the organization's realm, the regular first broker login flow is executed where, at the end, the federated user is added as a member of the organization.
The following constraints will be enforced when onboarding organization members from an identity provider:
- If the e-mail returned by the identity provider (e.g., as a result of calling the user info endpoint) does not match the organization domain, the flow will stop.
- Using a broker not associated with an organization that matches the e-mail domain of the user will stop the flow.
- When no organization identity provider applies, the authentication flow falls back to the default steps configured for the browser flow (for instance, asking for a username and password).
- There is no way to choose among identity providers when providing the username on the login page.
- Linking accounts (when an account with the same e-mail already exists) should work just as when using a regular identity provider (one not bound to an organization).
- Only a single identity provider per organization is supported.
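The two decision points in the flow above (routing on the username's e-mail domain, then re-checking the e-mail and broker when the user comes back from the identity provider) as an added, stand-alone illustration; this is not Keycloak's own code, and the organization names, domains and identity provider aliases are constructed.

```python
# Added illustration of the onboarding rules described in this issue; not Keycloak's
# own code. Organization names, domains and IdP aliases below are constructed.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Organization:
    name: str
    domains: frozenset          # e-mail domains the organization owns
    idp_alias: Optional[str]    # the single identity provider bound to it (or None)

ORGS = [
    Organization("acme", frozenset({"acme.example"}), "acme-oidc"),
    Organization("globex", frozenset({"globex.example"}), None),
]

def email_domain(value: str) -> Optional[str]:
    """Return the lower-cased domain of an e-mail address, or None if not an e-mail."""
    local, sep, domain = value.rpartition("@")
    if not sep or not local or not domain:
        return None
    return domain.lower()

def org_for_domain(domain: str) -> Optional[Organization]:
    return next((o for o in ORGS if domain in o.domains), None)

def identity_first_step(username: str) -> str:
    """Step 1: only a username is collected. Decide where the flow goes next.
    Returns the IdP alias to redirect to, or "default-browser-flow" when no
    organization/IdP matches (the user then sees the regular username+password steps)."""
    domain = email_domain(username)
    org = org_for_domain(domain) if domain else None
    if org is None or org.idp_alias is None:
        return "default-browser-flow"
    return org.idp_alias

def on_broker_callback(broker_alias: str, idp_email: str) -> str:
    """Step 2: the user returns from the identity provider. Enforce the two
    constraints from the issue before the first broker login flow adds the
    member: the broker must be the one bound to the organization that owns
    the e-mail domain reported by the IdP (e.g. from its user info endpoint)."""
    domain = email_domain(idp_email)
    org = org_for_domain(domain) if domain else None
    if org is None:
        return "stop: e-mail domain does not belong to any organization"
    if org.idp_alias != broker_alias:
        return "stop: broker is not associated with the organization for this domain"
    return f"continue: onboard member of {org.name}"
```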