Feature Wiki

Role assignment of local roles for OpenID Connect (OIDC) Authentication

1 Initial Problem

The current OpenID Connect implementation in ILIAS supports role assignment for global roles only. Local roles are not supported, so the advantages of local roles in "private" categories of the repository cannot be used. Although global roles can be maintained for the same purpose, this quickly becomes error-prone and time-consuming.
Side note: other authentication providers (e.g. LDAP) already support role assignment of local roles. Reusing that mechanism would streamline the OpenID Connect implementation.

2 Conceptual Summary

The OpenID Connect implementation should be extended to support role assignment of local roles too (ideally both user defined and automatically generated local roles).

  • Add new form or enhance currently available form to be able to add/change/delete assignment rules for local roles too.
    • The list of local roles can be very long, so a static list (as used today for global roles) does not seem to be the best solution
    • perhaps reuse and adapt the LDAP role assignment form for use with OpenID Connect
  • Automatically assign and/or synchronize (add/change/delete) local roles for ILIAS user accounts as well, based on the OpenID Connect information received at login.

Important: We would like to use the "UI Inputs" and the "UI Table" and put form and table on separate views.

3 User Interface Modifications

3.1 List of Affected Views

  • Administration > Authentication and Registration > OpenID Connect > Role Assignment

3.2 User Interface Details

The role assignment form could be extended with regular input elements as follows (mockup very similar to the LDAP authentication role assignment).

3.3 New User Interface Concepts

There are no completely new elements; all user interface elements are already in use for LDAP authentication at least.

3.4 Accessibility Implications

There aren't any known new accessibility implications.

4 Technical Information

All functions such as selecting roles, the UI and the mapping are already implemented in the LDAP auth provider. The only new code is extracting the required information from the OIDC token (claims) instead of the LDAP result. It should be checked how much code can be reused and whether moving it to a more central module such as Authentication would be preferable to two separate implementations.
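The claim-to-role mapping and login-time synchronisation described in sections 2 and 4, as an added Python illustration (not ILIAS code, which is PHP, and not the LDAP provider's implementation): rules reference local roles by numeric id rather than by title, claims are read only from an ID token that has already been verified, and synchronisation removes only roles that some rule manages. All role ids, claim names and group values are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One role-assignment rule: if the verified token claim `claim`
    contains `value`, the user gets the local role with id `role_id`."""
    claim: str
    value: str
    role_id: int  # numeric role id, never the title: titles may collide


# Constructed sample rules (hypothetical role ids and group names).
RULES = [
    Rule("groups", "math-tutors", 4101),
    Rule("groups", "cs-students", 4205),
    Rule("groups", "alumni", 4310),
]

# Constructed sample of claims from an ID token whose signature, issuer,
# audience and expiry have ALREADY been verified by the OIDC client.
SAMPLE_CLAIMS = {"sub": "user-42", "groups": ["math-tutors", "cs-students"]}


def roles_from_claims(claims: dict, rules: list[Rule]) -> set[int]:
    """Return the ids of all roles whose rule matches the claims.
    Comparison is exact and case-sensitive; a claim may be a single
    value or a list (e.g. 'groups'); a missing claim matches nothing."""
    wanted = set()
    for rule in rules:
        raw = claims.get(rule.claim)
        values = raw if isinstance(raw, list) else [raw]
        if rule.value in values:
            wanted.add(rule.role_id)
    return wanted


def sync_local_roles(current: set[int], claims: dict, rules: list[Rule]):
    """Compute (to_add, to_remove) for one login.
    Only roles that some rule manages are ever removed, so local roles
    an administrator assigned by hand survive the synchronisation."""
    managed = {rule.role_id for rule in rules}
    wanted = roles_from_claims(claims, rules)
    return wanted - current, (current & managed) - wanted


if __name__ == "__main__":
    # 99 is a hand-assigned role no rule knows about; 4310 was granted
    # earlier by a rule that no longer matches this token.
    print(sync_local_roles({4310, 99, 4101}, SAMPLE_CLAIMS, RULES))
```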

5 Privacy

The SSO role assignment specifies which ILIAS role will be assigned to a user account. No other personal data is processed.

6 Security

There aren't any known special security-relevant changes.

7 Contact

8 Funding

If you are interested in funding this feature, please add your name and institution to this list.

  • perhaps SID (but still to clarify conditions)

9 Discussion

Seeland, Per Pascal [PerPascalSeeland] Thanks for this proposal. Aligning the role mapping between ldap and oidc does make a lot of sense, as they are both very similar.

JourFixe, ILIAS [jourfixe], 12 JUN 2023: We highly appreciate this request and schedule the feature for ILIAS 9. To clarify the UI modification: unlike shown in chap 3.2 there will no longer be a form and a table on one screen but one table for active rules and a button in the tool bar to create a new rule (triggering a modal with the necessary inputs).

Jansen, Michael [mjansen]: In the legacy form (in ILIAS 8) used for the LDAP local role assignments, an autocomplete field is used which offers suggestions while typing.

As far as we know there is currently no support for autocompletes in the UI framework? Is there any alternative that can be used to make a local role search/selection user-friendly? Even the new UI tag input does not offer a backend data source; all possible suggestions have to be provided at render time, which could be a huge list.

Alternative: As it is a feature for administrators, we could of course require administrators to enter the local role titles. A server-side validation will be implemented anyway.

Could we also re-schedule this for ILIAS 10? We will not be able to finish this for ILIAS 9.

JourFixe, ILIAS [jourfixe], 07 AUG 2023: We want to keep the current functionality of autocompleting role titles and need therefore a new input field in the UI framework that supports TypeAhead. Feature is re-scheduled for ILIAS 10.

Tesche, Uwe [utesche] 07 AUG 2023: The corresponding autocompletion functionality for LDAP lacks the ability to distinguish local roles with identical titles. A PR for LDAP to address this problem is still open: https://github.com/ILIAS-eLearning/ILIAS/pull/3191.
Maybe, when implemented for OpenID, this can be deployed to LDAP too.

10 Implementation

{ The maintainer has to give a description of the final implementation and add screenshots if possible. }

Test Cases

Test cases completed at {date} by {user}

  • {Test case number linked to Testrail} : {test case title}

Privacy

Information in privacy.md of component: updated on {date} by {user} | no change required

Approval

Approved at {date} by {user}.

Last edited: 23. Aug 2023, 13:23, Jansen, Michael [mjansen]