providers/scim: modify filtergroup(s) behavior to allow (multi-)group filtering

[ImmanuelVonNeumann]

Details

This PR aims to change add group filtering to the SCIMProvider by incorporating the following changes:

• Rename and modify filter_group to filter_groups (including django migrations to keep a previously selected filter_group present)
• Multiple groups can be selected as filter_groups
• Only groups within filter_groups are synced to the SCIM Server
• Only users which are members of at least one group within filter_groups are synced to the SCIM Server

Reason:
Most SCIM Clients allow groups to be filtered, however authentik currently does not.
This issue has been mentioned in #6065 which has been given the enhancement/confirmed-label.

Among the many use-cases one would be a multi-tenant setup where groups of one tenant should not be visible to another tenant.

Note

Since this does change group-syncing behavior (i.e. not syncing previously synced groups anymore) I suggest this change to be implemented in a major release.
Additionally, blueprints for scim_providers need to adapt to the new name filter_groups.

Fixes #6065

---

Checklist

• Local tests pass (ak test authentik/)
• The code has been formatted (make lint-fix)

If an API change has been made

• The API schema has been updated (make gen-build)

If changes to the frontend have been made

• The code has been formatted (make web)

If applicable

• The documentation has been updated
• The documentation has been formatted (make website)

[netlify]

✅ Deploy Preview for authentik-storybook canceled.

Name	Link
🔨 Latest commit	a732c97
🔍 Latest deploy log	https://app.netlify.com/sites/authentik-storybook/deploys/67efca6a20e4e10008e7a6cf

[netlify]

✅ Deploy Preview for authentik-docs canceled.

Name	Link
🔨 Latest commit	a732c97
🔍 Latest deploy log	https://app.netlify.com/sites/authentik-docs/deploys/67efca6a87273a0008a79fd6

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 92.82%. Comparing base (d72def0) to head (7a54990).
Report is 39 commits behind head on main.

✅ All tests successful. No failed tests found.

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #13550      +/-   ##
==========================================
+ Coverage   92.77%   92.82%   +0.05%     
==========================================
  Files         794      797       +3     
  Lines       40545    40857     +312     
==========================================
+ Hits        37614    37926     +312     
  Misses       2931     2931              

Flag	Coverage Δ
e2e	47.78% <1.78%> (-0.21%)	⬇️
integration	24.12% <0.89%> (-0.16%)	⬇️
unit	90.60% <100.00%> (+0.06%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[BeryJu]

Hi, thanks for the PR!

When I added the filter_group it was actually more so thought of as a "temporary" solution with the intended solution being that the SCIM provider would use the policies bound to the application the provider is a backchannel provider of to figure out which users to sync. However this would still leave room for either always syncing all groups or syncing all groups the synced users in.

There is also an already existing option for doing this more dynamically which is having a custom user/group mapping that dynamically raises SkipObject, which allows for more fine-grained rules for skipping certain objects

[ImmanuelVonNeumann]

Hi, thanks for the PR!

When I added the filter_group it was actually more so thought of as a "temporary" solution with the intended solution being that the SCIM provider would use the policies bound to the application the provider is a backchannel provider of to figure out which users to sync. However this would still leave room for either always syncing all groups or syncing all groups the synced users in.

There is also an already existing option for doing this more dynamically which is having a custom user/group mapping that dynamically raises SkipObject, which allows for more fine-grained rules for skipping certain objects

Thanks for your fast response, @BeryJu!

From my understanding the final solution could be that:

• Users who have access to the connected application are being synced
• Groups who are in filter_groups are being synced
• Users gain memberships for groups they are in if the group is also within filter_groups (since others are not synced)

Is this correct?

---

One further question: I could not find documentation on the implications of the field "filterset_fields" within the model.
Is there a documentation for it?

[BeryJu]

Hi, thanks for the PR!
When I added the filter_group it was actually more so thought of as a "temporary" solution with the intended solution being that the SCIM provider would use the policies bound to the application the provider is a backchannel provider of to figure out which users to sync. However this would still leave room for either always syncing all groups or syncing all groups the synced users in.
There is also an already existing option for doing this more dynamically which is having a custom user/group mapping that dynamically raises SkipObject, which allows for more fine-grained rules for skipping certain objects

Thanks for your fast response, @BeryJu!

From my understanding the final solution could be that:

• Users who have access to the connected application are being synced
• Groups who are in filter_groups are being synced
• Users gain memberships for groups they are in if the group is also within filter_groups (since others are not synced)

Correct, I think having SkipObject in a property mapping as an advanced option makes sense but having a static list of groups to sync is a more accessible way. We can add the policy-based user-filtering at a later stage.

One potential issue that could arise when this is merged is what happens with groups that were previously provisioned and are now outside of the group filter, they would still exist in authentik and the remote system but would not get further updates (and currently would not be correctly deletable iirc)

Is this correct?

One further question: I could not find documentation on the implications of the field "filterset_fields" within the model. Is there a documentation for it?

filterset_fields comes from django-filters, see https://django-filter.readthedocs.io/en/latest/guide/rest_framework.html

[ImmanuelVonNeumann]

One potential issue that could arise when this is merged is what happens with groups that were previously provisioned and are now outside of the group filter, they would still exist in authentik and the remote system but would not get further updates (and currently would not be correctly deletable iirc)

I believe so, if the previously sent state is not currently being tracked.
Also group-membership would only be synced for filtered groups.

To solve this, the sent state would need to be tracked so that differences to it can be identified and remediated on the next sync.

filterset_fields comes from django-filters, see https://django-filter.readthedocs.io/en/latest/guide/rest_framework.html

Thanks!

[ImmanuelVonNeumann]

I believe the checks failed due to issues in uv, can we do a rerun of failed jobs?

[rissson]

@ImmanuelVonNeumann you might need to git merge main for the issues to go away

[tanberry]

Thank you @ImmanuelVonNeumann for this PR (and for the detailed description, much appreciated!). From a Docs perspective, the only comment/question is whether we should tell users how to configure the group filters, but maybe that is outside of this PR's scope, and/or super-simple and doesn't need further explanation? Otherwise it looks great to me, and thanks for remembering to update the docs!

[ImmanuelVonNeumann]

From a Docs perspective, the only comment/question is whether we should tell users how to configure the group filters, but maybe that is outside of this PR's scope, and/or super-simple and doesn't need further explanation?

I agree.
Additionally, I believe this sentence from the docs change might be confusing:

Additionally, optional group filters can be configured to only synchronize the users that are members of the selected groups and the groups themselves.

I can work on an updated version where:

• Documentation about group filters is moved into a sub-header within "Filtering"
• That section contains an explanation about where group filters can be configured
• Impact of the selected group filters is better outlined

[rissson]

Additional feedback from existing users of the feature, this is actually a breaking change, and would prevent all groups from being synced, even if filtering users.

[ImmanuelVonNeumann]

Additional feedback from existing users of the feature, this is actually a breaking change, and would prevent all groups from being synced, even if filtering users.

Thank you very much for your feedback @rissson
However, I am not sure if I understand you correctly.

If you are saying that previously synced groups will not be synced when using a filter group, then that is indeed correct.

While the same users will be synced, with this change, the groups fill also be filtered by the selected filter groups.
However, from my understanding this is more in line with the filtering logic of most IdP solutions.

I have also noted this in the PR:

Since this does change group-syncing behavior (i.e. not syncing previously synced groups anymore) I suggest this change to be implemented in a major release. Additionally, blueprints for scim_providers need to adapt to the new name filter_groups.

Some of the benefits I see here:

• Only groups that are designed for a specific scim sync are being evaluated (currently syncing can fail due to the scim-server. For example if the server expects a specific group attribute)
• Currently, groups cannot be isolated in the scim sync which can lead to information exposure when authentik is used with multi-tenancy (group from clientA will be synced to the scim-server of clientB)
• More in line with other IdP solutions (as noted above)

Alternatively, another attribute could be used for group-filtering.
However, I chose not to do this as it would be confusing to have an attribute named "filter group" and an additional attribute used to filter groups.

[ImmanuelVonNeumann]

@rissson I think I understand your point better now (please correct me if wrong).

As long as user-filtering is tied to filter groups there are use-cases (especially when groups shared among multiple "filter groups" are involved) which cannot be implemented with this solution.

Example:
There are two SCIM servers for it- and non-it personnel. However there is a group "first responder" which intersects both groups and should be available on both servers.
The only solution is to add this group to both filter groups, which in turn now syncs all members of "first responder", (even non-it/it personnel) to both servers.

I think the best solution here would be as mentioned by @BeryJu

When I added the filter_group it was actually more so thought of as a "temporary" solution with the intended solution being that the SCIM provider would use the policies bound to the application the provider is a backchannel provider of to figure out which users to sync. However this would still leave room for either always syncing all groups or syncing all groups the synced users in.

Where the sync of users is determined by their permissions to "view" the application of the backchannel provider and sync of groups is determined by the filter groups attribute.

[ImmanuelVonNeumann]

Closing this in favor of #13947