Story #13255
Updated by Peter Amstutz almost 7 years ago
Currently, a user who authenticates for the first time to a "local" cluster using their existing account at a "remote" cluster (their "home" cluster) is automatically activated if
* Their account is active at their "home" cluster, *and*
* "Auto-activate new users" is enabled on the local cluster.
Otherwise, the user lands in an inactive account.
Options:
* auto activate federated remote accounts
* allow specific approval and activation of remote accounts (??? does this mean current behavior?)
h2. Proposed behaviors
* API configuration disables local logins: when visiting the API server's login endpoint, redirect to the login endpoint of the default "home" cluster, user will still be (eventually) returned to "remote" workbench. "Home" API server needs to know to send a _salted_ token back to the remote workbench. This should probably also imply honoring the "is_active" flag.
* Auto activate: list of cluster ids for which it honors the "is_active" flag (current behavior is to ignore the is_active flag and use the local cluster's autoactivate policy)