Q1. What is the problem that you are trying to solve?
Currently, when using Microsoft Entra ID (Azure AD) for SSO with Passbolt, group memberships must be managed separately in Passbolt. This creates duplicate administrative work and increases the risk of inconsistencies between Entra ID and Passbolt.
Success measure: When a user’s group membership changes in Entra ID, Passbolt automatically updates its groups without manual intervention.
Q2. Who is impacted?
This affects all organizations using Microsoft Entra ID for identity management and Passbolt for password sharing. For large enterprises with multiple teams and dynamic group memberships, the benefit is significant. It could impact hundreds or thousands of users in such environments.
Q3. Why is it important and/or urgent?
It is strategic because it aligns with centralized identity and access management best practices. Many organizations aim to reduce redundant administration and enforce least privilege through automated group-based access. This feature would also improve security and compliance by ensuring group membership is always up to date.
It supports projects where Passbolt is integrated into enterprise IAM workflows.
Q4. What is your proposed solution? (optional)
Enable Passbolt to read Entra ID group claims from the OIDC token during SSO and map them to Passbolt groups.
- Allow mapping by Object ID, sAMAccountName, or display name.
- Provide configuration options for filtering which groups are included.
- Handle Entra ID token size limits gracefully (e.g., fallback when the “groups” claim is omitted due to overage).
Example User Story:
As an administrator, when a user logs in via Entra ID SSO, their Passbolt group memberships are automatically updated based on Entra ID group claims, so that I don’t need to manage groups twice.
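The following is an added illustration of the proposed mapping logic; it is not Passbolt code and not part of the original request. It assumes the ID token has already been signature- and audience-verified, that the mapping table, group names and token payloads are constructed sample data, and that the Microsoft Graph lookup used for the overage case is supplied by the caller as a callable. It shows the three pieces the proposal asks for: reading the `groups` claim (or detecting that Entra ID omitted it because of overage), mapping claim values to Passbolt groups by Object ID or display name with an optional include filter, and computing the membership delta without touching groups that are not under SSO management.

```python
"""Added example (not Passbolt's code): map Entra ID group claims from an
OIDC ID token to Passbolt groups and compute the membership delta.

Assumptions (constructed for illustration):
  - `claims` is the verified payload of the ID token.
  - Group names, Object IDs and the mapping table are invented sample data.
  - The Graph lookup for the overage case is a caller-supplied callable.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, Optional


@dataclass(frozen=True)
class GroupMapping:
    # kind selects the Entra attribute the rule matches on: "object_id"
    # (stable GUID, survives renames), "sam_account_name" (only emitted for
    # synced on-prem groups when group claims are configured for it) or
    # "display_name".
    kind: str
    entra_value: str
    passbolt_group: str


@dataclass
class GroupClaimResult:
    groups: list                      # values of the groups claim, if present
    overage: bool                     # True when Entra omitted the claim
    overage_endpoint: Optional[str] = None


def read_group_claims(claims: dict) -> GroupClaimResult:
    """Extract group values and detect the Entra ID overage condition.

    When a user is in more groups than Entra will embed (150 for SAML,
    200 for JWT), the "groups" claim is omitted and replaced by
    _claim_names/_claim_sources pointing at Microsoft Graph, or by
    hasgroups=true in implicit-flow tokens."""
    if "groups" in claims:
        return GroupClaimResult(list(claims["groups"]), overage=False)
    source_key = (claims.get("_claim_names") or {}).get("groups")
    if source_key is not None:
        src = (claims.get("_claim_sources") or {}).get(source_key, {})
        return GroupClaimResult([], True, src.get("endpoint"))
    if claims.get("hasgroups"):
        return GroupClaimResult([], True)
    return GroupClaimResult([], False)


def resolve_passbolt_groups(values: Iterable[str], mappings, kind: str,
                            include_filter: Optional[Iterable[str]] = None) -> set:
    """Map Entra values of the given kind to Passbolt group names and apply
    an optional allow-list of Passbolt groups that may be synced."""
    by_value = {m.entra_value: m.passbolt_group for m in mappings if m.kind == kind}
    resolved = {by_value[v] for v in values if v in by_value}
    if include_filter is not None:
        resolved &= set(include_filter)
    return resolved


def plan_sync(claims: dict, mappings, current_groups: Iterable[str],
              kind: str = "object_id", include_filter=None,
              fetch_groups_from_graph: Optional[Callable] = None):
    """Return (add, remove) sets of Passbolt groups for this login.

    Overage handling: if the claim was omitted and no Graph fallback is
    configured, change nothing rather than stripping the user's groups."""
    result = read_group_claims(claims)
    if result.overage:
        if fetch_groups_from_graph is None:
            return set(), set()       # graceful no-op; log it in real code
        values = fetch_groups_from_graph(claims["oid"], result.overage_endpoint)
    else:
        values = result.groups
    desired = resolve_passbolt_groups(values, mappings, kind, include_filter)
    # Only groups that SSO manages may be removed; local-only groups are kept.
    managed = (set(include_filter) if include_filter is not None
               else {m.passbolt_group for m in mappings if m.kind == kind})
    current = set(current_groups)
    return desired - current, (current & managed) - desired


# Constructed sample data: invented Object IDs and Passbolt group names.
MAPPINGS = [
    GroupMapping("object_id", "11111111-aaaa-4bbb-8ccc-000000000001", "Engineering"),
    GroupMapping("object_id", "22222222-aaaa-4bbb-8ccc-000000000002", "Security"),
    GroupMapping("display_name", "Finance Team", "Finance"),
]
NORMAL_TOKEN = {"oid": "user-1", "groups": ["11111111-aaaa-4bbb-8ccc-000000000001",
                                            "33333333-unmapped"]}
OVERAGE_TOKEN = {"oid": "user-2", "_claim_names": {"groups": "src1"},
                 "_claim_sources": {"src1": {"endpoint": "https://graph.example/placeholder"}}}

if __name__ == "__main__":
    print(plan_sync(NORMAL_TOKEN, MAPPINGS, {"Security", "LocalOnly"}))
    print(plan_sync(OVERAGE_TOKEN, MAPPINGS, {"Engineering"}))
```

The fallback shape matters for the third bullet of the proposal: when Entra ID drops the `groups` claim, the safe default is to leave existing memberships alone (or query Graph) rather than interpret the missing claim as "no groups" and revoke access.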