Move from AD user source to OpenID identity provider

Hello,

I have a Perspective project with Ignition 8.1.43. For user authentication we are using an AD/Internal Hybrid (user_AD) user source and an internal user source as AD failover (user_internal). In addition, we synchronise user_internal from the user_AD source by scripting.

The Perspective project is set up with an automatically generated identity provider user_AD and the user source user_AD.

Now we want to move to an OpenID identity provider, but we expect to maintain the roles defined in the user sources.

We have some doubts about the use of an OpenID identity provider:

  1. Is it feasible to match OpenID users with an internal user source automatically or using scripting? Some views and actions in Perspective are checking user roles.
  2. What happens if the identity provider fails? How can we use the internal user source as failover?
  3. Actually, we have set some users (administrators or API users) only on the internal user source because these are internal users and are not included in Active Directory. If we move to an OpenID IdP, can these users log in to the Perspective project?

Many thanks in advance

  1. No idea. If OpenID has an API, then probably yes.

  2. No. Only an internal Identity Provider can fail over, as that is a property of the user source. Identity providers themselves have no failover functionality at all.

  3. No.

As @pturmel said on everything, you're going to be at the mercy of the IdP you use. If you need to maintain some internal users, you're going to have to use project inheritance to have one project use the internal IdP and the other use the external IdP. You'll have to use security levels and mapping to get them to both line up to the same Authenticated/Roles/whatever roles though to make your life easier (you did use the isAuthorized() function and not hasRole(), right?)
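To make the "line up to the same security levels" point concrete, here is an added illustration (not Ignition's own API and not code from this thread). It models a Perspective-style security-level tree (Authenticated/Roles/<role>) built from two different IdPs, an internal one using user_internal roles and an OpenID one mapping a constructed `groups` claim, and shows that one path-based check then works for both; the claim name, group names and `GROUP_TO_ROLE` mapping are assumptions.

```python
# Added illustration, not Ignition's API: model a Perspective-like security-level tree
# (list of {"name": ..., "children": [...]} nodes) and an isAuthorized-style path check.

def build_security_levels(mapped_roles):
    """Place every mapped role under Authenticated/Roles/<role>, as the IdP mapping would."""
    role_nodes = [{"name": r, "children": []} for r in sorted(set(mapped_roles))]
    roles_node = {"name": "Roles", "children": role_nodes}
    return [{"name": "Authenticated", "children": [roles_node]}]

def _has_path(nodes, parts):
    """Walk the tree following a path such as ["Authenticated", "Roles", "Operator"]."""
    for node in nodes:
        if node["name"] == parts[0]:
            return len(parts) == 1 or _has_path(node["children"], parts[1:])
    return False

def is_authorized(tree, level_paths, is_all_of=True):
    """Check security-level paths against the tree instead of checking raw role names."""
    hits = [_has_path(tree, path.split("/")) for path in level_paths]
    return all(hits) if is_all_of else any(hits)

# Constructed sample data: the same person as seen through each IdP (assumed names).
INTERNAL_USER = {"roles": ["Administrator", "Operator"]}   # from user_internal
OIDC_TOKEN = {"groups": ["ign-admins", "ign-operators"]}   # assumed id-token claim
GROUP_TO_ROLE = {"ign-admins": "Administrator", "ign-operators": "Operator"}  # assumed mapping

def levels_from_internal(user):
    return build_security_levels(user["roles"])

def levels_from_oidc(token):
    # Unmapped groups grant nothing; the user is still Authenticated, just with no roles.
    return build_security_levels(GROUP_TO_ROLE[g] for g in token["groups"] if g in GROUP_TO_ROLE)

def demo():
    """Same check, same answer, whichever IdP produced the session."""
    admin = ["Authenticated/Roles/Administrator"]
    return {
        "internal": is_authorized(levels_from_internal(INTERNAL_USER), admin),
        "oidc": is_authorized(levels_from_oidc(OIDC_TOKEN), admin),
        "unauthenticated": is_authorized([], admin),
    }

if __name__ == "__main__":
    print(demo())
```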