Hi
As you know, in the latest SiteMinder patches, a new feature has been added that allows filtering the authorized users on user stores when creating an OIDC provider.
My question is: why was this feature added on the "provider" side and not on the "client" side (as it happens for SAML, for example)?
I find it inconvenient because it makes me duplicate the provider configurations (the directory, the mapping between claims and attributes, the scopes and therefore the mapping between claims and scopes). Wouldn't it be better to have a single provider and then let each client choose the scope they need and optionally apply a filter on the authenticated user base?
There must be a reason why this design choice was made, and maybe in some cases it is more convenient as it is, but I can't figure it out right now.
By the way, I created an idea to allow filtering users on the client side as well (https://community.broadcom.com/idea/oidc-authorization-user-filters-on-oidc-client).
What do you think about that?
Marco