Hi all, how can I invite a new user (a dev) in our...
# gooddata-cloud
a
Hi all, how can I invite a new user (a dev) to our organization? We tried to add a user from the UI, but we do not know the OIDC ID. We tried to invite the user using the API, but we got an error:
Invitation endpoint is turned off.
We can't add our new devs to the organization. Could you help me, please?
f
Hey Alexandre, I’ve checked your GD Cloud Organization from my end. Allow me to explain what’s happening here.

During the Trial, your Org was configured to utilize GoodData’s OIDC provider. At this point, this is enforced by a Setting on our side, that both prevents admins from switching out of our OIDC, and also enables the Invite button + endpoint for creating new users (since the users do not have access to the OIDC). After an Org goes from Trial to Prod, we usually disable this Setting, to allow customers to switch to their own OIDC - which is the most common authentication use-case. This is explained in the article Set Up Authentication Using OpenID Connect Identity Provider.

In this case, the setting was turned off for your Org, but it looks like you haven’t made the switch to your own OIDC. While everything will still be functional, the problem is that you are unable to add more users to the Org without GoodData Support’s assistance (again - due to not having access to our OIDC settings, including the user auth IDs).

With all that said, you have a couple of options:

1. Switch to your own OIDC (using the instructions on the article I shared above) and manage your users from there
2. Remain with our OIDC but re-enable the Invite button via the Setting I mentioned (it will need to be disabled again once you are ready to proceed with Step 1)
3. Remain with our OIDC without switching the Setting, and have us add the users for you - which is more of a temporary measure.

Let me know which one you’d prefer, and if you have any further questions or comments!
a
Thank you for your complete answer, @Francisco Antunes. Our end users are connected to GoodData using JWT and a JWK key that is provisioned by us. We maintain the auth artifacts, private, public keys. This allows our users to be authenticated whenever they load the GoodData iframe. And this prevents them from logging directly into the GoodData UI. This part is already fully implemented on our side and it's working well.

As you see, we do not use our own OIDC provider for our devs (for now), and all of them (including me) are connected using the GoodData Auth0 provider. Could you let us use your Auth0 provider until we have implemented our own OIDC provider? We will have to pitch and provision some time to do so.

Now, we need to add some devs that will be able to access the GoodData UI outside the context of an end user. That means we must be able to invite them. Let me know, thank you.
f
All right, so it looks like we’re talking about Option 2 above - so you can have the Invite button back. There’s a couple of limitations to that choice, though:

• There will be a user limit of 100 users - with your use-case of only Dev users, I don’t think this should be a problem.
• Once (if) you decide to switch to your OIDC, it will be necessary to reach out to us so we disable the Setting enforcing our OIDC.

If you’re OK with both of those, I’ll be happy to request the Setting switch for you (it requires the input of another team, on our end - so it will likely take a little while). Let me know 🙂
a
Can you confirm that it will not block our end users from authenticating using the JWT token we generate for them? Our devs are the only ones that are connected to the GoodData UI. Our end users are all connected via IFRAME and JWT. If yes, I confirm that we would like to use your Auth0 provider as you suggested in Option 2. Thank you
f
It should not affect the JWT authentication - all the setting does, really, is prevent you from changing the OIDC settings on the organization + enabling the Invite endpoints. I will, however, highlight this internally and confirm that it will not harm your use-case before we proceed. So I’ll go ahead and send this to the Technical Support Team for confirmation and switching the Managed_OIDC setting back on, OK? Please sit tight and we’ll come back with an update when we have one 🙂
a
Yes, I confirm you can submit the support case. And thank you for your time. 🙏
b
Hello Alexandre, I have reenabled the invite functionality for your organization. The question is how many users you have. I have set the limit to 100, which is our enforced default when you are using our auth0 as the OIDC provider. But since (I assume) most of your users are utilizing the JWT tokens to access GoodData, it might not be sufficient.
a
Hello, thank you. We do not have more than 100 users, but it might be the case one day. If the 100 limit is just applied to the users using auth0, we are good.
b
We can only apply the limit per org, so we cannot differentiate between auth0 and JWT users. But if you hit the limit in the future, you can let us know either here or through your customer success manager and we will be able to help you (or maybe the solution will change somehow until then).
a
Yes, it should be OK. If we hit the 100 limit, we will implement our own OIDC for our devs.