We’re in the process of migrating from LDAP to Okta for authentication, so I’m revisiting how our policies are attached to users.
To test, I’ve set up identity groups externally aliased to groups in LDAP and Okta (“foo” in LDAP maps to “ldap-foo”; for Okta, “okta-foo”).
I’ve then attached the “can-do-foo” policy to both the “ldap-foo” and “okta-foo” groups and removed the direct mapping in LDAP and Okta.
Now, however, when I create a token and specify only the “can-do-bar” policy, I still get the “can-do-foo” policy attached.
I appreciate that I still have the same identity (just as I still have the same LDAP identity), but if I’m asking for a token with only certain policies, I definitely don’t want extra ones added.
We currently create identity tokens (tokens that identify someone, but have no policies attached) as a way to authenticate to some systems.
Is there a way to say -no-identity-policies - or should we avoid identities for now?
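A small model of the policy resolution the question describes, added here as an example (not part of the original post and not Vault's own code): the policies a token reports are the union of the policies named at creation and the identity policies derived from the entity's group membership, including external groups reached through an auth-method alias. The mount accessor strings, entity and alias names below are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Alias:
    mount_accessor: str   # which auth mount produced this alias (constructed value)
    name: str             # the user's name as reported by that auth method
    groups: set[str]      # group names the auth method returned at login


@dataclass
class Group:
    name: str
    policies: set[str]
    # external group: (mount_accessor, alias name) it is aliased to; None if internal
    alias: tuple[str, str] | None = None
    member_entity_ids: set[str] = field(default_factory=set)


@dataclass
class Entity:
    entity_id: str
    policies: set[str] = field(default_factory=set)
    aliases: list[Alias] = field(default_factory=list)


def identity_policies(entity: Entity, groups: list[Group]) -> set[str]:
    """Policies the entity inherits from itself and its groups, independent of the token."""
    result = set(entity.policies)
    for g in groups:
        direct = entity.entity_id in g.member_entity_ids
        via_alias = g.alias is not None and any(
            a.mount_accessor == g.alias[0] and g.alias[1] in a.groups for a in entity.aliases)
        if direct or via_alias:
            result |= g.policies
    return result


def effective_policies(requested: set[str], entity: Entity, groups: list[Group]) -> dict:
    """Mirror the three policy fields a token lookup reports for a token on this entity."""
    ident = identity_policies(entity, groups)
    return {"token_policies": set(requested), "identity_policies": ident,
            "policies": set(requested) | ident}


# Constructed scenario from the question: "foo" in LDAP and in Okta, each aliased to an
# external group (ldap-foo / okta-foo) that carries the can-do-foo policy.
LDAP_ACCESSOR, OKTA_ACCESSOR = "auth_ldap_example", "auth_okta_example"
GROUPS = [Group("ldap-foo", {"can-do-foo"}, alias=(LDAP_ACCESSOR, "foo")),
          Group("okta-foo", {"can-do-foo"}, alias=(OKTA_ACCESSOR, "foo"))]
ALICE = Entity("entity-alice", aliases=[Alias(LDAP_ACCESSOR, "alice", {"foo"}),
                                        Alias(OKTA_ACCESSOR, "alice", {"foo"})])
```

Running `effective_policies({"can-do-bar"}, ALICE, GROUPS)` shows "can-do-foo" arriving under identity_policies even though only "can-do-bar" was requested, which is the behaviour the question reports.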