Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[FEATURE REQUEST] SSO / Federated User/Role support #441

Open
collado-mike opened this issue Nov 8, 2024 · 0 comments
Open

[FEATURE REQUEST] SSO / Federated User/Role support #441

collado-mike opened this issue Nov 8, 2024 · 0 comments
Labels
enhancement New feature or request

Comments

@collado-mike
Copy link
Contributor

collado-mike commented Nov 8, 2024
edited
Loading

Is your feature request related to a problem? Please describe.

User management is complicated and can scale to thousands or tens of thousands of users for large enterprises. Group membership is frequently dynamic and privileges tied to group membership needs to be able to reflect group membership changes immediately.

Large enterprises typically use identity provider services, such as Okta, LDAP, or Google, to manage users and roles. These central IdPs are typically relied upon to communicate user authentication and group membership so that an administrator needs to make changes in a single central location and know that all peripheral applications will see those changes immediately.

Describe the solution you'd like

SSO and support for Federated Users and Federated Roles would allow defining users and roles as "federated" so that token generation and role membership is disallowed through the Polaris management APIs. I see the following changes being implemented:

  1. Support for multiple Authenticators to be configured - an admin could potentially have multiple IdPs that should be trusted to generate auth tokens. These tokens need to be inspected and validated in Polaris, potentially by making an API call to the IdP or by validating an encryption signature in a JWT.
  2. Extending the authentication flow to support just-in-time Principal creation - when a TokenBroker parses a token and returns a user that doesn't have a principal entity, one should be created from the token info. The Principal should be marked as federated in its internal_properties. A federated Principal does not have any clientId/secret stored and cannot generate a token in the /tokens API.
  3. Extending the authentication flow to support just-in-time PrincipalRole creation and assignment - when a TokenBroker parses a token, the scopes defined in the token should translate into PrincipalRole membership. These roles may not exist in Polaris, so should be created. The AuthenticatedPrincipal will implicitly have membership in these PrincipalRoles. The PrincipalRole should be marked as federated in its internal_properties. A federated PrincipalRole cannot be granted to non-federated Principals.
  4. federated Principals also cannot be granted membership to a non-federated PrincipalRoles - the tokens generated by the IdP will never include a non-federated PrincipalRole, so granting membership doesn't make sense.
  5. Both federated Principals and PrincipalRoles must have a federation_source - a federated Principal should only be granted access to PrincipalRoles that are defined for the same federation_source. A naming convention, such as a source prefix, should be considered to avoid name clashing of Principals and PrincipalRoles. It would be necessary to map scopes and usernames present in the token to the expected name of the created Principal/PrincipalRole.

Describe alternatives you've considered

No response

Additional context

No response
@collado-mike collado-mike added the enhancement New feature or request label Nov 8, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@collado-mike