Single Sign On: MGNLSSO-189

Custom SSO authorization generators


    • Type: New Feature
    • Resolution: Fixed
    • Priority: Neutral
    • 3.1.0, saas
    • 3.0.0
    • None
    • None
    • Yes
    • AdminX 30
    • 8

      Goal

      SSO 3.0.0 lacks a feature/interface to define a class to resolve groups.

      Example: for Azure, we receive group IDs instead of group names. We need to resolve these group IDs to names, but that is currently not possible; we would need group resolution there to map a group ID from Azure to a group name.

      Thoughts for discovery

      • One possible option is to include a custom authorization generator leveraging an SPI (service provider interface); this needs further discovery.
      • Another option might be providing out-of-the-box generators that are configurable, so that less custom code is needed to resolve groups.
        • Azure offers three ways of mapping group IDs to group names; it might be possible to check whether there are common patterns that could be implemented.

      Notes

      Discovery output

      • As discussed with mgeljic, we agreed to go with the Custom authorization generator leveraging SPI (Service provider interface). This approach will open the possibility for customization.
      • With that, we have to introduce a Service provider interface to allow customers to implement their own authorization generator in a custom module (jar file).
      • Specify a new predefined key, for example "customAuthorization", in the "oidc.authorizationGenerators" config property; then it will look up the custom authorization generator from the SPI, something like this in the YAML configuration:
      clients:
        oidc.id: ...
        oidc.secret: ...
        oidc.scope: ...
        oidc.discoveryUri: http://localhost:8180/realms/mgnl/.well-known/openid-configuration
        oidc.preferredJwsAlgorithm: RS256
        oidc.authorizationGenerators: customAuthorization

      Notes: Re: the second option, "providing out-of-the-box generators which might be configurable", this may not cover all cases of the customers' requirements, especially since Azure AD provides different ways to configure the groups/authorization. So we can't know which is the most common configuration pattern to create the OOTB generators for the IDPs (Azure, Okta, Keycloak).
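As an added illustration (not code from this issue or from the Magnolia SSO module), a sketch of what a customer-provided generator loaded through such an SPI could look like for the Azure case: the SPI interface, the package and class names, and the group-ID table are all assumptions, since the real contract is what this issue introduces.

```java
package com.example.sso; // hypothetical package; not part of the Magnolia SSO module
import java.util.*;

/**
 * Sketch of a custom authorization generator as proposed here: shipped in a customer jar,
 * registered for ServiceLoader in META-INF/services/com.example.sso.AzureGroupIdAuthorizationGenerator$AuthorizationGenerator
 * and selected via "oidc.authorizationGenerators: customAuthorization". The SPI contract
 * below is an assumption; the real interface is what MGNLSSO-189 defines.
 */
public final class AzureGroupIdAuthorizationGenerator
        implements AzureGroupIdAuthorizationGenerator.AuthorizationGenerator {

    /** Hypothetical SPI: map the ID token claims to Magnolia group names. */
    public interface AuthorizationGenerator {
        Set<String> resolveGroups(Map<String, Object> claims);
    }
    // Azure puts group object IDs in the "groups" claim; this table maps them to
    // Magnolia group names. Constructed sample IDs, not real tenant values.
    private final Map<String, String> idToName;
    public AzureGroupIdAuthorizationGenerator() { // ServiceLoader needs a public no-arg ctor
        this(Map.of("11111111-2222-3333-4444-555555555555", "editors",
                    "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", "publishers"));
    }
    public AzureGroupIdAuthorizationGenerator(Map<String, String> idToName) {
        this.idToName = Map.copyOf(idToName);
    }

    @Override
    public Set<String> resolveGroups(Map<String, Object> claims) {
        Object raw = claims.get("groups");
        if (!(raw instanceof Collection)) {
            return Collections.emptySet(); // fail closed: a missing/malformed claim grants nothing
        }
        Set<String> names = new TreeSet<>();
        for (Object id : (Collection<?>) raw) {
            String name = idToName.get(String.valueOf(id));
            if (name != null) { // unmapped IDs are dropped, never passed through as names
                names.add(name);
            }
        }
        return Collections.unmodifiableSet(names);
    }

    public static void main(String[] args) {
        Map<String, Object> claims = Map.of("groups", List.of(
                "11111111-2222-3333-4444-555555555555", "99999999-0000-0000-0000-000000000000"));
        System.out.println(new AzureGroupIdAuthorizationGenerator().resolveGroups(claims));
    }
}
```

Only IDs present in the table become group names; the unknown second ID in the sample claims is silently dropped, so a misconfigured or unexpected group can never widen access.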

        Acceptance criteria

          There are no Sub-Tasks for this issue.

              nguyen.phung Nguyen Phung Chi
              mrajkovic Matt Rajkovic
              AdminX
              Votes: 0
              Watchers: 5


                  Estimated: Not Specified
                  Remaining: Not Specified
                  Logged: 5d 7.5h