Project: Single Sign On
Issue: MGNLSSO-189

Custom SSO authorization generators

Details

    • New Feature
    • Resolution: Fixed
    • Neutral
    • 3.1.0, saas
    • 3.0.0
    • None
    • None
    • Yes
    • AdminX 30
    • 8

    Description

      Goal

      SSO 3.0.0 lacks a feature/interface to define a class to resolve groups.

      Example: for Azure, we receive group IDs instead of group names. We need to resolve these group IDs to names, but that is currently not possible: the module would need a group-resolution hook to map an Azure group ID to a group name.

      Thoughts for discovery

      • One possible option is to include a custom authorization generator leveraging an SPI (Service provider interface); this needs further discovery.
      • Another option might be providing out-of-the-box generators which are configurable, so that less custom code is needed to resolve groups.
        • Azure offers 3 ways of mapping group IDs to group names; it may be worth checking whether there are common patterns that could be implemented.

      Notes

      Discovery output

      • As discussed with mgeljic, we agreed to go with the Custom authorization generator leveraging SPI (Service provider interface). This approach will open the possibility for customization.
      • With that, we have to introduce a Service provider interface to allow customers to implement their own authorization generator in a custom module (jar file).
      • Specify a new predefined key, for example "customAuthorization", in the "oidc.authorizationGenerators" config property; when that key is present, the module looks up the custom authorization generator through the SPI. In the YAML configuration this would look like:

        clients:
          oidc.id: ...
          oidc.secret: ...
          oidc.scope: ...
          oidc.discoveryUri: http://localhost:8180/realms/mgnl/.well-known/openid-configuration
          oidc.preferredJwsAlgorithm: RS256
          oidc.authorizationGenerators: customAuthorization

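      The following is an added illustration of the SPI approach described above; it is not code from the Magnolia SSO module, and the interface name AuthorizationGenerator, the method generateGroups, the class names and the sample Azure group IDs are all assumptions made for the example. It shows a customer-side generator that maps Azure AD group object IDs from the "groups" claim to group names, and a lookup routine that consults java.util.ServiceLoader only when the configured value is the predefined key "customAuthorization". Unknown group IDs are dropped rather than passed through, so the identity provider cannot mint arbitrary group names by sending unexpected strings.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.ServiceLoader;
import java.util.Set;
import java.util.TreeSet;

// Added example, not the SSO module's own code. All type and method names are hypothetical.
public class CustomAuthorizationExample {

    /** Hypothetical SPI contract: takes the claims returned by the IdP, yields group names. */
    public interface AuthorizationGenerator {
        Set<String> generateGroups(Map<String, Object> claims);
    }

    /** Customer implementation: maps Azure AD group object IDs ("groups" claim) to group names. */
    public static class AzureGroupIdAuthorizationGenerator implements AuthorizationGenerator {
        private final Map<String, String> idToName;

        public AzureGroupIdAuthorizationGenerator(Map<String, String> idToName) {
            this.idToName = Collections.unmodifiableMap(new HashMap<>(idToName));
        }

        /** No-arg constructor as required by ServiceLoader; uses a constructed sample table. */
        public AzureGroupIdAuthorizationGenerator() {
            this(sampleMapping());
        }

        @Override
        public Set<String> generateGroups(Map<String, Object> claims) {
            Set<String> groups = new TreeSet<>();
            Object raw = claims.get("groups");
            if (!(raw instanceof Iterable)) {
                return groups; // no groups claim, or an unexpected shape: grant nothing
            }
            for (Object id : (Iterable<?>) raw) {
                String name = idToName.get(String.valueOf(id));
                // Only IDs present in the allowlist become group names; anything else is ignored.
                if (name != null) {
                    groups.add(name);
                }
            }
            return groups;
        }

        /** Constructed sample IDs; a real tenant's group object IDs would be configured here. */
        static Map<String, String> sampleMapping() {
            Map<String, String> m = new HashMap<>();
            m.put("1b2c3d4e-0000-4000-8000-000000000001", "editors");
            m.put("1b2c3d4e-0000-4000-8000-000000000002", "publishers");
            return m;
        }
    }

    /**
     * Mirrors the ticket's proposal: the predefined key "customAuthorization" triggers SPI lookup;
     * any other value would be handled by the module's built-in generators (not shown here).
     */
    public static List<AuthorizationGenerator> resolveGenerators(String configuredValue) {
        List<AuthorizationGenerator> found = new ArrayList<>();
        if (!"customAuthorization".equals(configuredValue)) {
            return found;
        }
        // Implementations are discovered from the customer's jar via the file
        // META-INF/services/CustomAuthorizationExample$AuthorizationGenerator
        // (use the fully qualified interface name of whatever package the real module uses).
        for (AuthorizationGenerator generator : ServiceLoader.load(AuthorizationGenerator.class)) {
            found.add(generator);
        }
        return found;
    }

    public static void main(String[] args) {
        // Constructed claims resembling an Azure AD ID token: two known IDs plus one unknown ID.
        Map<String, Object> claims = new HashMap<>();
        claims.put("sub", "user-123");
        claims.put("groups", Arrays.asList(
                "1b2c3d4e-0000-4000-8000-000000000001",
                "1b2c3d4e-0000-4000-8000-000000000002",
                "ffffffff-ffff-4fff-8fff-ffffffffffff"));

        AuthorizationGenerator generator = new AzureGroupIdAuthorizationGenerator();
        System.out.println("resolved groups: " + generator.generateGroups(claims));

        // Non-empty only when the services file above is on the classpath.
        System.out.println("SPI implementations found: " + resolveGenerators("customAuthorization").size());
    }
}
```

      The lookup is keyed on the exact configured string so that a typo in the YAML does not silently fall back to an SPI implementation, and the generator returns an empty set for a missing or malformed claim, which leaves the user with no group memberships rather than failing open.
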
      Notes: Regarding the second option ("providing out-of-the-box generators which might be configurable"): this may not cover all customer requirements, especially since Azure AD provides several different ways to configure groups/authorization. So we cannot know which configuration pattern is the most common one to build OOTB generators for the IdPs (Azure, Okta, Keycloak).

People

  nguyen.phung Nguyen Phung Chi
  mrajkovic Matt Rajkovic
  AdminX
  Votes: 0
  Watchers: 5

Time Tracking

  Estimated: Not Specified
  Remaining: Not Specified
  Logged: 5d 7.5h