Project: Single Sign On
Issue: MGNLSSO-189

Custom SSO authorization generators


Details

    • New Feature
    • Resolution: Fixed
    • Neutral
    • 3.1.0, saas
    • 3.0.0
    • None
    • None
    • Yes
    • AdminX 30
    • 8

    Description

      Goal

      SSO 3.0.0 lacks a feature/interface to define a class to resolve groups.

      Example: for Azure, we receive group IDs instead of group names. We need to resolve these group IDs to names, but that is currently not possible. We would need group resolution there to map a group ID from Azure to a group name.

      Thoughts for discovery

      • One possible option is to include a custom authorization generator leveraging SPI (Service Provider Interface); this needs further discovery.
      • Another option might be to provide out-of-the-box generators that are configurable, so that less custom code is needed to resolve groups.
        • Azure offers 3 ways of implementing the mapping from group IDs to group names; it might be possible to check whether there are common patterns that could be implemented.

      Notes

      Discovery output

      • As discussed with mgeljic, we agreed to go with the custom authorization generator leveraging SPI (Service Provider Interface). This approach opens the possibility for customization.
      • With that, we have to introduce a Service Provider Interface that allows customers to implement their own authorization generator in a custom module (jar file).
      • Specify a new predefined key, for example "customAuthorization", in the "oidc.authorizationGenerators" config property; the module will then look up the custom authorization generator via the SPI. The YAML configuration would look something like this:
      clients:
        oidc.id: ...
        oidc.secret: ...
        oidc.scope: ...
        oidc.discoveryUri: http://localhost:8180/realms/mgnl/.well-known/openid-configuration
        oidc.preferredJwsAlgorithm: RS256
        oidc.authorizationGenerators: customAuthorization

      Notes: Regarding the second option, "providing out-of-the-box generators which might be configurable": this may not cover all cases of the customers' requirements, especially since Azure AD provides different ways to configure groups/authorization. So we can't know which configuration pattern is the most common one to build OOTB generators for the IdPs (Azure, Okta, Keycloak).
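      To make the proposed mechanism concrete, here is an added example; it is not code from this ticket or from the Magnolia SSO module. It assumes a hypothetical SPI interface named CustomAuthorizationGenerator with a single resolveRoles method (the interface that MGNLSSO-189 actually introduced may have a different shape), and shows two things: how the predefined "customAuthorization" value of oidc.authorizationGenerators could trigger a java.util.ServiceLoader lookup of a generator shipped in a customer's module jar, and an implementation that maps Azure AD group object IDs to role names from an explicit map. Group IDs and role names are constructed sample values. Unknown group IDs are dropped on purpose, so a group the deployment never mapped can never grant a role, and more than one registered provider is treated as a deployment error rather than silently picking the first one.

```java
import java.util.Collection;
import java.util.Collections;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.ServiceLoader;
import java.util.Set;

public final class AuthorizationSpiExample {

    /** Hypothetical SPI contract (assumption: the real interface from MGNLSSO-189 may differ). */
    public interface CustomAuthorizationGenerator {
        /** Turns the raw group claims sent by the identity provider into application role names. */
        Set<String> resolveRoles(Collection<String> groupIds);
    }

    /**
     * Implementation a customer would ship in its own module jar and register in
     * META-INF/services/<fully.qualified.name.of.CustomAuthorizationGenerator>
     * (one line containing this class's fully qualified name).
     * Azure AD sends group object IDs in its "groups" claim; we map them to roles explicitly.
     */
    public static final class AzureGroupIdResolver implements CustomAuthorizationGenerator {
        // Constructed sample mapping; real values come from the customer's Azure tenant.
        private final Map<String, String> groupIdToRole = Map.of(
            "11111111-1111-1111-1111-111111111111", "editors",
            "22222222-2222-2222-2222-222222222222", "publishers");

        @Override
        public Set<String> resolveRoles(Collection<String> groupIds) {
            Set<String> roles = new LinkedHashSet<>();
            for (String id : groupIds) {
                String role = groupIdToRole.get(id);
                // Unmapped IDs are ignored: a group nobody configured must never grant a role.
                if (role != null) {
                    roles.add(role);
                }
            }
            return Collections.unmodifiableSet(roles);
        }
    }

    /**
     * What the SSO module side could do when reading "oidc.authorizationGenerators".
     * Only the predefined key "customAuthorization" triggers the ServiceLoader lookup;
     * any other value is left to the existing built-in generators.
     */
    public static Optional<CustomAuthorizationGenerator> lookup(String configuredGenerator) {
        if (!"customAuthorization".equals(configuredGenerator)) {
            return Optional.empty();
        }
        ServiceLoader<CustomAuthorizationGenerator> loader =
            ServiceLoader.load(CustomAuthorizationGenerator.class);
        Iterator<CustomAuthorizationGenerator> it = loader.iterator();
        if (!it.hasNext()) {
            return Optional.empty();
        }
        CustomAuthorizationGenerator generator = it.next();
        // Two jars each registering a generator is a deployment error, not a tie to break silently.
        if (it.hasNext()) {
            throw new IllegalStateException("more than one CustomAuthorizationGenerator registered");
        }
        return Optional.of(generator);
    }

    public static void main(String[] args) {
        // Stand-alone run without a META-INF/services file: fall back to the resolver directly.
        CustomAuthorizationGenerator generator =
            lookup("customAuthorization").orElseGet(AzureGroupIdResolver::new);
        List<String> claimGroups = List.of(
            "11111111-1111-1111-1111-111111111111",   // mapped to "editors"
            "99999999-9999-9999-9999-999999999999");  // constructed ID with no mapping
        System.out.println(generator.resolveRoles(claimGroups));
    }
}
```

      When deployed for real, the META-INF/services file is what makes ServiceLoader find the customer's class, so the fallback in main is only there to let the example run on its own; the check that rejects a second registered provider is the part worth keeping, because whichever generator wins that lookup decides what roles every SSO user receives.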

              People

                nguyen.phung Nguyen Phung Chi
                mrajkovic Matt Rajkovic
                AdminX


                  Time Tracking

                    Estimated: Not Specified
                    Remaining: Not Specified
                    Logged: 5d 7.5h