-
Notifications
You must be signed in to change notification settings - Fork 23
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
User/Group Management Without SCIM #42
Comments
Hi @allquixotic , Many thanks for bringing these 2 issues to our attention. And, a special thanks for the very thorough rationale setting and the solution approach you've described here. This helps our team with exactly understanding the background for the ask. After reading through both the problem statements, here's my first impressions. I/team will update here with other feedback as we discuss this internally next week. Could I ask you to break down both the problems into 2 issues please? Given the scope of these issues, it would be more helpful to tackle them as individual issues. With this assumption, I am providing the updates here for the first problem statement. Also, to answer your last question - no, we did not think of these pain points until now , thank you for bringing this to our attention. Yes, we always welcome collaboration from the community and accept PR's. Problem Statement 1: User/Group management without SCIM
What are your first thoughts on this? Thanks, |
Separated out the second problem to #46. |
My comments are inline. Thank you for your hard work on this.
Agreed. Providing S3 and API driven management of the users will make it a most flexible solution, just like the current design patterns for permission sets and links.
This is excellent. The only thing I would add: to avoid weird conflicts, if the user enables a pre-packaged connector, the setting for using S3 or API driven for user and group management should probably be ignored. When a connector is enabled, to avoid weird conflicts and unexpected behavior, the SCIM middleware should always be set up for API access. A user could, at their option, both use a connector and custom API calls to the SCIM middleware, but I'm not sure if that would have any weird corner cases that make it hard to manage on the SCIM middleware backend. I have a hard time rationalizing in my head how the S3 approach would work in conjunction with a connector. Maybe if you can see how to resolve that design ambiguity, you could allow S3 to be used at the same time as a connector. For my organization's purposes, we would just use the Managed AD connector, and we would not add our own code to call the SCIM middleware API, nor would we need additional user management in S3. We would treat our Managed AD as the single source of truth for SSO user and group management.
This is good so far..
Or
Ah, this solves some of my earlier concerns.
Excellent. To follow existing design patterns, we'd want to introduce another option flag for preserving existing users who were manually created in AWS SSO but may not exist in the Update 01/29/2022 23:41 UTC The desired behavior for this flag would be:
I do not think it makes sense to update (write to)
|
One implementation concern I have... This may not actually require modifications to this design spec... Our OrgMain account does not currently have network level access to our Managed AD. The Managed AD sits in a member account on a private VPC. Currently we have our entire SSO Extensions solution sitting in OrgMain in the same region. I think if you put the SCIM middleware and the identity source connector into the |
Hi @allquixotic , Regarding the account structure, while moving to the recommended multi account model is a good idea and should be done, this won't be a blocker however. I am planning to treat the account hosting Managed AD as a separate account and communicate through cross account/region SNS topics. This is the same design pattern implemented currently between OrgMain, SSO and target accounts. Regarding the logical design and flow details, I am working with the rest of the team on a structure and will update here shortly. Also, to set the correct timeline expectations, we are currently working on another feature we've prioritised for 2 of our customers that would enable them to do a region switch with their AWS SSO. This is a stand-alone component of the solution that a customer could use to automate moving their permission sets and account assignments over to the new region. In terms of our current development, we are aiming to get this out in 3.1.0 in the next 2 weeks, and will focus on this enhancement as the next priority. Hope these timelines work for you. Thanks, |
The other feature request I logged recently is actually more urgent than this one. The good news about this issue is that I've already written code that solves the immediate need for my organization, and can continue to customize it to suit my needs. It isn't as elegant as a baked-in solution with SSO Extensions, but it's better than nothing. |
@fotinosk will update the solution design docs with the pattern he's building for SCIM support and link the docs here for reference. |
Leela & AWS Team,
While attempting to roll out AWS SSO, my organization is encountering a number of AWS SSO challenges that exist outside the current feature-set boundary of SSO Extensions for Enterprise.
The original Problem 2 from this issue has been moved to #46
This issue is about User/Group Management Without SCIM.
Assumptions:
Note: Not all of these assumptions must be true for a potential solution to have value.
Problem:
Ad-Hoc Automation Solution:
memberOf
(the multi-valued list of every group the user is a member of) and stores the user data in an in-memory data structure.GET
andPOST
to/scim/v2/Users
,/scim/v2/Groups
- sometimes with filters. Code is fairly formulaic and intuitive if one understands the AWS SSO SCIM limitations as documented.Possible Variations:
What Could SSO Extensions Do:
Are these possible future directions for SSO Extensions? (Would you accept pull requests if I ever figure out the internals of SSO-Ex enough to directly implement this using SSO-Ex's existing infrastructure? Would you consider / are you already working on this yourself?)
Thanks for reading...
The text was updated successfully, but these errors were encountered: