automate-dex: make local user signin disappear via config #4386
Conversation
Deploy preview for chef-automate ready! Built with commit e9a7be4
This would be a noop if there always were local users -- regardless of configuring LDAP or SAML, you'd always have more than one method. If we want to allow disabling local users, we'll have to enable this, because if you had ONLY SAML, you couldn't sign out -- you'd immediately be sent back to your SAML IdP; and if your session was still valid, you'd even go straight back to being signed into A2. To not have users click "sign in with X" if they only have LDAP, or only local users, enabled, but have them go straight to the username/password field, we set alwaysShowLoginScreen to true only if SAML is in the mix. If you have LDAP+SAML, or local+SAML, you'll see the selection anyways.
Signed-off-by: Stephan Renatus <srenatus@chef.io>
…ctor set up Signed-off-by: Stephan Renatus <srenatus@chef.io>
f6f75fa to e9a7be4
skipApprovalScreen: true | ||
{{- if cfg.connectors.saml}} | ||
alwaysShowLoginScreen: true | ||
{{- end}} |
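Review bot: the `{{- if cfg.connectors.saml}}` guard carries no explanation in the template itself, yet the reason it exists (a lone SAML connector makes "Sign out" bounce straight back to the IdP and into a still-valid session) lives only in the PR description; add a short template comment above the `if` saying why `alwaysShowLoginScreen` is conditional on SAML, and since `skipApprovalScreen: true` sits right next to it and the approval-vs-login distinction already confused review, a one-line note on what each flag controls would help the next reader.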
I am not clear on what is the approval screen vs the login screen, or the whole process flow here for that matter. 🤷 You state:
To not have users click "sign in with X" if they only have LDAP, or only local
users, enabled, but have them go straight to the username/password field, we
set alwaysShowLoginScreen to true only if SAML is in the mix.
Am I correct, for instance, that SAML is different than local or LDAP, in that we do not ask for the credentials, rather the SAML IdP does. So if we remove the "Sign in with SAML" (that, I guess, is on the login screen?) that is why one could never log out, yes?
Am I correct, for instance, that SAML is different than local or LDAP, in that we do not ask for the credentials, rather the SAML IdP does.
Yes, the "SAML sign in page" is a redirect to the IdP, no username/password prompt.
So if we remove the "Sign in with SAML" (that, I guess, is on the login screen?) that is why one could never log out, yes?
Signing out of A2 will get you back to dex. If dex decided that, since there's only one sign in method, that must be the one you want to use, it sends you to that method's sign in page. For SAML, that's a redirect to your IdP. If you still have an active session with the IdP (that's something we don't control), you'll be signed in automatically, and redirected to A2. So, from a user's perspective, there's no way to sign out. Clicking on "Sign out" gets you signed in again. (I'm just rephrasing, I think your understanding is correct.)
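To make the sign-out loop described above concrete, here is an added example (not code from the chef-automate repository) that renders the template excerpt from this PR with Go's text/template and models dex's dispatch after sign-out. Assumptions: `cfg.connectors.saml` is spelled `.connectors.saml` for text/template, connectors are passed as a list of enabled names, and dex auto-selects the only connector when `alwaysShowLoginScreen` is unset, which is the behaviour the PR description relies on.

```go
package main

import (
	"bytes"
	"strings"
	"text/template"
)
// The config template excerpt from this PR, modelled with Go's text/template
// (assumption: "cfg.connectors.saml" is spelled ".connectors.saml" here).
var dexTmpl = template.Must(template.New("dex").Option("missingkey=zero").Parse(`skipApprovalScreen: true
{{- if .connectors.saml}}
alwaysShowLoginScreen: true
{{- end}}
`))

// renderDexConfig renders the excerpt for the named enabled connectors.
func renderDexConfig(enabled []string) (string, error) {
	connectors := map[string]bool{}
	for _, name := range enabled {
		connectors[name] = true // e.g. "saml" when a SAML connector is configured
	}
	var buf bytes.Buffer
	err := dexTmpl.Execute(&buf, map[string]interface{}{"connectors": connectors})
	return buf.String(), err
}

// Where dex sends the browser once "Sign out" returns it to dex.
const (
	SelectionScreen = "connector selection screen"
	PasswordForm    = "username/password form"
	IdPRedirect     = "redirect to the SAML IdP"
)

// afterSignOut models dex's dispatch: with exactly one connector and the flag unset
// it skips the selection screen; for SAML that is a redirect with no credential prompt.
func afterSignOut(enabled []string, rendered string) string {
	if len(enabled) != 1 || strings.Contains(rendered, "alwaysShowLoginScreen: true") {
		return SelectionScreen
	}
	if enabled[0] == "saml" {
		return IdPRedirect
	}
	return PasswordForm // local or LDAP: dex prompts for credentials itself
}

// signOutLoops is the failure mode from the PR: a still-valid IdP session lands the user back in A2.
func signOutLoops(outcome string, idpSessionActive bool) bool {
	return outcome == IdPRedirect && idpSessionActive
}
```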
Thanks!
This would be a noop if there always were local users -- regardless of
configuring LDAP or SAML, you'd always have more than one method.
If we want to allow disabling local users, we'll have to enable this, because
if you had ONLY SAML, you couldn't sign out -- you'd immediately be sent back
to your SAML IdP; and if your session was still valid, you'd even go straight
back to being signed into A2.
To not have users click "sign in with X" if they only have LDAP, or only local
users, enabled, but have them go straight to the username/password field, we
set alwaysShowLoginScreen to true only if SAML is in the mix.
If you have LDAP+SAML, or local+SAML, you'll see the selection anyways.
ℹ️ I've added the extra commits to
👟 How to Build and Test the Change
rebuild components/automate-dex, sign in and sign out with different SAML/non-SAML combinations.
ℹ️ To play with disabling the local users, use this config snippet, and rebuild automate-dex, automate-cli and automate-deployment. Then try to sign in, and remove the SAML config to see that you can't do that. With this config applied, the SAML config not removed, you should see this: