automate-dex: make local user signin disappear via config #4386
Conversation
srenatus
added
auth-team
|
Deploy preview for chef-automate ready! Built with commit e9a7be4 |
This would be a noop if there always were local users -- regardless of configuring LDAP or SAML, you'd always have more than one method. If we want to allow disabling local users, we'll have to enable this, because if you had ONLY SAML, you couldn't sign out -- you'd immediately be sent back to your SAML IdP; and if your session was still valid, you'd even go straight back to being signed into A2. To not have users click "sign in with X" if they only have LDAP, or only local users, enabled, but have them go straight to the username/password field, we set alwaysShowLoginScreen to true only if SAML is in the mix. If you have LDAP+SAML, or local+SAML, you'll see the selection anyways. Signed-off-by: Stephan Renatus <srenatus@chef.io>
Signed-off-by: Stephan Renatus <srenatus@chef.io>
Signed-off-by: Stephan Renatus <srenatus@chef.io>
…ctor set up Signed-off-by: Stephan Renatus <srenatus@chef.io>
srenatus
force-pushed
the
sr/remove-local-users-step-0
branch
from
f6f75fa
to
e9a7be4
Compare
srenatus
changed the title
| skipApprovalScreen: true | ||
| {{- if cfg.connectors.saml}} | ||
| alwaysShowLoginScreen: true | ||
| {{- end}} |
There was a problem hiding this comment.
I am not clear on what is the approval screen vs the login screen, or the whole process flow here for that matter. 🤷 You state:
To not have users click "sign in with X" if they only have LDAP, or only local
users, enabled, but have them go straight to the username/password field, we
set alwaysShowLoginScreen to true only if SAML is in the mix.
Am I correct, for instance, that SAML is different than local or LDAP, in that we do not ask for the credentials, rather the SAML IdP does. So if we remove the "Sign in with SAML" (that, I guess, is on the login screen?) that is why one could never log out, yes?
There was a problem hiding this comment.
Am I correct, for instance, that SAML is different than local or LDAP, in that we do not ask for the credentials, rather the SAML IdP does.
Yes, the "SAML sign in page" is a redirect to the IdP, no username/password prompt.
So if we remove the "Sign in with SAML" (that, I guess, is on the login screen?) that is why one could never log out, yes?
Signing out of A2 will get you back to dex. If dex decided that, since there's only one sign in method, that must be the one you want to use, it sends you to that method's sign in page. For SAML, that's a redirect to your IdP. If you still have an active session with the IdP (that's something we don't control), you'll be signed in automatically, and redirect to A2. So, from a user's perspective, there's no way to sign out. Clicking on "Sign out" gets you signed in again. (I'm just rephrasing, I think your understanding is correct.)
There was a problem hiding this comment.
The approval screen is this:
We have never enabled that, since it doesn't make sense in our setup.
This would be a noop if there always were local users -- regardless of
configuring LDAP or SAML, you'd always have more than one method.
If we want to allow disabling local users, we'll have to enable this, because
if you had ONLY SAML, you couldn't sign out -- you'd immediately be sent back
to your SAML IdP; and if your session was still valid, you'd even go straight
back to being signed into A2.
To not have users click "sign in with X" if they only have LDAP, or only local
users, enabled, but have them go straight to the username/password field, we
set alwaysShowLoginScreen to true only if SAML is in the mix.
If you have LDAP+SAML, or local+SAML, you'll see the selection anyways.
ℹ️ I've added the extra commits to
👟 How to Build and Test the Change
rebuild components/automate-dex, sign in and sign out with different SAML/non-SAML combinationsℹ️ To play with disabling the local users, use this config snippet,
and rebuild
automate-dex,automate-cliandautomate-deployment. Then try to sign in, and remove the SAML config to see that you can't do that. With this config applied, the the SAML config not removed, you should see this: