New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Option to automatically redirect to external IDP (SAML/OIDC) #615
Comments
We have created an issue in Pivotal Tracker to manage this: https://www.pivotaltracker.com/story/show/145617739 The labels on this github issue will be updated when the story is started. |
@MatthiasWinzeler This is a valid ask and other customers have run into it. We will fix this in an upcoming version |
I think this a great fit now that work has started on #532 Will this be scheduled for 4.4 as well? |
+1 |
We are also facing the same issue. |
Any update on this? |
There has been a 'idp discovery' feature pushed onto develop that address this issue. See https://www.pivotaltracker.com/story/show/155403107 There is currently an edge case bug. The idea is for this to be available ideally next release. |
@DennisDenuto Great to hear! To achieve my desired behavior in the initial issue report (i.e. default redirect to external IDP but local users still possible), will I need to set the |
For the 99% case you just need to set the As you say your internal users don't use the UI flow: When you want to login via the CLI (or retrieve a token directly via password grant) and your default idp does not support password grant (which is the case for you, as you write you are using SAML) nothing changes - if the default IdP does not support password grant we fallback to using internal/ldap idp. Note that the default identity provider configuration is not contained in any release yet, but will probably be included in the next release. |
@tack-sap Sounds like it solves our issue in a very elegant way. Many thanks for respecting this use case! Will close this issue once it's released and tested. |
@tack-sap So I tried out setting
If I understood you correctly, the CLI should fall back to internal/ldap IDP since our SAML IDP does not support password grant. Is this fallback maybe broken? |
Hi Mathias, Thanks for reporting the issue! |
@tack-sap Thank you very much for taking care of this edge case! |
@tack-sap do you have any ETA on this? desperately waiting on it :) |
Hi, The story with the bugfix is accepted since October 1st and it is available the latest versions of UAA. So you should be able to use the whole setup by now ;) |
@tack-sap works flawlessly, thank you! |
In most of our UAAs, we have two different user origins:
We now face the problem that when the federated users log in (which is 99% of the cases), they see the UAA's login form and need to click on the saml/oidc login link. This is not a nice user experience. We like to skip this step and redirect the users directly to the single configured external IDP since this is the path 99% of the time (also since the technical users almost never need to login using the browser and never use this login form).
We're aware that if we disable the internal user management this automatic redirect happens.
But this is not desired since we still want to use the internal database for the technical users.
We implemented an ugly workaround on the LB that sits in front of the UAA - it just redirects every attempt to
/login
to the respective SAML login link. This gets even worse since this SAML login link contains the entity id which can differ for each UAA (so we need to adapt the rule for each UAA).So we would like to introduce a option to make this possible: either with something like
defaultOnWebLogin: true
that can be set on saml/oidc provider level or a globalredirectToExternalIdp: true
(that only redirects automatically if there is only one external idp configured). Or maybe extend the IDP discovery page that it automatically redirects if there's only one external IDP?It might sound like an edge case; but it's probably how a lot of enterprise customers have configured their UAAs.
Would you welcome a PR that adds this option?
The text was updated successfully, but these errors were encountered: