This repository has been archived by the owner on Feb 18, 2023. It is now read-only.
Notes.md
Dev Notes

  1. How much should I copy the official OneLogin app?
    • Easier to migrate
    • Config files in JSON though??? Oh and YAML. Because.
  2. Integrate with KeyChain like aws-vault
  3. Shouldn't just spit out ENV vars and expect you to copy & paste.
    • Follow aws-vault example of executing programs (including a shell)
  4. Run an EC2-Metadata service like aws-vault?
    • Not sure why that helps? Maybe some kind of dev/test solution?
  5. Should use External Sourcing
    • Need to write the necessary info as a JSON blob which allows you to easily define OneLogin as the means of accessing an AWS_PROFILE without having to edit the ~/.aws/config file! Note that we would need to implement some level of caching for this to work, but that seems reasonable :)
  6. Another golang program allcloud-io/clisso
  7. Another secret mgmt library for OSX/Linux: tmc/keyring

Security

  1. The OAuth2 AccessToken is good for 10hrs and should be cached to avoid rate limiting. This is perfectly safe as long as the creds aren't exposed and used by someone to DoS us, given the 5000 req/hr/account limit. (account, not user?)
  2. SAML Assertion requires OneLogin username/password
  3. SAML Assertion may require MFA
  4. The SAML assertion is only good for a service-defined number of minutes? AWS SAML is for a few minutes.

Challenges

  1. The onelogin-go-sdk is neutered and doesn't support MFA :-/
  2. Need to see how the --loop feature is supported? Login session tokens can't be used for long periods of time? Pretty sure this doesn't automate authentication! Looks like it merely automates running the tool again, which is very different (requires you to manually re-auth).
  3. How are users supposed to know their device_id|device_id value for mfa?

Files

Probably should move to their own directory or something?

  • $HOME/.onelogin.cache -- SAML assertion & bearer token cache
  • $HOME/.onelogin.yaml -- config file

API Workflow

  1. ClientID/Secret ==> OneLogin Generate Token
    • Returns Token good for 10hrs
    • Should be cached
    • Can be done transparent to user
  2. Token, Username, Password, AppID ==> OneLogin SAML Assertion
    • Returns Assertion OR MFA Request
      • MFA request? Send MFA ==> OneLogin Verify Factor
      • Interactive required if MFA
    • AWS SAML Assertions are only good for a few minutes
    • Is good for 1 or more roles in 1 or more AWS Accounts
    • Password should be stored in KeyChain
  3. SAML Assertion, Role ==> AWS
    • Returns STS Token good for 15min to 12hrs (1hr default)
    • Can write to ~/.aws/config & ~/.aws/authentication or set shell ENV

How users should use:

  1. Select AppID or Role?
    • AppIDs contain multiple roles across one or more AWS accounts, which is confusing
  2. If user doesn't provide on CLI, prompt
  3. Need a config file which maps AppID => AWS Role(s)
    • AppIDs should have an alias
    • Role ARNs should have an alias
  4. If AppID alias:
    • Get all the STS tokens for all the roles
    • Write to AWS config files
    • Don't choose a role
  5. If Role Alias:
    • Get STS token for that role
    • Execute command/load ENV for that role

Commands

  • Revoke - Revoke current AuthToken which is automatically generated
    • No args, just config
  • Role - Get one AWS Role STS values and print it out
    • role alias
  • Exec - Get one AWS Role STS value and run command (like Role)
    • role alias
    • [command]
  • AppId - Get all AWS Role STS values (cache for Role/Exec)
    • appid alias
  • Aliases - Print all Role & AppId with aliases (should show when they expire)
    • No args, just config