What are you trying to do?
I want to use tsidp as my IDP provider for several services running out of my homelab.
I have several services (like proxmox) where I can simply control user access via ACL policies (i.e., non-group:admin users won't be able to access proxmox in the first place).
However, I also use HomeAssistant with the OIDC plugin and want to authenticate users via tsidp. In HomeAssistant, I want certain users logging in to have the admin role and other users with a user role.
This would require tsidp sending a groups claim.
How should we solve this?
I think the most elegant solution to this would be using the grants syntax:
```json
{
  "grants": [
    {
      "src": ["group:admins"],
      "dst": ["*"],
      "ip": ["*"],
      "app": {
        "tailscale.com/cap/tsidp": [
          {
            "groups": ["admin"]
          }
        ]
      }
    },
    {
      "src": ["autogroup:member"],
      "dst": ["*"],
      "ip": ["*"],
      "app": {
        "tailscale.com/cap/tsidp": [
          {
            "groups": ["reader"]
          }
        ]
      }
    }
  ]
}
```
What is the impact of not solving this?
I currently use local accounts whose usernames match the Tailscale username. The local accounts have the correct permissions assigned. However, if I want to eliminate locally maintained accounts, I couldn't currently do this.
Anything else?
This relates to my last comment in #10263.
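The following is an added example, not code from tsidp or the Tailscale repository, showing how a grants policy with the proposed `tailscale.com/cap/tsidp` capability could be evaluated into an OIDC `groups` claim. It assumes the capability value shape `{"groups": [...]}` from the request above, and that grants are additive (a user matching several `src` selectors receives the union of their capability values), which is how Tailscale grants behave in general. The `haRole` mapping is a hypothetical relying-party rule, not the Home Assistant OIDC plugin's configuration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// capName is the app capability key used in the issue's policy example.
const capName = "tailscale.com/cap/tsidp"

// examplePolicy is the grants policy from the issue, embedded as constructed input.
const examplePolicy = `{
  "grants": [
    {"src": ["group:admins"], "dst": ["*"], "ip": ["*"],
     "app": {"tailscale.com/cap/tsidp": [{"groups": ["admin"]}]}},
    {"src": ["autogroup:member"], "dst": ["*"], "ip": ["*"],
     "app": {"tailscale.com/cap/tsidp": [{"groups": ["reader"]}]}}
  ]
}`

// tsidpCap is the assumed shape of one capability value under the app key.
type tsidpCap struct {
	Groups []string `json:"groups"`
}

// grant mirrors the fields of a grants entry that matter here; "ip" is ignored.
type grant struct {
	Src []string                     `json:"src"`
	Dst []string                     `json:"dst"`
	App map[string][]json.RawMessage `json:"app"`
}

type policy struct {
	Grants []grant `json:"grants"`
}

// user is the identity the IdP knows about: the ACL selectors it matches.
// Selector resolution (group membership, autogroups) is assumed to be done already.
type user struct {
	Login     string
	Selectors map[string]bool // e.g. "group:admins", "autogroup:member"
}

// matchesSrc reports whether any src selector of a grant applies to u.
func matchesSrc(src []string, u user) bool {
	for _, s := range src {
		if s == "*" || u.Selectors[s] {
			return true
		}
	}
	return false
}

// groupsClaim returns the sorted, de-duplicated union of group names granted to u
// by every matching grant. A user in group:admins also matches autogroup:member,
// so they receive both "admin" and "reader"; the relying party decides precedence.
func groupsClaim(policyJSON []byte, u user) ([]string, error) {
	var p policy
	if err := json.Unmarshal(policyJSON, &p); err != nil {
		return nil, fmt.Errorf("invalid policy: %w", err)
	}
	seen := map[string]bool{}
	for _, g := range p.Grants {
		if !matchesSrc(g.Src, u) {
			continue
		}
		for _, raw := range g.App[capName] {
			var c tsidpCap
			if err := json.Unmarshal(raw, &c); err != nil {
				return nil, fmt.Errorf("malformed %s capability value: %w", capName, err)
			}
			for _, name := range c.Groups {
				seen[name] = true
			}
		}
	}
	out := make([]string, 0, len(seen))
	for name := range seen {
		out = append(out, name)
	}
	sort.Strings(out)
	return out, nil
}

// haRole is a hypothetical relying-party mapping: "admin" wins over any other
// group, everything else (including an empty claim) becomes a plain user.
func haRole(groups []string) string {
	for _, g := range groups {
		if g == "admin" {
			return "admin"
		}
	}
	return "user"
}

func main() {
	users := []user{
		{Login: "alice@example.com", Selectors: map[string]bool{"group:admins": true, "autogroup:member": true}},
		{Login: "bob@example.com", Selectors: map[string]bool{"autogroup:member": true}},
		{Login: "guest@example.com", Selectors: map[string]bool{}}, // shared-node user, not a member
	}
	for _, u := range users {
		groups, err := groupsClaim([]byte(examplePolicy), u)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s -> groups=%v role=%s\n", u.Login, groups, haRole(groups))
	}
}
```

The point worth checking in such a policy is the union behaviour: because `autogroup:member` also covers admins, the admin's token carries `["admin", "reader"]`, and a relying party that simply takes the first group it sees could demote an admin. A user who matches no grant gets an empty claim rather than an error, which is the safe default for access decisions.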