Self service journey of Identy provider Group Mapping for stackspot IAM
Opened this issue · 0 comments
Description
Given an account with SSO integrated, it's essential to be able to map groups of user's external to provider to the platform groups. This feature covers how this can be achieved and capabilities which will be provided to customer to be able to configure them.
Concepts
- Association: Associating a user with a given group retrieved by its external authentication provider
- External Group: Groups inherited from external authentication provider
- Group: Stackspot/IAM group
- Named Capture Group: A REGEX capture group with a name binded to it
Usecase Flow
Association
- Setup SSO
- A user authenticates using SSO
- Their external groups are associated to their Stackspot user
- User is able to access the resources granted by Stackspot groups their got associated with
Disassociation
- Setup SSO
- A user authenticates using SSO
- Their external groups are associated to their Stackspot user
- User is able to access the resources granted by Stackspot groups their got associated with
- User loses some external groups in SSO provider
- When user reauthenticates in platform the respective groups removed in the SSO provider gets removed as well in platform
Proposed Solution
Creation of a group mapper REGEX where a rule is set and the captured external group is the group name to associate the user with. If user is not in the group then they are inserted into it.
To perform disassociation, the same REGEX is applied to user's current groups and if any filtered group is not in the external groups it gets removed.
Mapper configuration
-
Raw
-
Raw REGEX query is performed in a given group table column.
-
Capture group example:
(?<name>\d{4}) -
Possible names for capture group:
namequery will be performed using table column callednameslugquery will be performed using table column calledslug
-
Example usage:
(?<name>^.*$)will map the exact external group name to group, so if there is a external group in users authentication namedFW4-FW4-P_AI_STACKSPOT_ADMIN_V2the user will be added to groupFW4-FW4-P_AI_STACKSPOT_ADMIN_V2in the platform as well. The follwing query will be executed:SELECT * from groups where name = 'FW4-FW4-P_AI_STACKSPOT_ADMIN_V2'
-
-
Default
-
Pre computed configuration where the REGEX get parsed and pre-determined operations are already setup
-
All rules are exclusive (only one applies at time)
-
Capture group example:
(?<name>\d{4}) -
Capture Group Prefixes (column that query will be performed)
name: Find by group nameslug: Find by group slug
-
Capture Group Suffixes:
_endswith: retrieves all groups that ends with captured value_startswith: retrieves all groups that starts with captured value_contains: retrieves all groups that contains captured value_match: retrieve all groups that matches captured value
-
Simple Example usage:
(?<name_startswith>\ABC_)->SELECT from groups where name like 'ABC_%'(all groups that name starts withABC_)(?<name_endswith>\_CDE)SELECT from groups where name like '%_CDE'(all groups that name ends with_CDE)(?<name_contains>\ABC)->SELECT from groups where name like '%ABC%'(all groups that name contains withABC)(?<name_match>\ABC)->SELECT from groups where name = 'ABC'(all groups that name equalsABC)
-
Dynamic matching usage:
-
^FW4-FW4-P_(?<name_match>.*)$-> Will capture any remaining text that comes afterFW4-FW4-P_and perform a match search in group table using column name. Example:- If this external group is present in users authentication
FW4-FW4-P_AI_STACKSPOT_ADMIN_V2their will be added to groupAI_STACKSPOT_ADMIN_V2by the execution of the following query:SELECT * from groups where name = 'AI_STACKSPOT_ADMIN_V2' - All suffixes modes are available to be used as well
- If this external group is present in users authentication
-