PAM WebSSO Entitlements Details #1419

HarryKodden · 2024-05-15T13:18:38Z

At this moment the PAM WebSSO successful authentication gives following details:

 {
    "groups": [
        {
            "name": "SURF Research Cloud Live CO",
            "short_name": "live"
        }
    ],
    "info": "User [email protected] has authenticated successfully",
    "result": "SUCCESS",
    "username": "..."
}

We are planning to make use of 1 generic SRAM Service that will be connected to all ResearchCloud VM's that facilitate PAM WebSSO logins. That would allow users to access All these VM's if they are member of just 1 CO for which ResearchCloud has created a VM.
The alternative would be to create sidecar services for each individual CO.

I would suggest to keep it simple and have just 1 generic WebSSO Service that is connected to all CO's.
Then we need to apply additional checks that the authenticated user is indeed member of the CO for which the VM is created.

Therefor we can make use of the group membership delivered in the JSON response.
In order to make a non ambiguous ACL it is proposed to add the SRAM persistent ID to the group membership details, like this:

 {
    "groups": [
        {
            "name": "SURF Research Cloud Live CO",
            "short_name": "live",
            "id": "bccd3caa-b421-4f7a-aeb8-cb12704beb71",
        }
    ],
    "info": "User [email protected] has authenticated successfully",
    "result": "SUCCESS",
    "username": "..."
}

The ACL in the VM then could list the (list of) ID's that a authenticated user must be member of, to allow access

The text was updated successfully, but these errors were encountered:

…eblogin-Verify-Response #1419 add entitlements to pam weblogin verify response

oharsta · 2024-05-17T08:22:45Z

Wrongfully closed issue

mrvanes · 2024-05-31T08:14:43Z

OK

sram-project-automation bot added this to SRAM development May 15, 2024

github-project-automation bot moved this to New in SRAM development May 15, 2024

oharsta added a commit that referenced this issue May 16, 2024

Merge pull request #1421 from SURFscz/#1419-Add-entitlements-to-PAM-W…

5124b49

…eblogin-Verify-Response #1419 add entitlements to pam weblogin verify response

oharsta closed this as completed May 17, 2024

sram-project-automation bot moved this from New to To be tested in SRAM development May 17, 2024

oharsta reopened this May 17, 2024

github-project-automation bot moved this from To be tested to New in SRAM development May 17, 2024

FlorisFokkinga assigned HarryKodden May 17, 2024

FlorisFokkinga moved this from New to In progress in SRAM development May 17, 2024

baszoetekouw linked a pull request May 17, 2024 that will close this issue

add entitlements to pam weblogin verify response #1421

Merged

FlorisFokkinga moved this from In progress to To be tested in SRAM development May 17, 2024

baszoetekouw added this to the v34 milestone May 31, 2024

mrvanes moved this from To be tested to To be deployed in SRAM development May 31, 2024

baszoetekouw closed this as completed Jun 10, 2024

sram-project-automation bot moved this from To be deployed to To be tested in SRAM development Jun 10, 2024

baszoetekouw moved this from To be tested to To be deployed in SRAM development Jun 10, 2024

sram-deploy-tools-automation bot unassigned HarryKodden Aug 6, 2024

sram-deploy-tools-automation bot moved this from To be deployed to Done in SRAM development Aug 6, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

PAM WebSSO Entitlements Details #1419

PAM WebSSO Entitlements Details #1419

HarryKodden commented May 15, 2024

oharsta commented May 17, 2024 •

edited

Loading

mrvanes commented May 31, 2024

PAM WebSSO Entitlements Details #1419

PAM WebSSO Entitlements Details #1419

Comments

HarryKodden commented May 15, 2024

oharsta commented May 17, 2024 • edited Loading

mrvanes commented May 31, 2024

oharsta commented May 17, 2024 •

edited

Loading