Is there a way to check if user still in the organization when role is assumed?

[shcheklein]

First of all, it's a great product, thanks, solves an actual issue for us of giving frictionless OIDC-like access in Codespaces.

I'm trying to wrap my mind around security implications though. Our setup is - we use org level repo to keep SAML.to config and specify user names in it who can assume the role.

One thing in particular that bothers me is that user names are codifies in YAML and stay there even if user is not part of the org. Is it a potential security risk? How should we go about this? Any recommendation / thoughts are appreciated.

[cnuss]

Hi @shcheklein and thanks for your message! I appreciate you trying out SAML.to!!

That's correct there is a security implication that if a user is off boarded from a GitHub organization, but the saml-to.yml is not updated, they could retain access to roles. Updating saml-to.yml would need to be part of the off-boarding process your organization has in place.

Also, as good measure, we also recommend securing the saml-to repository and/or access to saml-to.yml:

• Protect the main branch and require Pull requests
• Add Codeowners to the repository on the saml-to.yml file.
• Ensure only Individuals which are permitted to onboard/offboard users have Write/Maintain privileges on the repository.

[cnuss]

See also this response as we have some features in the works to address this issue and your feedback would be appreciated!

[cnuss]

@shcheklein We have a few features in the works surrounding this, I'd love to know what you're most interested in:

• GitHub Teams Support: Instead of listing individual users for a role, we're working on a feature where saml-to.yml would reference a GitHub Team Name, and off-boarding them from GitHub or Removing them from a Team would subsequently remove their access to referenced roles
• A config flag: Introduce a setting in saml-to.yml named something named like requireOrgMembership that would ensure the user is a member of the Organization for which they are assuming a role
• Notification/Webhooks: Email Notification and/or Webhooks if a non-organization GitHub user assumes a role

Let me know if any of these sound interesting to you? (perhaps rank them too) If there's other ideas you have for this let me know as well.

[shcheklein]

Hey, thanks for the response. It makes sense, I've made the repo secure (but I'll tighten it even more soon). I think I can write a simple CI action also to check membership from time to time (I'll share it here If I do that).

Regarding the options: the first one is the best I think (file will be the cleanest if that makes sense). Then second is fine also. Notifications - it's not an option (I would still introduce CI in this case), but a good additional safeguard.

[cnuss]

@shcheklein awesome! i will email you details on how to use our GitHub Teams feature.