Support automatic user creation with SAML authentication #3551
Conversation
Thanks for this PR. I was a bit reluctant to automate user creation based on SAML or OAuth because that can have unintended effects. For example, any user that's authenticated by SAML may automatically get access to Velociraptor. Typically the teams that manage Velociraptor access are not the same as the teams that manage user accounts, and I can see accidents happening with users automatically created in Velociraptor. I guess if it's very clearly documented and people understand the risk then it's fine, but how likely is it to have this kind of mistake?
With this change we are able to automatically create users for SAML-authenticated users and assign them roles. Before this change, users had to be created manually on the Velociraptor server, even when using SAML authentication, which led to double bookkeeping. Based on the work in the certs authenticator module: https://github.com/Velocidex/velociraptor/blob/858e2e4a1c597c9dfd1d0389f84ac2186eb3bae7/api/authenticators/certs.go#L168-L223 Instead of reusing the gui.authenticator.default_roles_for_unknown_users field we introduced a new saml_user_roles field to ensure privilege separation between GUI users and client certificates. Co-Authored-By: Deniz Adrian <[email protected]>
@scudette In a future iteration, we could think about adding a configuration setting to allow using other SAML attributes to map, for example, groups to policies. What do you think?
This is what I was asking, being not very familiar with SAML administration: does SAML allow the application to be assigned to a user, or does it mean that anyone who is able to authenticate to SAML anywhere in the domain can also log into the Velociraptor app (and therefore get automatically created)? With OAuth this is actually the case: for example, if we use Google to implement OAuth then literally anyone who can authenticate to Google (e.g. a random Gmail user) will be able to return from the OAuth handler and pass into the AuthenticateUserHandler() callback. They will normally be stopped in the user account check, but if the expectation is that an account will be automatically provisioned then anyone who creates a Gmail account will get a login!
From my (probably rather limited) experience with SAML identity providers, "filtering" users per application seems to be a very standard functionality included almost everywhere. At least AD-FS/Keycloak/AWS Identity Center all have logic to "map" users to an application based on group memberships or other factors, therefore limiting permitted users to a subset of all users already. From my point of view, having any mapping/filtering logic inside the IdP vs. inside the SP is highly desirable to (a) keep it simple and (b) not have a lot of distributed filter mechanisms throughout your application landscape, but rather in a central place. EDIT: don't get me wrong, I totally believe having logic to map separate roles inside Velociraptor to users based on SAML attributes makes a lot of sense in a more complex organizational structure where you need different users to have different roles inside your Velociraptor setup, but I believe it would make sense to implement this in a separate PR.
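One way to express both the SP-side provisioning gate raised in the review comments and the attribute-to-role mapping deferred to a later PR, as an added Go example that is not part of this PR or of Velociraptor's code: `ProvisionConfig`, `GroupAttr`, `GroupRoles`, `DecideProvision` and the group and role names are assumptions; only the `saml_user_roles` idea comes from the PR.

```go
package main

import (
	"errors"
	"sort"
)

// SamlAttrs: attributes of an already-verified SAML assertion (constructed
// for this example, not Velociraptor's own type).
type SamlAttrs map[string][]string

// ProvisionConfig is hypothetical: SamlUserRoles mirrors the PR's saml_user_roles
// setting; GroupAttr/GroupRoles sketch the mapping the thread defers to a later PR.
type ProvisionConfig struct {
	SamlUserRoles []string            // roles for every auto-created user
	GroupAttr     string              // assertion attribute that lists groups
	GroupRoles    map[string][]string // IdP group -> roles granted for it
}

var ErrNotEntitled = errors.New("authenticated by IdP but not entitled to this app")

// DecideProvision returns sorted, de-duplicated roles for a user who should be
// auto-created, or ErrNotEntitled (the SP-side gate). With no GroupRoles it
// behaves like the PR: anyone the IdP authenticates gets SamlUserRoles.
func DecideProvision(cfg ProvisionConfig, attrs SamlAttrs) ([]string, error) {
	if len(cfg.GroupRoles) == 0 {
		return uniqueSorted(cfg.SamlUserRoles), nil
	}
	roles, matched := []string{}, false
	for _, g := range attrs[cfg.GroupAttr] {
		if r, ok := cfg.GroupRoles[g]; ok {
			matched, roles = true, append(roles, r...)
		}
	}
	if !matched {
		return nil, ErrNotEntitled
	}
	return uniqueSorted(append(roles, cfg.SamlUserRoles...)), nil
}

func uniqueSorted(in []string) []string {
	seen, out := map[string]bool{}, []string{}
	for _, s := range in {
		if !seen[s] {
			seen[s], out = true, append(out, s)
		}
	}
	sort.Strings(out)
	return out
}
```

With an empty `GroupRoles` the function reproduces the PR's behaviour (every IdP-authenticated subject is provisioned with `SamlUserRoles`); with a mapping configured, a subject whose groups match nothing is refused even if the IdP was expected to filter.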