RFC: Engelsystem as an SSO provider #882

Open
MyIgel opened this issue Feb 26, 2022 · 2 comments · May be fixed by #893
Labels
Type: Feature An idea for a new feature

Comments

@MyIgel
Member

MyIgel commented Feb 26, 2022

In the CCCV infra meeting the idea came up to use the Engelsystem as an SSO backend for event-specific Grafana / Prometheus / Alertmanager / whatever to not have to add users to the CCCV SSO during an event / share basic auth credentials.
Useful would be the limitation to allow only some angeltypes to use the external pages / the SSO.

@margau

margau commented Feb 26, 2022

Some additions:

  • Of course only accepted angels of an angel type shall be allowed in a role
  • It's possible that a situation with two different SSO sources of truth is created, which is not really helpful
  • Not a great solution: SSO Chaining:
    CCCV SSO puts angels into a group ($Crew Core). $Crew Core and $Crew Guest Engel are allowed to use a certain service through Engelsystem SSO, implicitly creating a combination of CCCV SSO and Angel Type right association

@MyIgel MyIgel changed the title RFC: Engelsystem als SSO Provider RFC: Engelsystem as an SSO provider Feb 26, 2022
@MyIgel MyIgel added the Type: Feature An idea for a new feature label Feb 26, 2022
@ThoreKr

ThoreKr commented Feb 26, 2022

For the subtitles kanboard we voiced interest in the past to obtain the angel-roles as a claim via platform SSO.

This would go in a similar direction, but instead using the engelsystem as IdP.

This would allow a few interesting additions:

  • Smaller events without the hub could have some kind of authentication
  • independence from hub sso
    • infra monitoring doesn't end up in a circular dependency
    • platform sso is unfortunately scarcely used and usually unavailable on day 1.

> Useful would be the limitation to allow only some angeltypes to use the external pages / the SSO.

When going the OAuth/OIDC route this should be verified in the application (Grafana is in the wrong here by not implementing this).
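An added example, not part of the thread or of the Engelsystem code base, of the application-side check discussed above: the relying application maps confirmed angel type memberships from the ID token to a role and fails closed otherwise. The `angeltypes` claim with its `name`/`confirmed` fields, the angel type names, the issuer URL and the role mapping are assumptions; the token signature is assumed to have been verified already by the application's OIDC library.

```python
import time

# Hypothetical policy: angel type name -> role granted in the external service.
ROLE_BY_ANGELTYPE = {"Infra Monitoring": "Editor", "NOC": "Admin"}
ROLE_RANK = {"Editor": 1, "Admin": 2}

# Constructed sample claims (not real Engelsystem output).
SAMPLE_CLAIMS = {
    "iss": "https://engelsystem.example",
    "aud": "grafana-event",
    "exp": 2000,
    "sub": "42",
    "angeltypes": [
        {"name": "NOC", "confirmed": False},  # requested, not yet accepted
        {"name": "Infra Monitoring", "confirmed": True},
    ],
}


class AccessDenied(Exception):
    """Raised whenever the token does not entitle the user to any role."""


def role_for(claims, issuer, client_id, now=None):
    """Return the highest role for signature-verified ID token claims."""
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise AccessDenied("unexpected issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise AccessDenied("token was not issued for this application")
    exp = claims.get("exp")
    if type(exp) not in (int, float) or exp <= now:
        raise AccessDenied("token expired or exp missing")
    entries = claims.get("angeltypes")  # hypothetical claim name
    if not isinstance(entries, list):
        raise AccessDenied("no angeltypes claim")  # fail closed
    roles = [
        ROLE_BY_ANGELTYPE[e["name"]]
        for e in entries
        if isinstance(e, dict)
        and e.get("confirmed") is True  # only accepted angels count
        and isinstance(e.get("name"), str)
        and e["name"] in ROLE_BY_ANGELTYPE
    ]
    if not roles:
        raise AccessDenied("no confirmed membership in an allowed angel type")
    return max(roles, key=ROLE_RANK.__getitem__)
```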

wiomoc added a commit to wiomoc/engelsystem that referenced this issue Apr 6, 2022
@wiomoc wiomoc linked a pull request Apr 6, 2022 that will close this issue