Yann Esposito (Yogsototh) b2d6a8e827
2020-09-29 14:43:17 +02:00


Work Time Tracker

add idp-mapping during org creation

ref
https://github.com/threatgrid/iroh/issues/4204

The Org schema contains an optional field named idp-mapping:

(s/defschema OrgIdPMapping
  (st/open-schema
   {:idp (describe s/Str "Internal idp-id")
    :organization-id (describe s/Str "the organization id provided by the IdP")
    :enabled? (describe s/Bool "Do we allow the connection through this IdP?")}))

(s/defschema NewOrg
  "Org before being saved to DB"
  (st/merge
   {:id s/Str}
   (st/optional-keys
    {,,,
     :idp-mapping OrgIdPMapping
     ,,
     })))

To support the CSA Migration, it should be replaced by:

(s/defschema OrgIdPMapping
  {:idp (describe s/Str "Internal idp-id")
   :organization-id (describe s/Str "the organization id provided by the IdP")
   :enabled? (describe s/Bool "Do we allow the connection through this IdP?")})

(s/defschema NewOrg
  "Org before being saved to DB"
  (st/merge
   {:id s/Str
    :idp-mapping OrgIdPMapping}
   (st/optional-keys
    {:old-idp-mapping OrgIdPMapping
     ,,,
     })))

This issue is about a first step toward this goal.

So at the end of this issue the schemas should be:

(s/defschema OrgIdPMapping
  {:idp (describe s/Str "Internal idp-id")
   (s/optional-key :organization-id) (describe s/Str "the organization id provided by the IdP")
   :enabled? (describe s/Bool "Do we allow the connection through this IdP?")})

(s/defschema NewOrg
  "Org before being saved to DB"
  (st/merge
   {:id s/Str}
   (st/optional-keys
    {:idp-mapping OrgIdPMapping
     ,,,
     })))

Depending on the Identity Provider (IdP), some provide an organization-id and some don't.

IROH-Auth currently works with 3 IdPs:

  • IDB AMP (stands for Identity Broker; it proxies the SAML AMP/Castle Identity Provider)
  • IDB TG (Identity Broker proxying the Threatgrid OpenID Connect IdP)
  • SxSO (Okta)

SxSO is the only IdP for which we do not care about the organization-id. Organizations created through a login via IDB AMP or IDB TG will be called managed orgs: for them, the IdP is responsible for the org-id.

For managed orgs, we create the org using the function iroh-auth.iroh-auth-service.core/sync-user-org, which uses the value returned by iroh-auth.org-service.core/get-org-by-session-infos.

So this last function (get-org-by-session-infos) should be modified so that its result always contains an idp-mapping field.

During logins via SxSO (or any IdP that does not manage orgs), the organization-id must not be set.

During logins via AMP or TG (or any IdP that manages orgs), the organization-id of the OrgIdPMapping must be set to the value returned by the IdP.

Note that some work may be needed to find out whether a given IdP manages orgs or not. This information lives in config.edn: every IdP has a :manage-orgs field.
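As an added example (not IROH's own code), here is how the idp-mapping rule above can be built from the :manage-orgs flag: the function name build-idp-mapping, the config map, and the :idp-id / :organization-id keys of session-infos are assumptions; only plumatic/schema is required.

```clojure
;; Added example, not IROH code: derive the idp-mapping of a new org from the
;; IdP's :manage-orgs config flag. Requires prismatic/schema on the classpath.
(ns example.idp-mapping
  (:require [schema.core :as s]))

;; Same shape as the target schema at the end of this issue; organization-id
;; is optional because non-managing IdPs (SxSO) do not provide one.
(s/defschema OrgIdPMapping
  {:idp s/Str
   (s/optional-key :organization-id) s/Str
   :enabled? s/Bool})

;; Constructed stand-in for the IdP entries of config.edn. Only the
;; :manage-orgs key comes from the issue; the idp ids are assumptions.
(def idp-config
  {"idb-amp" {:manage-orgs true}
   "idb-tg"  {:manage-orgs true}
   "sxso"    {:manage-orgs false}})

(s/defn build-idp-mapping :- OrgIdPMapping
  "Return the idp-mapping to store on a newly created org. session-infos is
  assumed to carry :idp-id and, for managing IdPs, the :organization-id
  returned by the IdP."
  [idp-config session-infos]
  (let [{:keys [idp-id organization-id]} session-infos
        manage-orgs? (get-in idp-config [idp-id :manage-orgs] false)
        base         {:idp idp-id :enabled? true}]
    (cond
      ;; Managed org: the IdP owns the org-id, so it must be present.
      (and manage-orgs? (some? organization-id))
      (assoc base :organization-id organization-id)
      ;; A managing IdP that sent no org-id: refuse instead of creating an
      ;; org whose mapping could never be reconciled with the IdP.
      manage-orgs?
      (throw (ex-info "managing IdP did not provide an organization-id"
                      {:idp-id idp-id}))
      ;; Non-managing IdP: organization-id must NOT be set, even if one
      ;; happens to be present in the session infos.
      :else base)))

;; Sanity checks on the three cases discussed in the issue.
(assert (= {:idp "idb-amp" :enabled? true :organization-id "org-42"}
           (build-idp-mapping idp-config {:idp-id "idb-amp"
                                          :organization-id "org-42"})))
(assert (= {:idp "sxso" :enabled? true}
           (build-idp-mapping idp-config {:idp-id "sxso"
                                          :organization-id "ignored"})))
(assert (s/validate OrgIdPMapping
                    (build-idp-mapping idp-config {:idp-id "sxso"})))
```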