2.2 KiB
Remove SecureX TG IdP login button
- tags
- Cisco
- source
In order to remove TG IdP as a SecureX login we need to find a way to link the SecureX user account to another IdP login account.
Proposal 1
Solution 1: Enforce verified email in TG
Using this solution we could link the accounts using the email address.
If Threatgrid ensure that every login has a verified email, SecureX could remove a flag, and the Threatgrid user could login into SecureX in the TG created org by using the same email. The only change to be done in SecureX will be to change a configuration flag.
Why?
If TG does not verify the emails and we enable the flag, it would be possible for a TG user to trick another user with another email into their own SecureX account.
Example:
- User1 in Threatgrid, change its email address in TG to
chuck@cisco.com - User1 create a new SecureX account (SecureX save
chuck@cisco.comfor his email) - The real Chuck login via SXSO, and is automatically logged in into the User1 account.
Solution 2: Provisioning API
Using this solution we link using internal user-id provided by the IdPs.
We have an API currently used by the CSA team /iroh/provisioning
This API must be called everytime a user in TG "migrates" its account to SXSO. Or if not migrates, at least, links its TG account to an SXSO account. The next time the user will use SXSO to login into SecureX he will be able to join the Threatgrid created org.
This API was created for a specific workflow where the entire Org decide to migrate. Thus there are specific routes such that Threatgrid could declare that for some Org, login via TG IdP is forbidden and user must login via SXSO only.
Notes
Both solutions can be used concurrently as this is the case for CSA currently.
After TG Proposal
The proposal I made was using the work already done by CSA. Of course we could have many other mechanisms.
The "Link your account to another IdP" had my preference a long time ago. But I think that within our current environment this hides a lot of dragons.