2021-W08
2021-02-22 Monday
MEETING Core Team: SecureX Account Activation Optimization work meeting
CLOCK: [2021-02-22 Mon 16:02]–[2021-02-23 Tue 08:47] => 16:45
[2021-02-22 Mon 16:02]
Meeting Agenda:
Discussion to drive forward SecureX Account Activation Optimization Q3 efforts
- Account Creation Workflow
- CSA Migration (has its own dedicated work stream – but is there anything impacting the overall initiative?)
- Firepower Onboarding (has its own dedicated work stream – but is there anything impacting the overall initiative?)
- Workflow
- Role Based Access
- Module Addition/Health Workflow
- Status of action items from last core team call
- What help is needed (decisions, clarity, etc.)
- Any blockers or issues?
Doing in Q3.
Most conversation is good.
Agenda:
@Jyoti, this is a huge item. Audience in this meeting is too big.
Where to track. Some GitHub issues are dead.
Namrata: focus on first 3 items. Martin: item named workflow, don't know what that is.
Module Addition.
2021-02-23 Tuesday
CHAT webex morning routine work chat
CLOCK: [2021-02-23 Tue 08:47]–[2021-02-23 Tue 09:47] => 1:00
[2021-02-23 Tue 08:47]
CSA Migration
DONE Houman
SCHEDULED: <2021-02-23 Tue 16:00>
@Houman
Hi Yann - something for tomorrow, none of the QA orgs in TEST or INT are showing the registered devices in SSE. When I cross launch to SSE, I am able to see the devices, but in SecureX there is no device. Both are AMP orgs and already migrated. Here are the org IDs:
c395f3c8-723b-4d15-b8b7-e17bec459c6b
cc6a35bc-1739-4fcd-a285-aa95adbd5e41
Could you please take a look and unblock QA orgs?
INT org
{
"id": "c395f3c8-723b-4d15-b8b7-e17bec459c6b",
"name": "adminctrqa",
"enabled?": true,
"created-at": "2019-04-04T20:33:53.033Z",
"idp-mapping": {
"idp": "idb-amp-staging",
"enabled?": true,
"organization-id": "c395f3c8-723b-4d15-b8b7-e17bec459c6b"
},
"scim-status": "activated",
"additional-scopes": [
"iroh-admin",
"iroh-master",
"iroh-auth",
"sse",
"cisco"
]
}
Contains idp-mapping.
Logs during OIDC do not contain it:
The client claim-aliases look OK:
"id-token-aliases": [
{
"alias": "spId",
"case-value": {
"sxso": "SXSO",
"idb-tg-staging": "TG",
"idb-amp-staging": "AMP"
},
"claim-to-alias": "https://schemas.cisco.com/iroh/identity/claims/user/idp/id"
},
{
"alias": "spId",
"case-value": {
"sxso": "SXSO",
"idb-tg-staging": "TG",
"idb-amp-staging": "AMP"
},
"claim-to-alias": "idp-mapping-idp"
},
{
"alias": "spId",
"case-value": {
"sxso": "SXSO",
"idb-tg-staging": "TG",
"idb-amp-staging": "AMP"
},
"claim-to-alias": "old-idp-mapping-idp"
},
2021-02-24 Wednesday
MEETING Fix SSE client work meeting
CLOCK: [2021-02-24 Wed 18:33]–[2021-02-25 Thu 18:07] => 23:34
[2021-02-24 Wed 18:33]
client PATCH
TEST:
{"id-token-aliases": [
{
"alias": "spId",
"case-value": {
"sxso": "SXSO",
"idb-tg": "TG",
"threatgrid":"TG",
"idb-amp": "AMP",
"idb-tg-staging": "TG",
"idb-amp-staging": "AMP"
},
"default-value": "AMP",
"claim-to-alias": "https://schemas.cisco.com/iroh/identity/claims/user/idp/id"
},
{
"alias": "spId",
"case-value": {
"sxso": "SXSO",
"idb-tg": "TG",
"threatgrid":"TG",
"idb-amp": "AMP",
"idb-tg-staging": "TG",
"idb-amp-staging": "AMP"
},
"claim-to-alias": "idp-mapping-idp"
},
{
"alias": "spId",
"case-value": {
"sxso": "SXSO",
"idb-tg": "TG",
"threatgrid":"TG",
"idb-amp": "AMP",
"idb-tg-staging": "TG",
"idb-amp-staging": "AMP"
},
"claim-to-alias": "old-idp-mapping-idp"
},
{
"alias": "companyId",
"replace-value": [
[
"^threatgrid[:]",
""
]
],
"claim-to-alias": "https://schemas.cisco.com/iroh/identity/claims/org/id"
},
{
"alias": "companyId",
"replace-value": [
[
"^threatgrid[:]",
""
]
],
"claim-to-alias": "idp-mapping-organization-id"
},
{
"alias": "companyId",
"replace-value": [
[
"^threatgrid[:]",
""
]
],
"claim-to-alias": "old-idp-mapping-organization-id"
},
{
"alias": "companyName",
"claim-to-alias": "https://schemas.cisco.com/iroh/identity/claims/org/name"
},
{
"alias": "user_name",
"claim-to-alias": "https://schemas.cisco.com/iroh/identity/claims/user/name"
},
{
"alias": "user_email",
"claim-to-alias": "https://schemas.cisco.com/iroh/identity/claims/user/email"
},
{
"alias": "role",
"case-value": {
"admin": "admin",
"master": "admin",
"iroh-admin": "admin"
},
"default-value": "user",
"claim-to-alias": "https://schemas.cisco.com/iroh/identity/claims/user/role"
}
]}
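An added example, not part of the original notes and not iroh's own code: a small Python model of how an `id-token-aliases` list could be evaluated, used to compare the pre-patch `spId` entry with the patched one. The evaluation order, the skip-on-missing-claim rule, the helper names `resolve_aliases` and `unmapped`, and the sample IdP names are assumptions; the notes do not document the real semantics.

```python
import re

IDP = "https://schemas.cisco.com/iroh/identity/claims/user/idp/id"
ORG = "https://schemas.cisco.com/iroh/identity/claims/org/id"

# Excerpts of the two alias lists shown in these notes (first spId entry
# before and after the PATCH, plus one patched companyId entry).
BEFORE = [{"alias": "spId", "claim-to-alias": IDP,
           "case-value": {"sxso": "SXSO", "idb-tg-staging": "TG",
                          "idb-amp-staging": "AMP"}}]
AFTER = [{"alias": "spId", "claim-to-alias": IDP, "default-value": "AMP",
          "case-value": {"sxso": "SXSO", "idb-tg": "TG", "threatgrid": "TG",
                         "idb-amp": "AMP", "idb-tg-staging": "TG",
                         "idb-amp-staging": "AMP"}},
         {"alias": "companyId", "claim-to-alias": ORG,
          "replace-value": [["^threatgrid[:]", ""]]}]

# Constructed IdP names to probe the mapping with, not taken from a real login.
IDPS = ["sxso", "idb-amp-staging", "idb-amp", "threatgrid"]


def resolve_aliases(aliases, claims):
    """Assumed semantics: entries are tried in order, an entry whose source
    claim is absent is skipped, and the first entry that yields a value for
    an alias wins."""
    out = {}
    for entry in aliases:
        name, source = entry["alias"], entry["claim-to-alias"]
        if name in out or source not in claims:
            continue
        value = claims[source]
        if "case-value" in entry:
            # Lookup table; fall back to default-value when nothing matches.
            value = entry["case-value"].get(value, entry.get("default-value"))
        if value is None:
            continue  # no match and no default: this entry emits nothing
        for pattern, replacement in entry.get("replace-value", []):
            value = re.sub(pattern, replacement, value)
        out[name] = value
    return out


def unmapped(aliases, alias, source, candidates):
    """Return the candidate claim values that leave `alias` out of the token."""
    return [v for v in candidates
            if alias not in resolve_aliases(aliases, {source: v})]
```

Under these assumptions, `unmapped(BEFORE, "spId", IDP, IDPS)` lists the IdP names the old table silently dropped, while the patched list resolves all of them. The `default-value` also means an IdP name missing from `case-value` is reported as `AMP` rather than omitted, which is worth checking when a new IdP is added.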
IN-PROGRESS continue the day work
MEETING dev weekly work meeting
CLOCK: [2021-02-24 Wed 15:55]–[2021-02-24 Wed 17:04] => 1:09
[2021-02-24 Wed 15:55]
Weekly status
IROH:
- Provisioning: organization-id added to idp-mapping (#4855)
- Use entities in DB during SSE id-token generation (#4844) …
- Added tests to verify #4808 (#4817) …
- Hide provisioning API routes (#4835)
- OAuth2 client availability restriction for non admin (#4820) …
- Prevent user merge by email for some IdP (#4819) …
Tenzin-config:
- Provisioning API in PROD (#375)
- Mark some IdP as safe for email (#374)
- Extract `user->identity` helper
- RFC Problem Statement: Managing transitive dependencies for "test" jars
- Add schema validation for `gen-jwt`
- Use EmailService in iroh-feedback
- RFC: Prevent dependency confusion attack on our code base
- Add a `svc-helper` for `iroh-int.test-helpers.auth`
- Write tests for #4844
- Update SSE Clients
- SSE wrong org object passed to id_token generation
- Prevent merge user by email for TG accounts
- Claim aliases bug fix
- Prevent non-admin users to create client with availability "Org"
Notes
Yann:
- CSA Migration, Talk about SSE, and release.
Guillaume:
- CSA Migration
- Status API route
- FMC
Rob:
- discussion about Ben Greenbaum and Umbrella module (409 hit)
Ag:
- Bundle assets
Ambrose:
- Fixed the cron-job
- finished email service
- research work about problem statement
Real Work™ discussion.