Noovolari / leapp

Leapp is the DevTool to access your cloud
https://www.leapp.cloud/
Mozilla Public License 2.0

Integrate OneLogin "Amazon Web Services (AWS) Multi Account" Service in Leapp #74

Open andreacavagna01 opened 3 years ago

andreacavagna01 commented 3 years ago

Is your feature request related to a problem? Please describe.
Integrate the OneLogin service, as in the AWS SSO integration (#38).

Describe the solution you'd like
Autocomplete all the sessions available from the OneLogin service.

scrthq commented 3 years ago

This would be a big win for us! Keeping an eye on this issue.

andreacavagna01 commented 3 years ago

It's an integration like the one we have made with AWS SSO, but I still have to do some R&D on this method because it's not our current method in use.

If there is an expert in OneLogin, we can speed up this process.

scrthq commented 3 years ago

I can help out on the OneLogin side; I'm pretty familiar there. JS/TS just isn't my typical language though, so it's hard to say exactly how much help I can be here lol. Checking out the AWS SSO integration to see if I can wrap my head around how to apply that to OneLogin.

Questions:

  1. Is Leapp in its current state able to work with OneLogin via federation to AWS at all?
    • I tried setting it up and was able to go through the bits to register the account in Leapp, but it never transitions to an active state when selecting the account in Leapp and there's nothing logged when it happens that I can tell.
  2. If it should work with OneLogin, is there a specific connector type (e.g. Multi-Account/Multi-Role) in OneLogin that this should work with, or is it purely capturing the SAML response regardless of how the user gets there in the pop-up window?

andreacavagna01 commented 3 years ago

That's awesome. We are also shifting the core business logic into a GoLang daemon soon; the project is still active and under development, so maybe you are more confident with that language.

Also, I can help you on the TypeScript side once I know the path to follow; I need a guide like this one I wrote for AWS SSO before developing the integration. I think the steps will be nearly the same, but since I don't have this OneLogin flow enabled I can't be sure.

  1. Yes, Leapp currently manages the OneLogin federation flow with SAML. I think your problem may be with the Auth URL or something similar; please open an issue if this is not working properly.
  2. I think the Multi-Account/Multi-Role connector is the one to integrate; whenever you have access to the APIs, I hope to retrieve all the sessions available for the current user. The provisioning part of the session is the hardest one.

The flow for integration is still not abstracted, but it is divided into 3 different parts:

  1. Logging into the Identity Provider: as we have done here
  2. Provisioning sessions with the APIs of the Identity Provider: we have done it in these lines
  3. Generating credentials from the single session: generating the proper strategy

I can help you with the development of this part, but first I need some info on how to do those steps with OneLogin. Thanks for the help; if you want to start a deep conversation on this point, feel free to join our community on Slack.

scrthq commented 3 years ago

Awesome, @andreacavagna01! I'll hop on the Slack workspace and we can chat more. The only concern I have with going the API route is that you'll need API credentials with User Authentication permissions to do that, which not everyone has access to generate, or may not be willing to provide to general users outside of the IdP admins. That's actually one of the current blockers we've had with other tools fulfilling the same role, including OneLogin's own CLI tool for that purpose.

I've seen other tools (can't find a link right now) that handle it via pop-up window and capture the SAML response to send that to the AssumeRoleWithSAML call instead of going through the API route, but that provides its own challenges there.

Reading your response a bit deeper and checking out the links provided as well. I appreciate the thorough response!!
Edit: Looks like the Slack invite link isn't working as expected, I get dropped back to the login screen and it fails that because of the domain mismatch.
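The pop-up/SAML-capture route mentioned in this comment, together with the three-part flow (IdP login, session provisioning, credential generation) from the previous one, as an added example that is not part of this thread or of Leapp's code: it decodes a captured SAMLResponse, lists the role/provider ARN pairs the IdP offers (the provisioning step, done without any OneLogin API credentials), and builds the parameters for an AssumeRoleWithSAML call (the credential step). It assumes Python with boto3's parameter names (RoleArn, PrincipalArn, SAMLAssertion, DurationSeconds); the SAML document is a constructed sample, not a real OneLogin response.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"

# Constructed sample, not a real OneLogin response: unsigned, two accounts, and the
# role/provider pair written in both orders that IdPs are seen to emit.
SAMPLE_XML = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}">
  <saml:Assertion><saml:AttributeStatement>
    <saml:Attribute Name="{ROLE_ATTR}">
      <saml:AttributeValue>arn:aws:iam::111111111111:role/ReadOnly,arn:aws:iam::111111111111:saml-provider/OneLogin</saml:AttributeValue>
      <saml:AttributeValue>arn:aws:iam::222222222222:saml-provider/OneLogin,arn:aws:iam::222222222222:role/Admin</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
      <saml:AttributeValue>jane.doe@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement></saml:Assertion>
</samlp:Response>"""
SAMPLE_SAML_RESPONSE = base64.b64encode(SAMPLE_XML.encode()).decode()


def list_saml_roles(saml_response_b64):
    """Return the (role_arn, principal_arn) pairs the IdP offers, in assertion order.
    This only enumerates choices to show the user: STS verifies the assertion's
    signature when it is submitted, so nothing here is an authorization decision."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    roles = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") != ROLE_ATTR:
            continue
        for value in attr.iterfind("saml:AttributeValue", NS):
            parts = [p.strip() for p in (value.text or "").split(",")]
            # Identify each ARN by its type rather than by position in the pair.
            role = [p for p in parts if ":role/" in p]
            provider = [p for p in parts if ":saml-provider/" in p]
            if len(parts) != 2 or len(role) != 1 or len(provider) != 1:
                raise ValueError(f"malformed Role attribute value: {value.text!r}")
            roles.append((role[0], provider[0]))
    return roles


def assume_role_with_saml_params(saml_response_b64, role_arn, duration_seconds=3600):
    """Keyword arguments for boto3's sts.assume_role_with_saml(**params). SAMLAssertion
    is the base64 SAMLResponse exactly as captured from the pop-up, not re-encoded."""
    offered = dict(list_saml_roles(saml_response_b64))
    if role_arn not in offered:
        raise LookupError(f"{role_arn} is not among the roles the assertion offers")
    return {"RoleArn": role_arn, "PrincipalArn": offered[role_arn],
            "SAMLAssertion": saml_response_b64, "DurationSeconds": duration_seconds}
```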

andreacavagna01 commented 3 years ago

I'm sorry I missed the edit. This link should work: https://join.slack.com/t/noovolari/shared_invite/zt-opn8q98k-HDZfpJ2_2U3RdTnN~u_B~Q I will be happy to define that kind of integration in Leapp.