allcloud-io / clisso

Get temporary credentials for cloud providers from the command line.
Mozilla Public License 2.0

Extract OneLogin app ID automatically #53

Open johananl opened 6 years ago

johananl commented 6 years ago

Maybe the OneLogin embedding API can help: https://developers.onelogin.com/api-docs/1/embed-apps/get-apps-to-embed-for-a-user

ghost commented 5 years ago

As this is one of the most requested features internally, I'll try to advance this.

I wonder if a shared embeddable token is considered a security risk again? @lahavsavir

Compared to the previous internal solution, this removes the possibility to list users but still keeps the possibility to enumerate apps if I know the email addresses of users (which are incredibly hard to guess).

An alternative I see is developing a Lambda that stores the needed credentials securely and can only be used after authentication (I'd prefer IAM-based auth).

@lahavsavir, @johananl WDYT?

johananl commented 5 years ago

Looks like the embed token is much safer than the API credentials, because all it allows you to do is obtain the list of apps. On the other hand, it still allows obtaining a list of apps without providing user credentials, MFA etc. It also allows a user to get a list of apps that are accessible to another user by sending a request to the API with their email address (and the same token), however it won't allow them to get credentials for these apps if they themselves don't have permissions for them.

The question is if the above is acceptable. It might be acceptable for some use cases.

Looks like the embed token is shared by design, i.e. you can't even generate two on a given OneLogin account, only replace the one existing token.

A Lambda-based solution seems outside the scope of Clisso to me. All Clisso provides is an interface to OneLogin/Okta. This could still be a valid solution for specific use cases, however I don't see how Lambda helps us provide a generic solution to the app ID retrieval issue.

REMINDER: This is a public repository now. We should avoid discussing specifics or "internal" stuff. For these we should use other channels. Just a reminder because this discussion could lead to sensitive issues.

johananl commented 5 years ago

How about talking to OneLogin about this use case? We need some solution which would eliminate the need for contacting an admin for every app a user wants to add, without creating huge security risks. They might have an idea. If they don't, we could try pushing towards a new feature.

lahavsavir commented 5 years ago

Guys, let's please move to an internal communications channel to advance this discussion.

Thank you, Lahav

On Tue, 11 Dec 2018 at 22:26 Johannes Liebermann notifications@github.com wrote:

How about talking to OneLogin about this use case? We need some solution which would eliminate the need for contacting an admin for every app a user wants to add, without creating huge security risks. They might have an idea. If they don't, we could try pushing towards a new feature.
