Open tomjones1977 opened 3 weeks ago
So you could do it in the userAutoCreateTmpl at create time, but I think you are asking for it to update on every sign-on in case the role changes? Is that right?
Could you provide a sample of what your OIDC object looks like? Would the role field name need to be changeable, or is it the same for all OIDC implementations?
Below is a redacted example token that is returned from the IdP. The roles are presented under realm_access.roles as a list.
Ideally this list would be checked to map the roles for the user on login. This would mean that the IdP could have a central set of roles/groups that enable RBAC, and the roles are enforced on login through the token contents.

```json
{
  "exp": 1724062294,
  "iat": 1724061994,
  "jti": "b9546ee6-416e-4226-ba09-06a9ceea8171",
  "iss": "https://keycloak.example.private/realms/example.private",
  "sub": "5277c950-47d9-46e5-930e-b1c935e2fe51",
  "typ": "Bearer",
  "azp": "viewer",
  "sid": "2ce5a0b4-ff79-44f6-919a-dea23493db45",
  "acr": "1",
  "allowed-origins": [
    "https://viewer.example.private"
  ],
  "realm_access": {
    "roles": [
      "zabbix-admin",
      "gitlab-admin",
      "admin",
      "arkime-admin",
      "ipausers"
    ]
  },
  "scope": "openid email profile",
  "email_verified": true,
  "name": "SSO Admin Admin",
  "preferred_username": "sso-admin",
  "given_name": "SSO Admin",
  "family_name": "Admin",
  "email": "sso-admin@example.private"
}
```
OK, updating at login seems fine; however, periodic queries/hunts would potentially use whatever the last value was, since those happen when the user isn't logged in. ex:
How would that scenario play out in a manual role edit of a user, i.e. the way it's currently managed?
Since Arkime would be the authoritative source, it would work as expected.
Could the query role update and fail when the user next logs in?
I don't think there is any standard way. Basically, if you want to demote a user, you'll still need to use the Arkime users page if they don't log in often.
Is your feature request related to a problem? Please describe.
Currently, when configuring OIDC sign-in with userAutoCreateTmpl=, the account is created with standard roles regardless of the user.

Describe the solution you'd like
When signing in via OIDC, mapping roles to Arkime roles happens within the user template. For example, an OIDC role arkime-admins maps to superAdmin, analyst maps to arkimeUser, etc.

Describe alternatives you've considered
While the mapping could be done manually, this removes the SSO advantage of having roles mapped in a single location (the IdP).

Additional context
N/A
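The following is an added example, not Arkime's own code and not part of this issue, showing the login-time mapping discussed in the thread: it reads the IdP roles from realm_access.roles of the decoded token posted above, applies a mapping table from IdP roles to Arkime roles (superAdmin, arkimeUser) in the spirit of the request in the issue body, and computes the add/remove delta against the roles already stored for the user so that a demotion at the IdP takes effect on the next login. The mapping table, the claim path option, the default-role fallback and the helper names are assumptions made for the example; the claims object is constructed from the redacted token in the thread, with signature verification assumed to have already happened.

```javascript
// Added example (not Arkime's implementation): map OIDC token roles to Arkime roles at login.
// Assumptions: the IdP publishes roles under realm_access.roles (as in the Keycloak token in
// the thread); the mapping table below is chosen for illustration; the singular "arkime-admin"
// is used because that is the role name that appears in the posted token.

// Constructed claims, abridged from the redacted token posted in the thread.
const claims = {
  sub: '5277c950-47d9-46e5-930e-b1c935e2fe51',
  preferred_username: 'sso-admin',
  realm_access: {
    roles: ['zabbix-admin', 'gitlab-admin', 'admin', 'arkime-admin', 'ipausers'],
  },
};

// Assumed mapping table: IdP role -> Arkime roles it grants. Anything not listed here
// (including a generic "admin" role shared with other applications) grants nothing.
const roleMap = {
  'arkime-admin': ['superAdmin'],
  'analyst': ['arkimeUser'],
};

// Assumed fallback when the token carries no role this deployment recognises.
const DEFAULT_ROLES = ['arkimeUser'];

// Walk a dotted path such as "realm_access.roles" through the decoded claims.
function getClaimPath(obj, path) {
  return path.split('.').reduce(
    (cur, key) => (cur && typeof cur === 'object' ? cur[key] : undefined),
    obj,
  );
}

// Translate IdP roles into Arkime roles. Returns the resulting role list plus which
// IdP roles matched and which were ignored, so the decision can be logged at login.
function mapIdpRoles(tokenClaims, { claimPath = 'realm_access.roles', roleMap, defaultRoles = [] }) {
  const idpRoles = getClaimPath(tokenClaims, claimPath);
  if (!Array.isArray(idpRoles)) {
    // Missing or malformed claim: fall back to the defaults instead of failing open.
    return { roles: [...defaultRoles], matched: [], unmatched: [] };
  }
  const roles = new Set();
  const matched = [];
  const unmatched = [];
  for (const r of idpRoles) {
    if (typeof r !== 'string') continue;
    if (Object.prototype.hasOwnProperty.call(roleMap, r)) {
      matched.push(r);
      roleMap[r].forEach((arkimeRole) => roles.add(arkimeRole));
    } else {
      unmatched.push(r);
    }
  }
  if (roles.size === 0) defaultRoles.forEach((r) => roles.add(r));
  return { roles: [...roles].sort(), matched, unmatched };
}

// Delta between the roles stored for the user and the roles the token now grants.
// "remove" is the demotion case: a role the IdP withdrew since the last login.
function diffRoles(storedRoles, tokenRoles) {
  const stored = new Set(storedRoles);
  const fresh = new Set(tokenRoles);
  return {
    add: [...fresh].filter((r) => !stored.has(r)).sort(),
    remove: [...stored].filter((r) => !fresh.has(r)).sort(),
  };
}

// Usage: resolve roles from the token and compute what to change on the stored user.
const resolved = mapIdpRoles(claims, { roleMap, defaultRoles: DEFAULT_ROLES });
const delta = diffRoles(['arkimeUser'], resolved.roles);
console.log(JSON.stringify({ resolved, delta }));
```

The delta is only applied when the user actually signs in, which is the limitation raised in the thread: hunts or periodic queries that run while the user is logged out keep using whatever roles were stored at the previous login, so a demotion at the IdP for a rarely-seen user still has to be applied through the Arkime users page.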