gravitational / teleport

The easiest, and most secure way to access and protect all of your infrastructure.
https://goteleport.com
GNU Affero General Public License v3.0

Adjust OneLogin docs #29950

Open programmerq opened 11 months ago

programmerq commented 11 months ago

Applies To

https://goteleport.com/docs/access-controls/sso/one-login/

Details

The screenshot here shows creating a "groups" field that is a statically defined single value of "admin". A more useful example would be to show how to map OneLogin user roles to a SAML attribute.

I handled a request where this procedure wasn't obvious from the existing doc. I ended up creating a OneLogin developer account so I could step through the procedure myself.

How will we know this is resolved?

A user can follow the guide and successfully map OneLogin multi-value fields to something Teleport can use.

Currently, if someone follows the guide and doesn't choose the "multi value" option at the time the parameter is created, mapping "User Roles" will lead to a single string that is all the OneLogin roles delimited by a semicolon.

response

Here's the snippet from my customer-facing response that could be adapted to our guide.

Click on the "+" to add a new field.

Name it groups, and select both the "Include in SAML assertion" and "Multi-value parameter" checkboxes. Click Save.

[screenshot: 02_newfield]

This will make the "Edit Field groups" dialog pop up. Leave the value blank. Under "Default if no value selected", choose "User Roles" in the dropdown. In the second dropdown, choose "Semicolon Delimited input (Multi-value output)". The "Include in SAML assertion" flag should still be checked. Click save.

[screenshot: 04_editfield]

In my test environment, I created a test user called 'superman'. I added them to the 'Default', 'dc', and 'heroes' roles in OneLogin. When logging in to my teleport lab, I was able to confirm that the following assertion came from OneLogin when my browser did the POST to the OneLogin service:

    <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="groups">
        <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Default</saml:AttributeValue>
        <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">dc</saml:AttributeValue>
        <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">heroes</saml:AttributeValue>
    </saml:Attribute>

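
As an added illustration (not code from the issue, and not Teleport's own implementation): a small Go program that parses a `groups` attribute like the one quoted above and shows why the semicolon-delimited single value produced without the "Multi-value parameter" option never matches a per-value role mapping. The two assertion fragments are constructed, and `MapRoles` is a simplified stand-in for Teleport's `attributes_to_roles` matching (exact match per value is an assumption of this example).

```go
package main

import (
	"encoding/xml"
	"fmt"
	"strings"
)

// samlAttribute models the <saml:Attribute> quoted in the issue (constructed here, not Teleport's types); no namespace is pinned, so the saml: prefix need not be declared.
type samlAttribute struct {
	XMLName xml.Name `xml:"Attribute"`
	Name    string   `xml:"Name,attr"`
	Values  []string `xml:"AttributeValue"`
}

// Constructed fragments: the multi-value form from the issue, and the single-string form produced when "Multi-value parameter" was not selected at field creation.
const (
	multiValue  = `<saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Name="groups"><saml:AttributeValue>Default</saml:AttributeValue><saml:AttributeValue>dc</saml:AttributeValue><saml:AttributeValue>heroes</saml:AttributeValue></saml:Attribute>`
	singleValue = `<saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Name="groups"><saml:AttributeValue>Default;dc;heroes</saml:AttributeValue></saml:Attribute>`
)

// ParseAttribute returns the named attribute's values, or nil on parse error or name mismatch.
func ParseAttribute(fragment, name string) []string {
	var a samlAttribute
	if err := xml.Unmarshal([]byte(fragment), &a); err != nil || a.Name != name {
		return nil
	}
	return a.Values
}

// MapRoles stands in for a Teleport attributes_to_roles mapping, simplified to an exact match per value; "Default;dc;heroes" therefore never matches an entry for "heroes".
func MapRoles(values []string, valueToRoles map[string][]string) []string {
	var roles []string
	for _, v := range values {
		roles = append(roles, valueToRoles[v]...)
	}
	return roles
}

// LooksDelimited flags the symptom from the issue: one value holding several roles joined by ';'.
func LooksDelimited(values []string) bool {
	return len(values) == 1 && strings.Contains(values[0], ";")
}

func main() {
	for _, f := range []string{multiValue, singleValue} {
		vals := ParseAttribute(f, "groups")
		fmt.Println(vals, MapRoles(vals, map[string][]string{"heroes": {"access"}}), LooksDelimited(vals))
	}
}
```

Running it prints one line per fragment: the multi-value form yields three values and the `access` role, while the single-string form yields one value, no role, and a `true` from `LooksDelimited`, which is the cue to re-create the field with the multi-value option.
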
tigrato commented 11 months ago

One thing I've seen while doing support is that it's very difficult for users to configure SSO (Azure, Okta, OneLogin...) correctly.

It is very difficult to understand the concepts of role mapping and especially how to add claims for GCP service accounts, SSH logins, DB users... Most of the time, when I found support tickets related to SSO, it was because there was a conceptual barrier too complex to be overcome without help. I think we should simplify our guides and add more detail.

We should rework all our guides to include: