Open programmerq opened 11 months ago
One thing I've seen while doing support is that it's very difficult for users to configure SSO (Azure, Okta, Onelogin...) correctly.
It is very difficult to understand the concepts of role mapping and especially how to add claims for GCP service accounts, SSH logins, DB users... Most of the time I found support tickets related to SSO, it was because there was a conceptual barrier too complex to be overcome without help. I think we should simplify our guides and add more detail.
We should rework all our guides to include:
Applies To
https://goteleport.com/docs/access-controls/sso/one-login/
Details
The screenshot here shows creating a "groups" field that is a statically defined single value of "admin". A more useful example would be to show how to map OneLogin user roles to a SAML attribute.
I handled a request where this procedure wasn't obvious from the existing doc. I ended up creating a OneLogin developer account so I could step through the procedure myself.
How will we know this is resolved?
A user can follow the guide and successfully map OneLogin multi-value fields to something Teleport can use.
Currently, if someone follows the guide and doesn't choose the "multi value" option at the time the parameter is created, mapping "User Roles" will lead to a single string that is all the OneLogin roles delimited by a semicolon.
Response
Here's the snippet from my customer-facing response that could be adapted to our guide.
Click on the "+" to add a new field. Name it "groups", and select both the "Include in SAML assertion" and "Multi-value parameter" checkboxes. Click Save. This will make the "Edit Field groups" dialog pop up. Leave the value blank. Under "Default if no value selected", choose "User Roles" in the dropdown. In the second dropdown, choose "Semicolon Delimited input (Multi-value output)". The "Include in SAML assertion" flag should still be checked. Click Save.
In my test environment, I created a test user called 'superman'. I added them to the 'Default', 'dc', and 'heroes' roles in OneLogin. When logging in to my teleport lab, I was able to confirm that the following assertion came from OneLogin when my browser did the POST to the OneLogin service:
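As an added illustration that is not part of the issue above (and not the assertion the author captured): two constructed, simplified SAML assertions for the "groups" attribute, one in the single-value semicolon-delimited form and one in the multi-value form, parsed and run through an exact-match role mapping written in the shape of a Teleport connector's attributes_to_roles block with hypothetical values.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed, simplified assertions (not real OneLogin output). The first is
# what a "groups" field produces when it was NOT created as a multi-value
# parameter: one AttributeValue holding the semicolon-delimited role list.
# The second is the multi-value form the guide should lead users to.
SINGLE_VALUE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement><saml:Attribute Name="groups">
    <saml:AttributeValue>Default;dc;heroes</saml:AttributeValue>
  </saml:Attribute></saml:AttributeStatement></saml:Assertion>"""

MULTI_VALUE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement><saml:Attribute Name="groups">
    <saml:AttributeValue>Default</saml:AttributeValue>
    <saml:AttributeValue>dc</saml:AttributeValue>
    <saml:AttributeValue>heroes</saml:AttributeValue>
  </saml:Attribute></saml:AttributeStatement></saml:Assertion>"""

# Hypothetical attributes_to_roles list in the shape of a Teleport SAML
# connector: grant `roles` when attribute `name` carries value `value`.
ATTRIBUTES_TO_ROLES = [
    {"name": "groups", "value": "heroes", "roles": ["access"]},
    {"name": "groups", "value": "dc", "roles": ["editor"]},
]

def attribute_values(assertion_xml: str, attr_name: str) -> list[str]:
    """Return the text of every AttributeValue under the named SAML attribute."""
    # A real SP validates the assertion signature before trusting any of this.
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") == attr_name:
            for v in attr.iterfind("saml:AttributeValue", NS):
                values.append((v.text or "").strip())
    return values

def map_roles(values: list[str], mappings: list[dict], attr_name: str = "groups") -> set[str]:
    """Exact-match role mapping (Teleport also accepts glob/regex values; not modelled)."""
    roles: set[str] = set()
    for m in mappings:
        if m["name"] == attr_name and m["value"] in values:
            roles.update(m["roles"])
    return roles

def roles_from_assertion(assertion_xml: str) -> set[str]:
    """Roles the mapping above grants for the groups attribute in this assertion."""
    return map_roles(attribute_values(assertion_xml, "groups"), ATTRIBUTES_TO_ROLES)
```

With the single-value form the only attribute value is the whole string "Default;dc;heroes", so neither mapping entry matches and the user gets no roles; the multi-value form yields three separate values and both entries match.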