gravitational / teleport

The easiest, and most secure way to access and protect all of your infrastructure.
https://goteleport.com
GNU Affero General Public License v3.0

Document SAML for Google Workspace #8831

Open benarent opened 2 years ago

benarent commented 2 years ago

What

We currently recommend using OIDC for Google Workspace. As I was testing it for the test plan, I was reminded of the pain and yak shave of setting it up. Workspace is pushing SAML. For example, see the Sentry docs, which provide better step-by-step instructions for the provider (e.g. Sentry).

Related task: https://github.com/gravitational/teleport/issues/4940

stevenGravy commented 2 years ago

The issue I ran into with SAML in Google Workspace is that it wasn't sending the groups the user was in, which OIDC does.

espadolini commented 2 years ago

Apparently there's a beta program that lets you push selected Google groups through SAML if the user is directly or transitively in them. That's better than what we're currently doing with OIDC, and we'd have to do nothing on our side for it. See https://support.google.com/a/answer/6087519?hl=en

zmb3 commented 2 years ago

@espadolini is this resolved with your Google Workspace changes from earlier this year?

espadolini commented 2 years ago

It seems like Google has finally released Google group mapping for SAML apps in GA, so if anything we should follow through with the idea of deprecating OIDC for Google Workspace and adding docs on how to use SAML instead.

espadolini commented 1 year ago

SAML is not an option for all users - it's perfectly legitimate to have a role that says

allow:
  kubernetes_groups:
  - "foo-{{internal.groups}}"

and such a role would inherently require access to the entire group list, which is not something that's available with the SAML group forwarding. 😢

There's nothing that stops us from doing whatever we're already doing for OIDC and adding it to SAML, but realistically the only benefit would be IdP-initiated logins, and if you're going out of your way to define a GCP project for a service account you might as well just also use the OIDC connector in the project rather than add a SAML one.

I feel like logging in with Google SSO with SAML is still worth documenting; I would imagine that not all users are actually interested in all groups, and if you're only interested in a select few then it's way simpler to configure a SAML connector on the Google Workspace side.
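The two set-ups being contrasted in the comment above, written out as an added illustration rather than anything from the thread or the Teleport project's own docs. The cluster URL, connector names, group addresses, client credentials and the service-account file path are placeholders. The first connector is the OIDC one, which reads the user's full Google group membership through a Workspace service account and so can feed a template like `foo-{{internal.groups}}`; the second is a SAML connector that only ever sees the handful of groups the Workspace admin chose to forward in the SAML app, so it maps those explicitly to roles.

```yaml
# OIDC connector: full group list fetched from the Workspace Admin SDK
# (placeholders throughout; not a real deployment).
kind: oidc
version: v3
metadata:
  name: google
spec:
  display: Google
  issuer_url: https://accounts.google.com
  client_id: <GOOGLE-CLIENT-ID>
  client_secret: <GOOGLE-CLIENT-SECRET>
  redirect_url: https://teleport.example.com:443/v1/webapi/oidc/callback
  # Service-account key used to list the user's groups via the Admin SDK.
  google_service_account_uri: /var/lib/teleport/gws-creds.json
  # Workspace admin the service account impersonates when reading groups.
  google_admin_email: admin@example.com
  # Also include groups the user belongs to only through nested groups.
  google_transitive_groups: true
  claims_to_roles:
    # Every group the user is in lands in the "groups" trait,
    # which is what {{internal.groups}} expands from in a role.
    - claim: groups
      value: "*"
      roles: [k8s-by-group]
---
# Role template that needs the complete group list: each group the user
# belongs to becomes a "foo-<group>" Kubernetes group.
kind: role
version: v7
metadata:
  name: k8s-by-group
spec:
  allow:
    kubernetes_labels:
      "*": "*"
    kubernetes_groups:
      - "foo-{{internal.groups}}"
---
# SAML connector: only the groups selected in the Workspace SAML app
# arrive in the assertion, so map each one explicitly instead of templating.
kind: saml
version: v2
metadata:
  name: google-workspace
spec:
  display: Google
  acs: https://teleport.example.com:443/v1/webapi/saml/acs/google-workspace
  # IdP metadata downloaded from the Workspace SAML app (placeholder URL).
  entity_descriptor_url: https://accounts.google.com/o/saml2/idp?idpid=<IDP-ID>
  attributes_to_roles:
    # "groups" is the attribute name configured on the Workspace side.
    - name: groups
      value: teleport-admins@example.com
      roles: [editor]
    - name: groups
      value: teleport-users@example.com
      roles: [access]
```

With the SAML connector a user who is in a group that was not selected for forwarding simply gets no role from it, which is fine when only a few groups matter; the OIDC path is the one to keep when roles are generated from whatever groups the user happens to be in.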

stevenGravy commented 1 year ago

Example here. https://github.com/gravitational/teleport/discussions/20630