remind101 / empire

A PaaS built on top of Amazon EC2 Container Service (ECS)
BSD 2-Clause "Simplified" License
2.69k stars 159 forks

Can you require SSO on GitHub without setting up SSO on empire? #1149

Closed coilysiren closed 5 years ago

coilysiren commented 5 years ago

Preface

The situation I am presented with is such: we have a mid-sized engineering organization (~50 engineers) and several empire stacks (~6). I'm helping the organization migrate to required SSO on GitHub, and trying to minimize the amount of work I have to do.

The Question

Can you require SSO on GitHub without requiring SSO on Empire?

Supporting Context

I think the answer to this question is yes, and here is why:

First, when you emp login you are logging into GitHub, not logging into your organization. Required SSO on your GitHub organization will change the login behavior, because

You must periodically log in to your SAML provider to authenticate and gain access to the organization's resources on GitHub.

(emphasis mine)

Second, when empire asks if a user is a bit of a group, that group is requested with the empire application's credentials, and the user will appear to be a part of a group regardless of if they have logged in with SSO or not.

What I Need Here

I would like it if someone could validate the truthfulness of the statements I made in the Supporting Context section. I'll be looking through code / running tests to validate them myself, but would appreciate anyone else's evidence / input.

coilysiren commented 5 years ago

So the answer to this question was yes, but as of this change it's now a no.