Given an account with SSO integrated, it's essential to be able to map groups of user's external to provider to the platform groups. This feature covers how this can be achieved and capabilities which will be provided to customer to be able to configure them.
Concepts
Association: Associating a user with a given group retrieved by its external authentication provider
External Group: Groups inherited from external authentication provider
Group: Stackspot/IAM group
Named Capture Group: A REGEX capture group with a name binded to it
Usecase Flow
Association
Setup SSO
A user authenticates using SSO
Their external groups are associated to their Stackspot user
User is able to access the resources granted by Stackspot groups their got associated with
Disassociation
Setup SSO
A user authenticates using SSO
Their external groups are associated to their Stackspot user
User is able to access the resources granted by Stackspot groups their got associated with
User loses some external groups in SSO provider
When user reauthenticates in platform the respective groups removed in the SSO provider gets removed as well in platform
Proposed Solution
Creation of a group mapper REGEX where a rule is set and the captured external group is the group name to associate the user with. If user is not in the group then they are inserted into it.
To perform disassociation, the same REGEX is applied to user's current groups and if any filtered group is not in the external groups it gets removed.
Mapper configuration
Raw
Raw REGEX query is performed in a given group table column.
Capture group example: (?<name>\d{4})
Possible names for capture group:
name query will be performed using table column called name
slug query will be performed using table column called slug
Example usage:
(?<name>^.*$) will map the exact external group name to group, so if there is a external group in users authentication named FW4-FW4-P_AI_STACKSPOT_ADMIN_V2 the user will be added to group FW4-FW4-P_AI_STACKSPOT_ADMIN_V2 in the platform as well. The follwing query will be executed: SELECT * from groups where name = 'FW4-FW4-P_AI_STACKSPOT_ADMIN_V2'
Default
Pre computed configuration where the REGEX get parsed and pre-determined operations are already setup
All rules are exclusive (only one applies at time)
Capture group example: (?<name>\d{4})
Capture Group Prefixes (column that query will be performed)
name: Find by group name
slug: Find by group slug
Capture Group Suffixes:
_endswith: retrieves all groups that ends with captured value
_startswith: retrieves all groups that starts with captured value
_contains: retrieves all groups that contains captured value
_match: retrieve all groups that matches captured value
Simple Example usage:
(?<name_startswith>\ABC_) -> SELECT from groups where name like 'ABC_%' (all groups that name starts with ABC_)
(?<name_endswith>\_CDE)SELECT from groups where name like '%_CDE' (all groups that name ends with _CDE)
(?<name_contains>\ABC) -> SELECT from groups where name like '%ABC%' (all groups that name contains with ABC)
(?<name_match>\ABC) -> SELECT from groups where name = 'ABC' (all groups that name equals ABC)
Dynamic matching usage:
^FW4-FW4-P_(?<name_match>.*)$ -> Will capture any remaining text that comes after FW4-FW4-P_ and perform a match search in group table using column name. Example:
If this external group is present in users authentication FW4-FW4-P_AI_STACKSPOT_ADMIN_V2 their will be added to group AI_STACKSPOT_ADMIN_V2 by the execution of the following query: SELECT * from groups where name = 'AI_STACKSPOT_ADMIN_V2'
All suffixes modes are available to be used as well
Description
Given an account with SSO integrated, it's essential to be able to map groups of user's external to provider to the platform groups. This feature covers how this can be achieved and capabilities which will be provided to customer to be able to configure them.
Concepts
Usecase Flow
Association
Disassociation
Proposed Solution
Creation of a group mapper REGEX where a rule is set and the captured external group is the group name to associate the user with. If user is not in the group then they are inserted into it.
To perform disassociation, the same REGEX is applied to user's current groups and if any filtered group is not in the external groups it gets removed.
Mapper configuration
Raw
Raw REGEX query is performed in a given group table column.
Capture group example:
(?<name>\d{4})Possible names for capture group:
namequery will be performed using table column callednameslugquery will be performed using table column calledslugExample usage:
(?<name>^.*$)will map the exact external group name to group, so if there is a external group in users authentication namedFW4-FW4-P_AI_STACKSPOT_ADMIN_V2the user will be added to groupFW4-FW4-P_AI_STACKSPOT_ADMIN_V2in the platform as well. The follwing query will be executed:SELECT * from groups where name = 'FW4-FW4-P_AI_STACKSPOT_ADMIN_V2'Default
Pre computed configuration where the REGEX get parsed and pre-determined operations are already setup
All rules are exclusive (only one applies at time)
Capture group example:
(?<name>\d{4})Capture Group Prefixes (column that query will be performed)
name: Find by group nameslug: Find by group slugCapture Group Suffixes:
_endswith: retrieves all groups that ends with captured value_startswith: retrieves all groups that starts with captured value_contains: retrieves all groups that contains captured value_match: retrieve all groups that matches captured valueSimple Example usage:
(?<name_startswith>\ABC_)->SELECT from groups where name like 'ABC_%'(all groups that name starts withABC_)(?<name_endswith>\_CDE)SELECT from groups where name like '%_CDE'(all groups that name ends with_CDE)(?<name_contains>\ABC)->SELECT from groups where name like '%ABC%'(all groups that name contains withABC)(?<name_match>\ABC)->SELECT from groups where name = 'ABC'(all groups that name equalsABC)Dynamic matching usage:
^FW4-FW4-P_(?<name_match>.*)$-> Will capture any remaining text that comes afterFW4-FW4-P_and perform a match search in group table using column name. Example:If this external group is present in users authentication
FW4-FW4-P_AI_STACKSPOT_ADMIN_V2their will be added to groupAI_STACKSPOT_ADMIN_V2by the execution of the following query:SELECT * from groups where name = 'AI_STACKSPOT_ADMIN_V2'All suffixes modes are available to be used as well