single sign on - How to set up the initial user/role when enabling SAML SSO


We are the service provider. Suppose that in our application we have our own user/role management: different users have different roles and are allowed to use different features. When a user logs in we need to know which roles the user has, and prepare the appropriate UI. We have an administrator role; users with that role can assign roles to other users.

We are thinking of enabling SAML SSO for our application, and the problem is how to set up the roles for each user.

Solution 1 relies on the IdP to provide role information for each login user. The role information may come along with the assertion, but this may not work with all IdPs.

Solution 2: retrieve the user from the IdP and manage the roles in our own application. For example, when we get the assertion, retrieve the username (or email address) and match it to a record in our DB; if it doesn't exist, automatically create a new user. We rely on users with the administrator role to assign the correct role to the new user.

Now the question is where the first administrator is coming from. Our customer gets our application and turns on SAML SSO; there are no users in the DB yet, so how can we resolve such a bootstrapping issue? Is there any kind of standard way? I have come up with different options but am not sure which is better, and I have concerns about each option.

Option 1: have a default built-in administrator user. There is a regular native login page where built-in users can log in without going through the IdP (there is an option to turn it on/off if SAML SSO is enabled).

Option 2: during SAML SSO setup, ask for an administrator user name, and automatically create that user in our DB with the administrator role. When the user logs in through the IdP we match him in our DB.

What other options are there?

For the first question: you should handle the roles yourselves. I understand that every customer has one instance of the service provider software, and connects it to a central IdP of their own. If that is the case, it feels complex to let administrators handle roles on the IdP. Go with number two.

About question number two: I have been in the same situation and cannot remember having seen an obvious standard solution for this.

What we did was option 2. It works fine but adds complexity to the install procedure. We chose it because we did not have a native login page. The thing is, maybe it would be better to go with option 1.
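The bootstrap flow recommended above (option 2 for the first administrator, solution 2 for everyone else), as an added example that is not part of the question or answer. It is hypothetical throughout: an in-memory table stands in for the application's own user database, and the SAML assertion is reduced to the NameID/email value the application actually matches on.

```python
"""Added example, not from the original post: SAML SSO bootstrap via
'option 2' (seed one administrator during setup) combined with
'solution 2' (just-in-time creation of users from the assertion,
roles managed locally rather than taken from the IdP)."""
from dataclasses import dataclass, field

ADMIN, USER = "administrator", "user"


@dataclass
class UserStore:
    # Hypothetical stand-in for the application's DB: email -> set of roles
    users: dict = field(default_factory=dict)

    def enable_sso(self, admin_email: str) -> None:
        """Setup step: the installer names the first administrator so the
        DB is not empty once the native login page is no longer used."""
        if any(ADMIN in roles for roles in self.users.values()):
            raise RuntimeError("SSO already bootstrapped with an administrator")
        self.users[admin_email.lower()] = {ADMIN}

    def login_from_assertion(self, name_id: str) -> set:
        """Match the asserted identity (NameID/email) to a local record.
        Unknown users are created with the plain user role; roles are
        never read from the assertion, so any IdP works."""
        key = name_id.lower()
        if key not in self.users:
            self.users[key] = {USER}
        return set(self.users[key])

    def assign_role(self, actor: str, target: str, role: str) -> None:
        """Only a local administrator may grant roles, and only to users
        that already exist (i.e. have logged in through the IdP once)."""
        if ADMIN not in self.users.get(actor.lower(), set()):
            raise PermissionError(f"{actor} is not an administrator")
        if target.lower() not in self.users:
            raise KeyError(f"{target} has not logged in yet")
        self.users[target.lower()].add(role)


if __name__ == "__main__":
    store = UserStore()
    store.enable_sso("Alice@Example.com")          # constructed sample values
    print(store.login_from_assertion("alice@example.com"))  # first IdP login
    print(store.login_from_assertion("bob@example.com"))    # auto-created
    store.assign_role("alice@example.com", "bob@example.com", ADMIN)
    print(store.login_from_assertion("bob@example.com"))
```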

