Org-Level Auth Enforcement for SAML Orgs and Enhancements for SAML SSO #1372
Conversation
…g enableAuth field
…ug section in org settings, revise navigate to org flow to account for org-level auth enforced orgs
|
| GitGuardian id | GitGuardian status | Secret | Commit | Filename | |
|---|---|---|---|---|---|
| 8529478 | Triggered | Generic High Entropy Secret | f1c41be | .env.example | View secret |
🛠 Guidelines to remediate hardcoded secrets
- Understand the implications of revoking this secret by investigating where it is used in your code.
- Replace and store your secret safely. Learn here the best practices.
- Revoke and rotate this secret.
- If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.
To avoid such incidents in the future consider
- following these best practices for managing and storing secrets including API keys and other credentials
- install secret detection on pre-commit to catch secret before it leaves your machine and ease remediation.
🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.
Our GitHub checks need improvements? Share your feedbacks!
… to toggle auth methods regardless of what org they are in
dangtony98
changed the title
There was a problem hiding this comment.
Left small comments. I have tested the CLI with these changes and it works as expected. I also tried sign up and that too works. I couldn't try invite user to org because i got 500 so you might have to see what is up with that.
Did not try the SAML flow in gamma, i think it might be better if you test that.
FYI: these this branch has been deployed to gamma
.../src/views/Settings/OrgSettingsPage/components/OrgSlugChangeSection/OrgSlugChangeSection.tsx
Show resolved
Hide resolved
| @@ -342,7 +348,7 @@ export const samlConfigServiceFactory = ({ | |||
| email, | |||
| firstName, | |||
| lastName, | |||
| authMethods: [authProvider] | |||
| authMethods: [AuthMethod.EMAIL] | |||
There was a problem hiding this comment.
Why did we change this was authProvider not email already?
There was a problem hiding this comment.
No. Previously, we updated a field on users to specify that their authentication method is now SAML but this is incorrect because SAML authentication should be bound at the organization-level instead of the user-level since a user can be part of multiple organizations, some of which may have SAML enforcement and others which may not. So, users can now retain their personal login methods like Email / Google / GitHub / GitLab whilst being SAML-enforced for specific organizations that have that enforcement.
You'll notice that in this PR we change how we deal with SAML auth validation in the underlying data structure. This adds flexibility such that users can use regular email/password to log into non-org level auth enforced organizations and be required to login with SAML for those that have that enforcement.
The specific line here means that, if the user does not yet exist, a new one is created with the default email/password auth method instead of having SAML as their auth method because, as I mentioned above, SAML is bound at the org-level not at the user-level.
There was a problem hiding this comment.
Curious, what happens if I am apart of a org that has SAML sso configured? Will i just not see those orgs or will it prompt me to login when i switch to that org?
…nvite saml block to org authEnforce field
Description 📣
Foremost, this PR enforces users that want to access the resources of an organization with an org-level auth method enabled to have to log in via that organization's specified auth method such as SAML SSO to do so. This means that if a user is part of two organizations, one that does not have SAML-enabled and one that does, then they cannot log into the non-SAML-enabled organization and switch organizations to access the SAML-based one's resources.
This PR also sprinkles in a few other related improvements for working with org-level authentication. More specifically, the changes covered include:
Accessing an organization with an org-level auth method enabled for users now requires an access token to be issued with the correct
organizationIdin its payload. This field is only attached onto access tokens if users log in via an organization auth method such as SAML SSO.We now separate the concepts of activating SAML SSO (referred to as
isActiveon thesamlConfigtable) in an organization with enforcing it (referred to asauthEnforcedon theorganizationtable) to prevent users setting up SAML SSO from getting locked out of their organization. Previously, you could configure SAML, activate it, then log out — only to realize that you've locked yourself out because the SAML configuration required to log you back in wasn't valid. With this update, you must now successfully test the SAML configuration by logging in correctly, thus registering alastUsedtimestamp on the SAML object in the DB, before enforcing it for the organization. Once enforced, users must log in via SAML to access the organization's resources.Logging in with SAML (Infisical-initiated) now requires users to input their organization slug which is much easier to keep track of than the SAML SSO config ID. Related: I've added an update organization slug section in the Organization Settings.
Type ✨