Does not appear to support SSO based users #8
Comments
@ttripp Can you try authenticating with a domain prefix that identifies the account? The subdomain can be set for each Morpheus tenant. The default subdomain value is the tenant ID, so if your identity source is for the master tenant, it will be 1 and the full username passed would be: 1\ttripp. Let me know if that resolves your problem. Thanks! |
I tried, but this doesn't seem to resolve the problem. The issue is that this tenant has an identity source that is an external identity provider. E.g.
When we log into this account via the UI, we provide the account in the URL. E.g. https:/<IP_ADDRESS>/login/account/2. This presents us a screen where we can choose the identity provider to login with "Login With". We see our SAML provider, click on it, it redirects us to the SAML based IDP where we login and then the IDP sends the SAML back to Morpheus which logs us in. I don't see any similar kind of a flow happening with the CLI. Is this supported? I tried setting subdomain of 2\username and I saw that in settings we had a name for the subdomain, so I tried that \username. I also tried setting up a remote with that, but it didn't work.
|
I see. The remote URL in the CLI will always be formatted without any path, like the saml-direct one you are using there. |
Note that our Morpheus install has several SAML identity sources if that makes a difference. Here are a series of logins. The very first one is demonstrating that a local (non-SAML) user is able to login. Then I show using 2\ 2\ \ \
I believe this should be doing a SAML redirect flow and opening a browser window where the user signs in and then redirects back to Morpheus to complete the login flow in order to work properly with an SSO provider. Instead, this is attempting to directly do the OAuth password grant flow where it expects to take in the user's password directly. Here's an OIDC example: https://medium.com/@balaajanthan/openid-flow-from-a-cli-ac45de876ead |
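The CLI side of the browser-redirect login described in the comment above, as an added example that is not part of this issue or of the Morpheus CLI: a one-shot loopback listener that the CLI would open before sending the user to the IdP, which accepts the redirect back only when it carries the random `state` issued for this login attempt. The `/callback` path, the `code`/`state` parameter names and the `simulate_idp_redirect` helper (which stands in for the browser) are assumptions for illustration, not Morpheus behaviour.

```python
import http.client
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode, urlparse

class LoginCallback:
    """One-shot loopback listener for the IdP's redirect back to the CLI."""
    def __init__(self):
        self.state = secrets.token_urlsafe(32)  # bound to this login attempt only
        self.result = None                      # ("ok", code) or ("error", reason)
        self.server = HTTPServer(("127.0.0.1", 0), self._handler())  # ephemeral port

    def redirect_uri(self):
        return f"http://127.0.0.1:{self.server.server_address[1]}/callback"

    def _handler(self):
        cb = self
        class Handler(BaseHTTPRequestHandler):
            def do_GET(self):
                q = parse_qs(urlparse(self.path).query)
                code, state = q.get("code", [None])[0], q.get("state", [None])[0]
                # Accept only a callback carrying the state we issued; an injected
                # or replayed code under another state is never exchanged for a token.
                if code and state == cb.state:
                    cb.result, status = ("ok", code), 200
                else:
                    cb.result, status = ("error", "state mismatch or missing code"), 400
                self.send_response(status)
                self.end_headers()

            def log_message(self, *_):  # keep CLI output quiet
                pass
        return Handler

    def wait_once(self, timeout=60):
        """Serve exactly one redirect (or time out), then stop listening."""
        self.server.timeout = timeout
        self.server.handle_request()
        self.server.server_close()
        return self.result

def simulate_idp_redirect(cb, code, state):
    """Stands in for the browser (assumed helper): hit the callback URL in the background."""
    port = cb.server.server_address[1]
    def hit():
        c = http.client.HTTPConnection("127.0.0.1", port)
        c.request("GET", "/callback?" + urlencode({"code": code, "state": state}))
        c.getresponse().read(); c.close()
    threading.Thread(target=hit, daemon=True).start()
```

In a real CLI the `code` returned by `wait_once` would then be exchanged for a token server-side, and the listener must be closed after the single expected redirect, as done here.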
Ah ok. It sounds like requiring authentication with redirect is not going to work for API use. I thought that was only the case when the SAML 's |
@ttripp After looking closer at this, I think your use case (that authentication model) is one we don't yet support with the API. It should be available in a near future release though. |
@jamesdickson6 The command you mentioned doesn't work:
|
Oops! It should have read |
Ok, here it is:
Do you have a timeline when this will be supported? It seems that your API first needs to support it. Also, do you have an OpenAPI 3.0 (Swagger) version of your API docs available instead of just the hosted HTML version? |
That's right, it will be an API enhancement first. I don't have an exact timeline for either of these, but I expect it might be done in the next release cycle or two (1-2 months). Cheers, |
Another question, is there a way to supply an access token to the CLI instead of doing interactive login? My thought is that in the meantime, I could write a wrapper service that logs the user in via SSO, then generate an access token with a username and password I control and just supply the access token to the CLI rather than giving them direct access to the local account. |
That's a pretty good idea. |
Thanks @jamesdickson6 Is there an API to revoke / invalidate the token? |
No problem, happy to help. |
@ttripp I did terrible proofreading on that last comment and had to edit a few things so, as always, just let me know if you have any questions or issues. |
Thanks, @jamesdickson6 I'll look at this to see if it is a reasonable workaround in the short term. Looking forward to OpenAPI and true SSO login for the API. |
Following up on this. Have there been any updates to the Morpheus API to support true SSO login for the API? As a reminder, if we have a SAML or OIDC trust relationship from Morpheus to our IDP we would like to be able to get API tokens issued for Morpheus that
|
Based on the API documentation, the only way to retrieve an access token is by username and password. We've enabled Morpheus with a SAML IDP. It does not look like SSO based access is supported via API and CLI:
Is there a way to get an access token for SSO users?