XCP-ng
    Latest posts made by MrBaz

    • RE: SAML, automatic user generation

      @pdonias said in SAML, automatic user generation:

      Hi @mrbaz, thanks for the feedback.

      I'm not sure why it's an issue for you that the user account is automatically created in XO.

      literally anyone who properly authenticates will be able to log in to XO

      Isn't it the point? You seem to be raising a security issue here, but I'm not sure what it is. Could you clarify it?

      Thanks!

      For SSO and ease of setting up clients, no. Other applications I have running SSO offer me the option to enable or disable automatic user generation. Just because a user can authenticate, doesn't mean they have authorization. By only allowing automatic user generation, you break the AA scope. This means in order to safely configure the application, I have to bring additional configuration complexity to the identity management provider than necessary.

      If XO had a way of pulling the user's group information and only allowing those in a certain group to have authorization to XO to have their accounts automatically generated, that would work too. Otherwise, I just do all the work on the IDP backend.

      TL;DR - I can set this up securely by just adding more configuration to the IDP, but I have other hosted applications that give me the simplicity of allowing automatic user generation or not, and allowing me to manually set up user accounts on the application before their first login. What I'm asking is for more flexible options.

      Security issues aside, the issue still stands that I can't put a user into a group or assign ACLs until after they have signed in for the first time. That means if I have 10 users that all sign in at 10 different times, I have to waste my time going back each time after the user has let me know they logged in and can't see anything since they don't have any permissions.

      posted in Xen Orchestra
      MrBaz
    • SAML, automatic user generation

      I set up Xen Orchestra with SAML login through Keycloak.
      It works, but the user must not already exist in XO. Remove the user, and now the user account is automatically generated in XO and can authenticate and log in. This means, literally anyone who properly authenticates will be able to log in to XO (though with no permissions). Not exactly the best practices type of thing.

      Other applications either give me the option of automatic user generation, or require the user already exist (even if just a blank user shell with the username stated) in order for the user to log in to the application.

      Is there a way to change this behavior?

      EDIT: To add more clarification to this post, the other issue that makes this troublesome is that I can't add users to a group or set up ACLs until after that person has first logged in through SAML so their user account is auto-generated. Just more administrative overhead.

      posted in Xen Orchestra
      MrBaz
    • RE: XO Backup [NOBAK] for full backups

      Running the latest Xen Orchestra. Just finished our latest weekly backup. It still backed up the 1TB disk I had labeled as [NOBAK].

      posted in Xen Orchestra
      MrBaz
    • RE: XO Backup [NOBAK] for full backups

      Has this been implemented yet?
      I've tried the [NOBAK] method, and the disk still gets cycled into the weekly VM backup.

      posted in Xen Orchestra
      MrBaz