Created JIT addon for OneLogin GRC#64
Conversation
In OneLogin, a successful response for the API call of adding the user into a role does not mean that the assignment is active. Extra check needs to be added
Default retry interval is 5s, there is no timeout
pcitures added
adding pictures
adding pitcures
| "Author": "Viktor Varga (One Identity)", | ||
| "Description": "This Solution Accelerator connector implements activation of OneLogin Accounts and Role elevation. It is to be used in a PIAM/PIdP use-case where a OneLogin Generic REST Connector manages Assets, Accounts, and Entitlements in Safeguard." | ||
| }, | ||
| "CheckSystem": { |
There was a problem hiding this comment.
Ultimately, every HTTP based platform should support the use of a proxy. See the following for more information and examples:
https://github.com/OneIdentity/SafeguardCustomPlatform/wiki/Request
https://github.com/OneIdentity/SafeguardCustomPlatform/pull/58/changes
https://github.com/OneIdentity/SafeguardCustomPlatform/pull/57/changes
| "SkipServerCertValidation": { | ||
| "Type": "boolean", | ||
| "Required": false, | ||
| "DefaultValue": true |
There was a problem hiding this comment.
I think the default value for this should be false. We want to be "secure by default", and using SSL, but ignoring any errors, isn't what we'd want in a production environment.
| "SkipServerCertValidation": { | ||
| "Type": "boolean", | ||
| "Required": false, | ||
| "DefaultValue": true |
There was a problem hiding this comment.
Similar here, I think the default should be false.
| "Else": { | ||
| "Do": [ | ||
| { | ||
| "BaseAddress": { | ||
| "Address": "http://%Address%" | ||
| } | ||
| } |
There was a problem hiding this comment.
Is there ever the possibility of not using SSL and just plain http? I can't imagine that is something that OneLogin offers, to be able to access their site and API over plain HTTP.
It is totally fine to have a platform that only ever uses SSL and is hard coded to always use SSL. Then you're only parameter is the option to ignore SSL errors. For which again, if this is only ever hitting onelogin.com, I would say you could get rid of that too, because there should never be a use case to ignore it, since it's a public site and should always have valid, trusted SSL.
Those parameters were really intended for testing and just some kind of self-hosted service, where you may be using your own PKI or something. So you could get rid of those parameters on all methods and this, and simplify some.
| "Status": { | ||
| "Type": "Connecting", | ||
| "Percent": 10, | ||
| "Message": { | ||
| "Name": "AssetConnecting", | ||
| "Parameters": [ "%{Address}%" ] |
There was a problem hiding this comment.
Your formatting is a bit off here, if you look at the file in a plain text editor, you'll see you have a mix of tabs and spaces. Everything should be spaces.
| "Request": { | ||
| "RequestObjectName": "SystemRequest", | ||
| "ResponseObjectName": "SystemResponse", | ||
| "Verb": "POST", | ||
| "Url": "auth/oauth2/revoke", | ||
| "IgnoreServerCertAuthentication": "%SkipServerCertValidation%", | ||
| "Content": { | ||
| "ContentType": "application/json", | ||
| "ContentObjectName": "Content" | ||
| } | ||
| } |
There was a problem hiding this comment.
Do you need the "IsSecret": true here too, since you're technically including the credentials and access token again, same as your ApiAuth function.
| "Function": { | ||
| "Name": "Disconnect", | ||
| "Parameters": [ | ||
| "%Address%", | ||
| "%FuncUsername%", | ||
| "%FuncPassword%", | ||
| "%{AccessToken}%", | ||
| "%{SkipServerCertValidation}%", | ||
| "%{UseSsl}%" | ||
| ], | ||
| "ResultVariable": "Disconnected" |
There was a problem hiding this comment.
Technically, you'd want to call your Disconnect regardless of the outcome of the AssignRoles.
We do have a concept of a finally block, that could be used to help simplify the logic:
https://github.com/OneIdentity/SafeguardCustomPlatform/wiki/Try
| "Condition": { | ||
| "If": "!AccessTokenResult", | ||
| "Then": { | ||
| "Do": [ | ||
| { | ||
| "Throw": { | ||
| "Value": "[Error] Authentication failed" | ||
| } | ||
| } | ||
| ] | ||
| } | ||
| } |
There was a problem hiding this comment.
I think you could get rid of all of these and just throw the error from within the ApiAuth function itself, and not have to repeat this in each calling method.
2 participants
This new HTTP scripts implements Enable/Disable and Elevate/Demote OneLogin accounts. It should be used alongside other Asset/Accounts managins the actual password, either being an Other Asset managed by OneLogin GRC, or alternatively the Starling Connect based OneLogin Asset, or an AD Asset (where OneLogin synchronizes Account information from AD) .
There is also a .ps1 script which can be used for testing CustomPlatform connectors.