Created JIT addon for OneLogin GRC #64
In OneLogin, a successful response for the API call that adds the user to a role does not mean that the assignment is active. An extra check needs to be added.
Default retry interval is 5s; there is no timeout.
pictures added
adding pictures
adding pictures
| "Author": "Viktor Varga (One Identity)", | ||
| "Description": "This Solution Accelerator connector implements activation of OneLogin Accounts and Role elevation. It is to be used in a PIAM/PIdP use-case where a OneLogin Generic REST Connector manages Assets, Accounts, and Entitlements in Safeguard." | ||
| }, | ||
| "CheckSystem": { |
Ultimately, every HTTP based platform should support the use of a proxy. See the following for more information and examples:
https://github.com/OneIdentity/SafeguardCustomPlatform/wiki/Request
https://github.com/OneIdentity/SafeguardCustomPlatform/pull/58/changes
https://github.com/OneIdentity/SafeguardCustomPlatform/pull/57/changes
| "Status": { | ||
| "Type": "Connecting", | ||
| "Percent": 10, | ||
| "Message": { | ||
| "Name": "AssetConnecting", | ||
| "Parameters": [ "%{Address}%" ] |
Your formatting is a bit off here, if you look at the file in a plain text editor, you'll see you have a mix of tabs and spaces. Everything should be spaces.
| "Request": { | ||
| "RequestObjectName": "SystemRequest", | ||
| "ResponseObjectName": "SystemResponse", | ||
| "Verb": "POST", | ||
| "Url": "auth/oauth2/revoke", | ||
| "IgnoreServerCertAuthentication": "%SkipServerCertValidation%", | ||
| "Content": { | ||
| "ContentType": "application/json", | ||
| "ContentObjectName": "Content" | ||
| } | ||
| } |
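Review bot: this Request block marks nothing as secret, although, as the ApiAuth function shows, the revoke call sends the credentials and access token again; add "IsSecret": true next to "IgnoreServerCertAuthentication": "%SkipServerCertValidation%" so the revoke request is treated the same way as the authentication request.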
Do you need the "IsSecret": true here too, since you're technically including the credentials and access token again, same as your ApiAuth function.
| "Function": { | ||
| "Name": "Disconnect", | ||
| "Parameters": [ | ||
| "%Address%", | ||
| "%FuncUsername%", | ||
| "%FuncPassword%", | ||
| "%{AccessToken}%", | ||
| "%{SkipServerCertValidation}%", | ||
| "%{UseSsl}%" | ||
| ], | ||
| "ResultVariable": "Disconnected" |
Technically, you'd want to call your Disconnect regardless of the outcome of the AssignRoles.
We do have a concept of a finally block, that could be used to help simplify the logic:
https://github.com/OneIdentity/SafeguardCustomPlatform/wiki/Try
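The two points raised in this conversation, the extra activation check after a successful add-to-role call (commit message at the top: 5s retry interval, no timeout) and running Disconnect in a finally block (comment above), shown together as an added example in plain Python. This is not code from the PR or from the SafeguardCustomPlatform project; the OneLogin API is replaced by a constructed in-memory stand-in, and its method names, the user and role ids, and the max_attempts bound are assumptions.

```python
"""Added example, not code from this PR or the SafeguardCustomPlatform project.

It models in plain Python two points made in the conversation:
  1. a 2xx from "add user to role" is not proof the membership is active, so the
     caller re-reads the user's roles until the role shows up (default interval
     5s, as in the PR) and, unlike the PR, gives up after a bounded number of
     attempts instead of waiting forever;
  2. the Disconnect/revoke step runs in a finally block, so the token is revoked
     whether or not the elevation succeeded.
The OneLogin API is replaced by a constructed in-memory stand-in so this runs
offline; its method names are assumptions, not the real REST endpoints.
"""
import time


class FakeOneLogin:
    """Constructed stand-in: an assignment only shows up in the user's role list
    after `activates_after_reads` reads, mimicking the delayed activation."""

    def __init__(self, activates_after_reads):
        self.activates_after = activates_after_reads
        self.pending = {}        # (user_id, role_id) -> number of reads so far
        self.live_tokens = set()
        self.revoked = []        # tokens passed to revoke(), in order
        self._issued = 0

    def get_token(self):
        self._issued += 1
        tok = f"tok-{self._issued}"
        self.live_tokens.add(tok)
        return tok

    def revoke(self, tok):
        self.live_tokens.discard(tok)
        self.revoked.append(tok)

    def add_user_to_role(self, tok, user_id, role_id):
        self._require(tok)
        self.pending[(user_id, role_id)] = 0
        return 200               # success status, but membership not yet active

    def get_user_roles(self, tok, user_id):
        self._require(tok)
        active = []
        for (uid, rid), reads in list(self.pending.items()):
            if uid != user_id:
                continue
            self.pending[(uid, rid)] = reads + 1
            if reads + 1 >= self.activates_after:
                active.append(rid)
        return active

    def _require(self, tok):
        if tok not in self.live_tokens:
            raise PermissionError("token is not valid (never issued or already revoked)")


def wait_until_role_active(api, tok, user_id, role_id, *,
                           interval=5.0, max_attempts=12, sleep=time.sleep):
    """Re-read the user's roles until role_id is listed.

    interval=5.0 is the PR's default retry interval; max_attempts is the bound
    the PR does not have (assumed value). Returns the attempt number on which
    the role was seen; raises TimeoutError after max_attempts misses."""
    for attempt in range(1, max_attempts + 1):
        if role_id in api.get_user_roles(tok, user_id):
            return attempt
        sleep(interval)
    raise TimeoutError(
        f"role {role_id} not active for user {user_id} after "
        f"{max_attempts} checks ({max_attempts * interval:.0f}s)")


def elevate(api, user_id, role_id, *, sleep=time.sleep):
    """Authenticate, assign the role, confirm it is active, and always revoke
    the token afterwards (the finally block is the point of the example)."""
    tok = api.get_token()
    try:
        status = api.add_user_to_role(tok, user_id, role_id)
        if status != 200:
            raise RuntimeError(f"role assignment returned HTTP {status}")
        return wait_until_role_active(api, tok, user_id, role_id, sleep=sleep)
    finally:
        api.revoke(tok)          # runs on success, on TimeoutError, and on any other error


if __name__ == "__main__":
    def no_sleep(seconds):       # keep the demo instant
        pass

    api = FakeOneLogin(activates_after_reads=3)
    print("active after", elevate(api, "user-1", "role-admin", sleep=no_sleep), "checks")
    slow = FakeOneLogin(activates_after_reads=100)
    try:
        elevate(slow, "user-2", "role-admin", sleep=no_sleep)
    except TimeoutError as exc:
        print("gave up:", exc)
    print("tokens revoked:", api.revoked + slow.revoked)
```

The `sleep` parameter exists so the wait loop can be exercised without real delays; in a connector the equivalent of `max_attempts * interval` is the total time an elevation request may block before it is reported as failed rather than left hanging.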
| "Condition": { | ||
| "If": "!AccessTokenResult", | ||
| "Then": { | ||
| "Do": [ | ||
| { | ||
| "Throw": { | ||
| "Value": "[Error] Authentication failed" | ||
| } | ||
| } | ||
| ] | ||
| } | ||
| } |
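Review bot: the "Throw" here reports only "[Error] Authentication failed" and is repeated in every function that calls ApiAuth; move the check into ApiAuth so it fails in one place, and include whatever failure detail ApiAuth has at hand in the thrown value so a bad connect can be diagnosed from the log.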
I think you could get rid of all of these and just throw the error from within the ApiAuth function itself, and not have to repeat this in each calling method.
| }, { | ||
| "ForEach": { | ||
| "CollectionName": "PrivilegeGroupMembership", | ||
| "ElementName": "role", |
Do you know if, similar to what is done in the AssignRoles function, the user has to be "active" in order to assign or unassign them from a role? In other words, will the OneLogin API throw an error if the user is inactive? Or is that check in the AssignRoles function just a self-imposed restriction?
Assigning roles to inactive users in OneLogin is possible. However, in case a OneLogin role subsequently triggered the provisioning of the inactive OneLogin user into the final target system that was causing problems inside OneLogin.
Kevin-Andrew left a comment
Approved for demo and testing purposes now.
This new HTTP script implements Enable/Disable and Elevate/Demote for OneLogin accounts. It should be used alongside other Asset/Accounts managing the actual password, either an Other Asset managed by OneLogin GRC, or alternatively the Starling Connect based OneLogin Asset, or an AD Asset (where OneLogin synchronizes Account information from AD).
There is also a .ps1 script which can be used for testing CustomPlatform connectors.