by andygrunwald on 1/5/18, 3:16 PM with 18 comments
Often the usage of a private account (e.g. in Github) makes sense to keep history, resume and so on. Even Google is doing this. See https://opensource.google.com/docs/github/#accounts The issue here: you are not able to get a mapping to the employee because their username, email or avatar can be quite weird/different.
The big issue appears when the employee is leaving the company. That is the main reason for this Ask HN.
I "dream" of a kind of engineers' self-service center. A web UI that has several "plugins". Each plugin is related to one service (Github, Dockerhub, GA for the techblog and so on). Every person who wants to see the analytics of the techblog requests access via this web UI. In the background a mapping between their Google account and the company email / employee identifier is maintained. And the user is connected to your GA account via an API call to Google. This could be done with various services. In the background a cronjob is running and asking the LDAP / Active Directory if this user is still active (I assume that when an employee is leaving, the AD account is disabled/deleted). If the user is not active anymore, access on all services will be revoked automatically.
I think that this problem is faced by many companies. Maybe this is a free startup idea.
How do you deal with this in your company? Or what solution do you use / suggest / refer to? Or is there already an open source version of my dream service center? Or any reason why this is a dumb idea and you have a better alternative in mind?
by caseysoftware on 1/5/18, 5:26 PM
For example, when I left [then startup, now publicly traded] in Nov 2013, it took them 15+ months until they turned off my Github access... in the meantime, I had access to all the private repositories. (Yes, I notified them multiple times.)
SAML is pretty widely supported but yes, it's a pain. SCIM[0] is a less painful approach for the provisioning side and maps to the API mindset better. Unfortunately, it hasn't seen mass adoption so far but I think we'll get there as more people understand it and/or realize that companies will pay for it. But you'll still need SAML or OIDC for the SSO piece.
I do think there's a business need for this which is why I joined Okta in 2016, which does exactly this. I'll refrain from a sales pitch but you can explore it on your own[1].
0 - https://en.wikipedia.org/wiki/System_for_Cross-domain_Identi...
1 - https://developer.okta.com/signup/
edit: clarified SAML vs SCIM
by kevlened on 1/5/18, 5:39 PM
1. Single-Sign On (SSO) - Log in once for access to many services. SaaS with SAML and OpenID Connect support are ideal in this space, but services without support can be used with a browser plugin
2. User/Lifecycle Mgmt - CRUD operations for users. SCIM support is ideal in this space, but many companies offer services beyond simple CRUD using bespoke APIs. Without support for either, it's very difficult to integrate a service. The bespoke APIs mean that you'll see varying depths of integration across services. For example, one service may allow you to control whether a user is in a group in Dropbox, while another won't.
There are several companies in this space (known as IDaaS), so I'll leave the Googling to you. Of those, some do User Mgmt. I'm not aware of any companies that do User Mgmt without SSO.
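The following is an added example (not code from the thread or from any product mentioned in it) that implements the reconciliation loop the original poster sketches (a periodic job comparing a directory snapshot against the employee-to-external-account mapping and revoking stale access) together with the SCIM lifecycle-management side kevlened describes. The directory snapshot, the mapping and the SCIM client are all constructed stand-ins; the only real wire format here is the SCIM 2.0 PatchOp body that sets `active` to false. It assumes every target service speaks SCIM, which, as the thread points out, many do not.

```python
import json
from typing import Dict, Set, Tuple

# Constructed snapshot of the corporate directory (stands in for an LDAP/AD query).
DIRECTORY = {
    "alice@example.com": {"active": True},
    "bob@example.com": {"active": False},   # account disabled: bob has left
    "carol@example.com": {"active": True},
}

# Constructed mapping employee -> external accounts, the data the OP's
# "self service center" would maintain when someone requests access.
MAPPINGS = {
    "alice@example.com": {"github": "alice-dev", "dockerhub": "alice"},
    "bob@example.com": {"github": "bobbyb", "dockerhub": "bob_builds",
                        "ga": "bob.private@gmail.com"},
    "dave@example.com": {"github": "dave-k"},   # no directory entry at all
}


def scim_deactivate_payload() -> dict:
    """SCIM 2.0 PatchOp (RFC 7644 section 3.5.2) that sets active=false."""
    return {
        "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
        "Operations": [{"op": "replace", "path": "active", "value": False}],
    }


class FakeScimClient:
    """Hypothetical stand-in for a SCIM server: records every PATCH and can be
    told to fail for specific (service, username) pairs to exercise error handling."""

    def __init__(self, failing: Set[Tuple[str, str]] = frozenset()):
        self.failing = set(failing)
        self.calls = []

    def patch_user(self, service: str, username: str, body: dict) -> dict:
        self.calls.append((service, username, json.dumps(body)))
        if (service, username) in self.failing:
            raise ConnectionError(f"{service}: PATCH for {username} failed")
        return {"id": username, "active": body["Operations"][0]["value"]}


def find_stale(directory: dict, mappings: dict) -> Dict[str, Dict[str, str]]:
    """External accounts whose employee is disabled in, or missing from, the directory.
    A missing entry is treated like a disabled one: absence of proof is not proof of access."""
    stale = {}
    for employee, accounts in mappings.items():
        entry = directory.get(employee)
        if entry is None or not entry.get("active", False):
            stale[employee] = accounts
    return stale


def revoke(stale: Dict[str, Dict[str, str]], client: FakeScimClient) -> dict:
    """Deactivate each stale account and report per-account outcome, so a
    failed revocation is visible to an operator instead of silently skipped."""
    report = {"revoked": [], "failed": []}
    for employee, accounts in stale.items():
        for service, username in accounts.items():
            try:
                client.patch_user(service, username, scim_deactivate_payload())
                report["revoked"].append((employee, service, username))
            except Exception as exc:  # keep going; one broken integration must not block the rest
                report["failed"].append((employee, service, username, str(exc)))
    return report


if __name__ == "__main__":
    # One run of the cron job against the constructed data; the GA call is forced to fail.
    client = FakeScimClient(failing={("ga", "bob.private@gmail.com")})
    print(json.dumps(revoke(find_stale(DIRECTORY, MAPPINGS), client), indent=2))
```

The report is the important output: a job like this has to surface "failed" entries (to a ticket, an alert, or at least a log that someone reads) because an offboarding automation that fails quietly is worse than a manual checklist.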
by Xaena on 1/5/18, 4:42 PM
Problem 1: Not every SaaS platform has a company with an API to manage user accounts. Even then, I would be skeptical of a company that offered it and didn't offer it via OAuth tokens.
Problem 2: Automating the task within the browser also fails when it comes to uniformity. Any company that lacks an API endpoint for user management means you need to interact with a browser or some other hacky nonsense. With that solution comes the problem of understanding the site structure, login forms, and action menus.
Problem 3: Even if you did the above 2, you now have additional points of failure within your offboarding. If a failure occurs in the automation process, is it silent? What if the API changes (not that it should) or the UI?
The best solution is to look for companies that offer the API option or that support SAML.
by zytek on 1/5/18, 11:28 PM
Clarification: it wasn't that person's only responsibility, just one of many assignments to help automate Ops in the company.
by san_at_weblegit on 1/5/18, 5:17 PM
A second common issue is the ability to change email addresses in AD; this breaks the mapping because most of the time email is the primary identifier.
by beejiu on 1/5/18, 4:39 PM
I do not see how introducing yet another standard solves the problem. SAML and similar standards already solve this problem; it is just that many SaaS do not support SAML.
by j45 on 1/5/18, 6:21 PM
by wrs on 1/5/18, 4:52 PM