You are viewing limited content. For full access, please sign in.

Discussion

Discussion

SAML, LFDS, and simplifying user identity management

Administration Directory Server Security
Updated November 2, 2021
posted on March 3, 2021

There really needs to be a way to migrate from LFDS to SAML authentication, and overall better integration of SAML users into Laserfiche access control. Adding SAML authentication to an existing environment is currently a major headache, but it shouldn't be. Other systems have gotten it right, and the trick is to decouple the user object from the method used to authenticate them.

Laserfiche Rio currently maintains separate user lists for LFDS, AD, LDAP, and SAML users, and there is no integration between them. This creates significant and unnecessary complication when changing authentication methods or assigning and auditing permissions. It also makes it very difficult to migrate from one authentication type to another, since every user has to be recreated in the new database, while avoiding the creation of conflicting usernames. After this, all permissions, rights and privileges must be manually replicated from the original user object to the new one. Finally at the end of this, you are have an entirely new user, which means your audit history, object ownership, document checkout status, and any other user-related history are invalidated.

Consider that, currently, Laserfiche also provides no way to report on effective access or group membership when permissions are assigned to SAML groups because SAML group membership is assigned dynamically during logon and removed after logoff.

 

These issues can be avoided.

The way to do it is to first consolidate to a single user database but allow each user object to be enabled for one or more authentication methods. For each authentication method, the user object should contain a mapping to corresponding authentication data. Effectively, "linking" a Directory user to a corresponding AD, SAML, or LFDS user.

For example, a user with the LFDS username "Simon" might be enabled for AD and LFDS authentication. Simon's account would contain an Active Directory mapping that includes his AD username MYDOMAIN\simon and whatever other AD-related data is necessary to allow him to log in with his AD credentials. His user object would also have an LFDS mapping with his LFDS username and password hash and other LFDS-specific data.

Meanwhile, username "Betty" might be enabled just for SAML, and so her user object would have only a mapping for her SAML username, bettywhite@domain.com. She would also have an LFDS username, of course, but isn't configured to authenticate with that username.

Additionally, SAML group claims that are sent as part of a SAML login should assign the user to universal directory groups, not isolated SAML-only groups that essentially disappear on logoff. SAML user objects should retain their group memberships until and unless the SAML identity provider sends a new mapping during a subsequent login.

Structuring identity management in this way would allow authentication methods for any user to be added, modified or deleted at any time without affecting the user's ability to authenticate with the remaining methods and without changing the user's file access permissions or system rights. Developers could even integrate new authentication methods in the future that admins could enable with minimal impact.

Since permissions, rights, and privileges would be tied directly to users and groups, regardless of authentication methods, permission and access reports would be simpler and more accurate.

1 0
replied on November 2, 2021

I second this idea to have less "expiration" status of SAML users because right now, we are a full SAML user environment, and we are running into issues with Forms and assigning user tasks to participant users. The user who is supposed to be assigned a task will not get assigned a task because their license status in Forms eventually expires and goes away (I think because of "Synchronized account expiration setting" in Forms). Now we have to tell the user to re-sign in to Forms so that it re-assigns a participant license (that it already has in LFDS, not sure why it doesn't keep it), then go in the process and resume the failed step.

If the user has an Educational User license in LFDS, it should keep this status in Forms, even if they are not able to be queried to identify if they are part of a group. If the last login determined that you were part of Group A and B, well you should continue to be part of group A and B until your next logon (when the Identity Provider sends the updated list of groups, if they changed). That way, the user permissions and licensing scheme will stay status quo and not cause headaches like we are running into with their expiring licenses.

0 0
replied on March 9, 2021

Hi Andrew,

Thank you for the detailed feedback. We have discussed ways to improve the experience of moving between multiple authentication methods, including combining more of the user management. There are technical reasons we started off separate, but as you note it's had some growing pains. We'll keep your feedback in mind as we continue to work on our identity providers going forward.

For now, we have some features that help bridge the gap:

- AD users can authenticate through a SAML provider using the feature proxied providers. The incoming SAML token must include AD information such as the user's AD SID and AD groups, which will be used to automatically map the user and ensure their AD groups are used for security.

- SAML groups and AD groups can be added to Laserfiche groups, then Laserfiche groups can be used throughout the system so that group-based membership.

 

As for showing SAML group membership in Laserfiche: SAML directories cannot be queried, so if Laserfiche cached grouped membership on the user level, it may become out of sync until next user login, and Laserfiche has no way to get this information in advance or update it between logins. 

It is possible to do some group-level synchronization using the SCIM protocol, which not all SAML providers support. We have not currently implemented the group aspect of SCIM since there have not been many requests that it would help with. If you are using SCIM and would want group sync, it would be helpful to know.

I'll bookmark this post and update when we have more definitive plans addressing the Laserfiche/SAML user divide.

0 0
You are not allowed to follow up in this post.

Sign in to reply to this post.

Details
Related Posts
Loading ...