
How does the email addresses option play along with specified email domain

Open weeco opened this issue 6 years ago • 7 comments

One can define allowed Google email addresses by setting either the SSO_EMAIL_DOMAIN or SSO_EMAIL_ADDRESSES environment variable. One can also set both variables and I wonder if I correctly understand how it works.

My use case:

In general I want to allow everyone with mycompany.com email addresses to log in. Additionally we've got some external partners who are not allowed to have a mycompany.com email address but should be allowed to access our backend. Hence I thought I could easily set up:

SSO_EMAIL_DOMAIN = "mycompany.com"
SSO_EMAIL_ADDRESSES = "[email protected]"

Apparently this doesn't work as expected. Can someone explain why and what the expected behaviour is if you use both variables?

weeco avatar May 25 '19 22:05 weeco

Unfortunately, these variables cannot be used together but rather expect to be used exclusively.

You could accomplish what you are looking for by exclusively using Google groups and passing a wildcard for SSO_EMAIL_DOMAIN="*". You could then specify a default Google group which includes all internal employees, which would supplement the SSO_EMAIL_DOMAIN.

Secondly, you could override each upstream for which you want to allow third-party users by specifying separate Google groups for those upstreams.

jphines avatar May 29 '19 15:05 jphines

@jphines Thank you for your response. I opted for your first suggestion and it works as intended. However, one thing to note is that it returns a 500 error on emails authenticated outside of this group. Instead I expected a regular "Authentication denied" response (which happened before when I specified the allowed email addresses).

weeco avatar Jun 18 '19 14:06 weeco

@weeco seems like a bug! I'll look into fixing it!

jphines avatar Jun 18 '19 14:06 jphines

@jphines I cannot reproduce this anymore; it might have been an edge case or configuration issue. I don't think you need to spend time on it. Thank you for the support.

I'll leave this issue open because I think it makes sense to add support for these options to be used together.

weeco avatar Jun 19 '19 09:06 weeco

I am also getting the same 500 error, cannot fetch user groups for an external user.

prestonvanloon avatar Nov 17 '19 19:11 prestonvanloon

Thinking about it more. The Google Service Account is not going to have access to non-org gmail account user group memberships, right?

prestonvanloon avatar Nov 17 '19 19:11 prestonvanloon
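The following is an added illustration, not code from the sso project, of the two authorization decisions this thread is about: the identity allow-list built from SSO_EMAIL_DOMAIN / SSO_EMAIL_ADDRESSES (including the combined "domain OR explicit address" behaviour the reporter asked for, and the wildcard-domain-plus-groups setup jphines suggested, with a per-upstream group override), and the failure mode prestonvanloon raises, where a group-membership lookup for a non-org address cannot succeed. The directory lookup, group names, upstream names and email addresses are all constructed for the example; the real project's group lookup goes through the Google Directory API and is not modelled here.

```python
# Added illustration for this thread; not code from buzzfeed/sso.
# Models (1) the identity allow-list from SSO_EMAIL_DOMAIN / SSO_EMAIL_ADDRESSES,
# (2) an optional group allow-list checked against a directory lookup, and
# (3) why a failed group lookup for an external user should become a plain
# "denied" rather than an unhandled error (the 500 discussed above).
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Tuple


class GroupLookupError(Exception):
    """Raised when the directory cannot answer a membership query."""


@dataclass(frozen=True)
class Policy:
    email_domain: str = ""                          # SSO_EMAIL_DOMAIN ("*" = any domain)
    email_addresses: FrozenSet[str] = frozenset()   # SSO_EMAIL_ADDRESSES
    allowed_groups: FrozenSet[str] = frozenset()    # groups allowed to reach an upstream


def _domain_of(email: str) -> str:
    """Return the part after the last '@', or '' if the address is malformed."""
    local, sep, domain = email.strip().lower().rpartition("@")
    return domain if sep and local else ""


def identity_allowed(email: str, policy: Policy) -> bool:
    """Combined semantics the reporter asked for: matching domain OR listed address.

    The domain is compared as a whole, never as a suffix, so
    "x@evilmycompany.com" does not satisfy SSO_EMAIL_DOMAIN="mycompany.com".
    """
    domain = _domain_of(email)
    if not domain:
        return False
    if policy.email_domain == "*" or domain == policy.email_domain.lower():
        return True
    return email.strip().lower() in {a.lower() for a in policy.email_addresses}


GroupLookup = Callable[[str], FrozenSet[str]]


def authorize(email: str, policy: Policy, lookup_groups: GroupLookup) -> Tuple[bool, str]:
    """Return (allowed, reason). A lookup failure is a denial, never an exception."""
    if not identity_allowed(email, policy):
        return False, "email not in allowed domain or address list"
    if not policy.allowed_groups:
        return True, "identity allowed; no group restriction configured"
    try:
        groups = lookup_groups(email)
    except GroupLookupError as exc:
        # Fail closed: an unanswerable membership query means "not a member".
        return False, f"group lookup failed, denying: {exc}"
    if groups & policy.allowed_groups:
        return True, "member of an allowed group"
    return False, "not a member of any allowed group"


# jphines' suggestion: wildcard domain, a default group for employees, and a
# per-upstream override that admits an additional group. Names are constructed.
DEFAULT_POLICY = Policy(email_domain="*",
                        allowed_groups=frozenset({"employees@mycompany.com"}))
UPSTREAM_OVERRIDES: Dict[str, Policy] = {
    "contractor-portal": Policy(email_domain="*",
                                allowed_groups=frozenset({"employees@mycompany.com",
                                                          "contractors@mycompany.com"})),
}


def policy_for(upstream: str) -> Policy:
    return UPSTREAM_OVERRIDES.get(upstream, DEFAULT_POLICY)


# Constructed stand-in for the directory: the service account can only answer
# membership queries for addresses inside its own organisation (mycompany.com),
# which is the situation prestonvanloon describes for external Gmail users.
_DIRECTORY: Dict[str, FrozenSet[str]] = {
    "alice@mycompany.com": frozenset({"employees@mycompany.com"}),
    "dave@mycompany.com": frozenset({"contractors@mycompany.com"}),
}


def fake_lookup(email: str) -> FrozenSet[str]:
    if _domain_of(email) != "mycompany.com":
        raise GroupLookupError("service account cannot read groups for a non-org user")
    return _DIRECTORY.get(email.strip().lower(), frozenset())


if __name__ == "__main__":
    for upstream, user in [("api", "alice@mycompany.com"), ("api", "dave@mycompany.com"),
                           ("contractor-portal", "dave@mycompany.com"),
                           ("api", "bob@partner.example")]:
        print(upstream, user, authorize(user, policy_for(upstream), fake_lookup))
```

The point of the `except GroupLookupError` branch is the one weeco and prestonvanloon hit: when the group check is the only thing standing between a wildcard domain and the upstream, an error from the directory must be turned into a denial, otherwise an external user sees a 500 instead of "Authentication denied", and the proxy's behaviour for that user depends on whether the lookup happened to succeed.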

OK the 500 error eventually resolved itself as well...

prestonvanloon avatar Nov 17 '19 19:11 prestonvanloon