RFC: Engelsystem as an SSO provider
In the CCCV infra meeting the idea came up to use the Engelsystem as an SSO backend for event-specific Grafana / Prometheus / Alertmanager / whatever, to not have to add users to the CCCV SSO during an event / share basic auth credentials. Useful would be the limitation to allow only some angeltypes to use the external pages / the SSO.
Some additions:
- Of course only accepted angels of an angel type shall be allowed in a role
- It's possible that a situation with two different SSO sources of truth is created, which is not really helpful
- Not a great solution: SSO chaining: CCCV SSO puts angels into a group ($Crew Core). $Crew Core and $Crew Guest Engel are allowed to use a certain service through Engelsystem SSO, implicitly creating a combination of CCCV SSO and angel type right association
For the subtitles kanboard we voiced interest in the past to obtain the angel-roles as a claim via platform SSO.
This would go in a similar direction, but instead using the engelsystem as IdP.
This would allow a few interesting additions:
- Smaller events without the hub could have some kind of authentication
- independence from hub SSO
- infra monitoring doesn't end up in a circular dependency
- platform sso is unfortunately scarcely used and usually unavailable on day 1.
> Useful would be the limitation to allow only some angeltypes to use the external pages / the SSO.
When going the OAuth/OIDC route this should be verified in the application (Grafana is in the wrong here by not implementing this).