OpenID Connect default group
- Thread starter Jakest
- Start date
Hi,
That is currently not directly possible, I mean, one could use a systemd-timer/CRON script to do so periodically but that isn't exactly the same thing.
Often one can have many different user permission-classes in the same realm, which could interfere with such a functionallity.
Would you also have different permission classes used for the OIDC realm, or should that implied, or once added, group resemble just the base set of permissions everybody in this realm has?
If you could explain your use case for this a bit more in detail it could help us to see if there's another option available or what a good solution for this situation could be.
That is currently not directly possible, I mean, one could use a systemd-timer/CRON script to do so periodically but that isn't exactly the same thing.
Often one can have many different user permission-classes in the same realm, which could interfere with such a functionallity.
Would you also have different permission classes used for the OIDC realm, or should that implied, or once added, group resemble just the base set of permissions everybody in this realm has?
If you could explain your use case for this a bit more in detail it could help us to see if there's another option available or what a good solution for this situation could be.
Ideally endgame? Would be, add user to SSO, SSO would control access to the web UI(deny user access who isn't allowed). All users who login via the SSO realm would have the same set of permissions.
That would allow me to onboard someone via SSO, and then they would be able to login to proxmox and do their thing, without another administrator having to login to each cluster and add permissions to each individual user
So definitely along the lines of 'or once added, group resemble just the base set of permissions everybody in this realm has' like you mentioned.
That would allow me to onboard someone via SSO, and then they would be able to login to proxmox and do their thing, without another administrator having to login to each cluster and add permissions to each individual user
So definitely along the lines of 'or once added, group resemble just the base set of permissions everybody in this realm has' like you mentioned.
Ok, thanks for the elaboration, I get your use case and see also some value in making such things easier in Proxmox VE - but this needs a bit more thought to avoid over specializing it and having a sane integration with existing permission/user/group system, e.g., the first three options popping in my mind would be to either add such a group (list) once a new user gets added in a realm, the other would be to just imply it/them for all users, allowing to add/remove them for existing users too, the third would be to allow adding permissions to realms themselves, as those can effectively be a group of people.
I mean, for LDAP/AD we can already import groups and assigning people to them, with OIDC that's just not possible in a general way as such a thing is not part of the standard and vendors either use some custom stuff or just do not support it at all, a bit of a shame as that would be a relatively simple and already existing way to implement your use case.
If you want you can open an enhancement request over at https://bugzilla.proxmox.com/, but I'd figure that this would be a bit lower on the priority list, so do not expect to have that solved relatively soon. If you do so please also refer thos this thread for reference - thx!
I mean, for LDAP/AD we can already import groups and assigning people to them, with OIDC that's just not possible in a general way as such a thing is not part of the standard and vendors either use some custom stuff or just do not support it at all, a bit of a shame as that would be a relatively simple and already existing way to implement your use case.
If you want you can open an enhancement request over at https://bugzilla.proxmox.com/, but I'd figure that this would be a bit lower on the priority list, so do not expect to have that solved relatively soon. If you do so please also refer thos this thread for reference - thx!
Hello Lamprecht, are there any Updates about importing role/groups or assigning (mapping groups) them to the people with the OIDC? Thank you.
Last edited:
Hi,
https://bugzilla.proxmox.com/show_bug.cgi?id=4411
nothing concrete - FWICT nobody opened an enhancement request for this over at our bugzilla, albeit there's some request from December that seems to be relatively close to what you request (albeit not what the original OP requests with their add permissions to realms - which IMO isn't a bad idea)
https://bugzilla.proxmox.com/show_bug.cgi?id=4411
Hi Lamprecht, I submitted a patch [1] that implements groups sync with OIDC a couple months ago, but there's been no response on it yet. If applied, it would solve the issue in this thread with the current access control implementation (users/groups/permissions).
[1]: https://lore.proxmox.com/pve-devel/20240901165512.687801-1-thomas@atskinner.net/
[1]: https://lore.proxmox.com/pve-devel/20240901165512.687801-1-thomas@atskinner.net/
Ah funny, I just tried to set up OIDC for Proxmox and now I'm stumbling over this thread. Right now, the OIDC realm is indeed not too useful when you manage a lot of Proxmox instances, because for every user you'd need to manually configure the group memberships anyway.
@tls4's patch would be a good balance between convenience and security IMHO. Depending on which OIDC solution you're using you could just map the SSO's groups to existing Proxmox groups and then the user gets the necessary group(s) applied right upon login.
@tls4's patch would be a good balance between convenience and security IMHO. Depending on which OIDC solution you're using you could just map the SSO's groups to existing Proxmox groups and then the user gets the necessary group(s) applied right upon login.
Thanks for the reminder, we'll take a closer look at your patch.
I am using ADFS with OIDC and importing users and groups through LDAP. In Proxmox, these are two different realms, I seem unable to connect the imported users with those logged on through ADFS. Have someone been able to do this?
We have created a claim rule in ADFS that sends sAMAccountName + Realm name (this is all in the same environment).
The reason I want this is that we have multiple departments and users who need (or should not have full admin access) different access levels.
BR GM
We have created a claim rule in ADFS that sends sAMAccountName + Realm name (this is all in the same environment).
The reason I want this is that we have multiple departments and users who need (or should not have full admin access) different access levels.
BR GM
@gmbakken You're using ADFS with OIDC ? And it works at least for the basic (an AD/ADFS user can login to Proxmox through OIDC ?)
If yes can you open a new thread to explain how you've done that (there are several of us stumbling over ADFS as an OIDC provider)
If not read this other thread and see if you are in the same case
If yes can you open a new thread to explain how you've done that (there are several of us stumbling over ADFS as an OIDC provider)
If not read this other thread and see if you are in the same case
Sorry for the late response. We have just enrolled an edge site in Proxmox. I have only configured the Proxmox side for OIDC; we have a separate department that configured ADFS on the Windows server. I can ask the person who configured it over Christmas (he is OOF) if he did something special on the ADFS side (we had some issues but he said "2 sec" and then it worked).
Although now that we are running some production load on Proxmox it would be cool to have the realms work simultaneously. Now I must remove the LDAP config after sync to get ADFS to work. I may need to create a support ticket as we just got our licenses.
No problem, thanks for the reply.
I'm interested to know precisely how your collegue twiked ADFS to work
I'm interested to know precisely how your collegue twiked ADFS to work
