OpenID Connect default group

Jakest

Member
Jan 3, 2020
8
2
23
36
Proxmox: 7.1-6
I'd like to set a default permissions group to my openid connect users. That way I can onboard users in one location and have a default restricted set of permissions in proxmox.

Has anyone had any success?
 
Hi,

That is currently not directly possible, I mean, one could use a systemd-timer/CRON script to do so periodically but that isn't exactly the same thing.

Often one can have many different user permission-classes in the same realm, which could interfere with such a functionallity.

Would you also have different permission classes used for the OIDC realm, or should that implied, or once added, group resemble just the base set of permissions everybody in this realm has?
If you could explain your use case for this a bit more in detail it could help us to see if there's another option available or what a good solution for this situation could be.
 
Ideally endgame? Would be, add user to SSO, SSO would control access to the web UI(deny user access who isn't allowed). All users who login via the SSO realm would have the same set of permissions.

That would allow me to onboard someone via SSO, and then they would be able to login to proxmox and do their thing, without another administrator having to login to each cluster and add permissions to each individual user

So definitely along the lines of 'or once added, group resemble just the base set of permissions everybody in this realm has' like you mentioned.
 
Ok, thanks for the elaboration, I get your use case and see also some value in making such things easier in Proxmox VE - but this needs a bit more thought to avoid over specializing it and having a sane integration with existing permission/user/group system, e.g., the first three options popping in my mind would be to either add such a group (list) once a new user gets added in a realm, the other would be to just imply it/them for all users, allowing to add/remove them for existing users too, the third would be to allow adding permissions to realms themselves, as those can effectively be a group of people.

I mean, for LDAP/AD we can already import groups and assigning people to them, with OIDC that's just not possible in a general way as such a thing is not part of the standard and vendors either use some custom stuff or just do not support it at all, a bit of a shame as that would be a relatively simple and already existing way to implement your use case.

If you want you can open an enhancement request over at https://bugzilla.proxmox.com/, but I'd figure that this would be a bit lower on the priority list, so do not expect to have that solved relatively soon. If you do so please also refer thos this thread for reference - thx!
 
Ok, thanks for the elaboration, I get your use case and see also some value in making such things easier in Proxmox VE - but this needs a bit more thought to avoid over specializing it and having a sane integration with existing permission/user/group system, e.g., the first three options popping in my mind would be to either add such a group (list) once a new user gets added in a realm, the other would be to just imply it/them for all users, allowing to add/remove them for existing users too, the third would be to allow adding permissions to realms themselves, as those can effectively be a group of people.

I mean, for LDAP/AD we can already import groups and assigning people to them, with OIDC that's just not possible in a general way as such a thing is not part of the standard and vendors either use some custom stuff or just do not support it at all, a bit of a shame as that would be a relatively simple and already existing way to implement your use case.

If you want you can open an enhancement request over at https://bugzilla.proxmox.com/, but I'd figure that this would be a bit lower on the priority list, so do not expect to have that solved relatively soon. If you do so please also refer thos this thread for reference - thx!
Hello Lamprecht, are there any Updates about importing role/groups or assigning (mapping groups) them to the people with the OIDC? Thank you.
 
Last edited:
Hi,
are there any Updates about importing groups and assigning (mapping groups) them to the people with the OIDC?
nothing concrete - FWICT nobody opened an enhancement request for this over at our bugzilla, albeit there's some request from December that seems to be relatively close to what you request (albeit not what the original OP requests with their add permissions to realms - which IMO isn't a bad idea)

https://bugzilla.proxmox.com/show_bug.cgi?id=4411
 
Ah funny, I just tried to set up OIDC for Proxmox and now I'm stumbling over this thread. Right now, the OIDC realm is indeed not too useful when you manage a lot of Proxmox instances, because for every user you'd need to manually configure the group memberships anyway.

@tls4's patch would be a good balance between convenience and security IMHO. Depending on which OIDC solution you're using you could just map the SSO's groups to existing Proxmox groups and then the user gets the necessary group(s) applied right upon login.
 
I am using ADFS with OIDC and importing users and groups through LDAP. In Proxmox, these are two different realms, I seem unable to connect the imported users with those logged on through ADFS. Have someone been able to do this?

We have created a claim rule in ADFS that sends sAMAccountName + Realm name (this is all in the same environment).

The reason I want this is that we have multiple departments and users who need (or should not have full admin access) different access levels.

BR GM
 
@gmbakken You're using ADFS with OIDC ? And it works at least for the basic (an AD/ADFS user can login to Proxmox through OIDC ?)
If yes can you open a new thread to explain how you've done that (there are several of us stumbling over ADFS as an OIDC provider)
If not read this other thread and see if you are in the same case
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!