Short-lived certificates:Unix usernames and SSO identities

Hi there!

Is there any way around ensuring that UNIX usernames match the SSO identities as specified in the documentation? This doesn’t really work for me…

Kind regards.

Maybe someone else would know but I don’t think so. It definitely would be useful if we could use custom user attributes to specify which user they should log into in the target infrastructure.

If you need a short-term solution, on the target linux machine you could simply useradd new users with usernames of your email addresses, then give them sudo access to the real user so, when they log in, they just have to run sudo -u REAL_USER -i to get to their main user login shell. See https://serverfault.com/a/17827/408253

I think @michael and @matteo struggled with this as well.

Unfortunately there is no solution to that. The alternative here would be to not use the short-lived certificates. There you can choose the username, but with SSO they need to authenticate in some way the user for the certificate.

1 Like

I guess that’s a workaround, but not something I feel like doing. Thanks.

That’s unfortunate. I really wanted to use this in the most seamless way possible, which is SSO login, and not having to worry about inputting extra passwords or public keys. I guess it’s not currently possible.

Thank you everyone for your input.

1 Like

It will never be, they need a username to authenticate to… they could probably do user mappings, but it’s a lot more complex than it would be useful for.

Granted I don’t know how everything is built-in, how hard can it be to have a UI to map different UNIX usernames to specific SSO logins?

Of course, this would only work for very specific use cases, probably individual use cases, and not for large teams where everyone requests a different mapping. Other than that, it shouldn’t be that hard.

Not very hard, but it involves separate UIs and separate calls for this. Plus people will then want to allow based on the UNIX username and it’s not really their priority. Good feedback and feature suggestion.

I guess I could go with @Judge’s suggestion, and add a shell script to automatically switch from user A to user B without asking for passwords. It’s a bit of a workaround, but there’s no better way to automate this right now.

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.