SSO Group Sync
vCluster.Pro can be configured to authenticate users via Single Sign-On (SSO). This lets users who have a valid account on some other service (e.g. GitHub) authenticate and log into vCluster.Pro via that service. Administrators then no longer need to manage individual users, but they still need a mechanism to ensure that these users have appropriate permissions applied. That is where SSO groups come into play.
Most, if not all, SSO providers allow administrators of that service to configure the data that is shared with platforms authenticating against the provider. Perhaps the most important piece of this shared data is the list of groups of which the authenticating user is a member. Upon authentication via SSO in vCluster.Pro, this group data is inspected, and the user is automatically joined to any Teams that include any of the provided group names in the SSO Groups as Members field.
Any SSO group names that are not set in any Team's SSO Groups as Members field will be dynamically created as a new Team, with the group name automatically set in the SSO Groups as Members field.
This group behavior allows administrators to create Teams in vCluster.Pro that correspond to teams (groups) in the SSO identity provider, set the appropriate policy for those Teams in vCluster.Pro, and have users automatically assigned to the appropriate Team, and thus the appropriate privileges, upon logging in via SSO.
Creating a Team With SSO Group Membership
- Select the Users field on the left menu bar.
- Click the Teams button on the User Management screen.
- Click the button.
- In the drawer that appears from the right, give your new team a name by replacing the 'my-team' placeholder name, or by updating the manifest YAML 'metadata.name' field.
- In the Team Members tab enter any desired groups into the SSO Groups as Members field. You can add as many groups as you would like here. These group names must exactly match the group name that the SSO provider shares with vCluster.Pro during SSO authentication!
- Make any additional desired modifications to your new Team.
- Click on the button.
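The sync behavior described above, together with the exact-match requirement for the SSO Groups as Members field, can be modeled as follows. This is an added example, not vCluster.Pro code: the team and group names are constructed, the function name `sync_groups` is hypothetical, and "exact match" is assumed to mean case-sensitive string equality.

```python
# Added illustration of the group sync described on this page; not vCluster.Pro code.
# Team names and group names below are constructed sample data.

def sync_groups(teams, user_groups):
    """Model one SSO login.

    teams: {team name: set of values in its 'SSO Groups as Members' field}
    user_groups: group names the SSO provider shares for the user
    Returns (joined_teams, auto_created_teams, near_misses).
    """
    joined, auto_created, near_misses = [], [], []
    for group in user_groups:
        # Assumption: "exactly match" means plain, case-sensitive string equality.
        matches = sorted(t for t, members in teams.items() if group in members)
        if matches:
            joined.extend(t for t in matches if t not in joined)
            continue
        # No Team lists this group, so a new Team is created for it.
        auto_created.append(group)
        # Hypothetical audit check: a configured name that differs only by case
        # or surrounding whitespace suggests a typo rather than a new group.
        for team, members in teams.items():
            for configured in members:
                if configured.strip().lower() == group.strip().lower():
                    near_misses.append((group, configured, team))
    return joined, auto_created, sorted(near_misses)


# Constructed sample data
TEAMS = {
    "platform-admins": {"acme:platform"},
    "developers": {"acme:dev", "acme:Contractors"},
}
USER_GROUPS = ["acme:dev", "acme:contractors", "acme:interns"]

if __name__ == "__main__":
    joined, created, misses = sync_groups(TEAMS, USER_GROUPS)
    print("joined:", joined)
    print("auto-created Teams:", created)
    for got, want, team in misses:
        print(f"check spelling: IdP sent {got!r}, Team {team!r} lists {want!r}")
```

Running a check like this against the group names your identity provider actually sends shows which logins would land in an auto-created Team, with whatever default permissions that Team has, instead of the Team whose policy you configured.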