-
Notifications
You must be signed in to change notification settings - Fork 186
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
sso-authentication errors when using allowed_groups #230
Comments
We are seeing the exact issue in our setup. We verified the configuration a couple of times (enabled organization-wide delegation etc.) but couldn't figure out why it's not working. The UI shows a screen with status Any idea how to proceed with this issue (we tried setting log level to |
Hi @namm2 (and @svenmueller!). Thanks for sending this through, and apologies for not getting back to you yet. I'll be taking some time next week to properly work through this and get back to you. Thank you both for your patience! |
Hi @namm2, Would you mind confirming that the email address set in the I believe you can find that information through the following steps: |
@Jusshersmith Thx for coming back to us. I just check the user and in our case the used GMail account has no roles or specific permissions applied. If that is required, which exact role/permission is expected? |
@svenmueller I'm sorry for the trouble. This is a quirk of the Google Admin API and a bit tricky to get right / explain. For some subsets of the Google Admin API (including the ones we require), Google requires that service accounts act on behalf of another user. https://stackoverflow.com/questions/48585700/is-it-possible-to-call-apis-from-service-account-without-acting-on-behalf-of-a-u/48601364#48601364 The account you are impersonating must have Admin API Access. See https://support.google.com/a/answer/60757. You can either create or choose an existing administrative email address to supply for the impersonate field for sso. As far as I know, this is the only way to enable this access and its akin to jumping through 🔥 hoops. |
I spent a long time fighting various issues like this today; after getting the account permissions correct we ran into: We're using the minddoc helm chart and the primary issue was the values.yaml:
|
@rlabrecque that option was introduced since #253 I believe it fixed this issue |
Describe the bug
So I'm having the following errors when use
allowed_groups
options:SSO configs:
And I already double checked the Oauth scopes mentioned in the docs, and
[email protected]
is the first level group (not the nested one). Any ideas?To Reproduce
allowed_groups
blockExpected behavior
Only members of the group
[email protected]
has access to the backend.Additional context
Additional SSO configs:
The text was updated successfully, but these errors were encountered: