SSO Permissions Mapping


Last updated 2 months ago


This feature requires Quilt Platform version 1.54.0 or higher

Overview

This feature allows a Quilt admin to configure which roles, and which admin flag value, are assigned to a user who logs in via SSO, based on the claims in the user's ID token.

The configuration can be set with quilt3.admin.sso_config.set() or with the admin UI.

Note: Roles referenced by the configuration can't be removed or renamed.

Note: The user who sets the configuration will never have their admin flag revoked.

Note: After the configuration is set, any user who logs in via SSO can no longer be manually assigned roles or admin permissions.

Configuration

Warning: In your schemas, be sure to list every claim you want to check under required; otherwise the schema will match any ID token, even one in which those claims are missing, because JSON Schema only validates a property when it is present.

Example

version: "1.0"
default_role: ReadQuiltBucket
mappings:
  - schema:
      type: object
      properties:
        email:
          const: admin@example.com
      required:
        - email
    roles:
      - ReadWriteQuiltBucket
    admin: true
  - schema:
      type: object
      properties:
        groups:
          type: array
          contains:
            const: rw
      required:
        - groups
    roles:
      - ReadWriteQuiltBucket

  1. A user with the email admin@example.com will have the ReadWriteQuiltBucket role and the admin flag set to true.

  2. A user with the group rw will have the ReadWriteQuiltBucket role and the admin flag set to false (except the user with the admin@example.com email).

  3. All other users will have the ReadQuiltBucket role.

Note: Unrecognized users will have their role set to the default_role, but their admin flag will be unchanged.
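To make the outcome of this example concrete, here is an added Python example (not Quilt's own code) that applies the mappings above to ID-token claims using a hand-written subset of JSON Schema. It assumes first-match-wins ordering and that an omitted admin key means false, which the page implies but does not state; it also demonstrates the Warning under Configuration by dropping required from the groups schema and matching a token that carries no groups claim at all.

```python
from typing import Any

# The page's example config, as the dict PyYAML would produce from the YAML.
CONFIG = {
    "version": "1.0",
    "default_role": "ReadQuiltBucket",
    "mappings": [
        {"schema": {"type": "object",
                    "properties": {"email": {"const": "admin@example.com"}},
                    "required": ["email"]},
         "roles": ["ReadWriteQuiltBucket"], "admin": True},
        {"schema": {"type": "object",
                    "properties": {"groups": {"type": "array",
                                              "contains": {"const": "rw"}}},
                    "required": ["groups"]},
         "roles": ["ReadWriteQuiltBucket"]},
    ],
}

def matches(schema: dict, value: Any) -> bool:
    """Minimal JSON Schema subset: type, const, properties, required, contains."""
    if "const" in schema and value != schema["const"]:
        return False
    t = schema.get("type")
    if (t == "object" and not isinstance(value, dict)) or (t == "array" and not isinstance(value, list)):
        return False
    if isinstance(value, dict):
        if any(key not in value for key in schema.get("required", [])):
            return False
        # An absent property passes its sub-schema; only `required` fails on absence.
        for key, sub in schema.get("properties", {}).items():
            if key in value and not matches(sub, value[key]):
                return False
    if isinstance(value, list) and "contains" in schema:
        return any(matches(schema["contains"], item) for item in value)
    return True

def resolve(config: dict, claims: dict, current_admin: bool = False) -> tuple[list[str], bool]:
    """Assumed semantics: first matching mapping wins; an omitted `admin`
    means False; no match gives default_role and keeps the user's admin flag."""
    for mapping in config["mappings"]:
        if matches(mapping["schema"], claims):
            return mapping["roles"], mapping.get("admin", False)
    return [config["default_role"]], current_admin

def weak_schema_matches_missing_claim() -> bool:
    """The page's Warning: without `required`, the groups schema matches a token with no groups."""
    weak = dict(CONFIG["mappings"][1]["schema"])
    weak.pop("required")
    return matches(weak, {"email": "someone@example.com"})  # constructed token claims
```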

The configuration file is written in YAML and is defined by this JSON Schema, which includes descriptions of all the fields.

(Screenshot: admin UI for setting SSO permissions mapping)