SSO Permissions Mapping
This feature requires Quilt Platform version 1.54.0 or higher
Overview
This feature lets a Quilt admin configure which roles, and which admin flag value, are assigned to a user who logs in via SSO, based on the claims in the user's ID token.
The configuration can be set with quilt3.admin.sso_config.set() or with the admin UI.

Note: Roles used by configuration can't be removed or renamed.
Note: The user who sets the configuration will never have their admin flag revoked.
Note: After configuration is set, any user who logs in via SSO can't be manually assigned roles or admin permissions.
Configuration
The configuration is written in YAML and is defined by this JSON Schema, which includes descriptions of all the fields.
Warning: In your schemas, don't forget to list the claims you want to check under required; otherwise the schema will match any ID token, even one in which these claims are missing.
Example
version: "1.0"
default_role: ReadQuiltBucket
mappings:
  - schema:
      type: object
      properties:
        email:
          const: [email protected]
      required:
        - email
    roles:
      - ReadWriteQuiltBucket
    admin: true
  - schema:
      type: object
      properties:
        groups:
          type: array
          contains:
            const: rw
      required:
        - groups
    roles:
      - ReadWriteQuiltBucket
With this configuration:
- a user with the email [email protected] will have the ReadWriteQuiltBucket role and the admin flag set to true;
- a user in the group rw will have the ReadWriteQuiltBucket role and the admin flag set to false (except the user with the [email protected] email);
- all other users will have the ReadQuiltBucket role.
Note: Unrecognized users will have their role set to the default_role, but their admin flag will be unchanged.
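To make the warning about required concrete, here is an added example (not Quilt's own code) that evaluates the JSON Schema subset used in the mapping above against ID-token claims. The role/admin resolution in resolve() is inferred from the outcomes stated on this page, and the config, email placeholder and tokens are constructed for the example.

```python
# Added example, not Quilt's own code: a minimal evaluator for the JSON Schema
# subset the mappings above use (type, properties, const, required, contains),
# plus role/admin resolution inferred from the outcomes stated on this page.

def matches(schema, value):
    """True if `value` satisfies `schema` (standard JSON Schema semantics)."""
    if "const" in schema and value != schema["const"]:
        return False
    kind = schema.get("type")
    if kind == "object":
        if not isinstance(value, dict):
            return False
        if any(claim not in value for claim in schema.get("required", [])):
            return False
        # `properties` only constrains claims that are present: a missing claim
        # is NOT a mismatch unless it is also listed under `required`.
        for claim, sub in schema.get("properties", {}).items():
            if claim in value and not matches(sub, value[claim]):
                return False
    elif kind == "array":
        if not isinstance(value, list):
            return False
        if "contains" in schema and not any(matches(schema["contains"], v) for v in value):
            return False
    return True

def resolve(config, claims, current_admin):
    """Roles and admin flag for one SSO login (union of matched mappings: assumption)."""
    matched = [m for m in config["mappings"] if matches(m["schema"], claims)]
    if not matched:  # unrecognized user: default_role, admin flag left unchanged
        return {config["default_role"]}, current_admin
    roles = {r for m in matched for r in m["roles"]}
    return roles, any(m.get("admin", False) for m in matched)
GROUPS_RW = {"type": "array", "contains": {"const": "rw"}}
# Constructed config mirroring the page's example; the email is a placeholder.
CONFIG = {
    "version": "1.0",
    "default_role": "ReadQuiltBucket",
    "mappings": [
        {"schema": {"type": "object", "properties": {"email": {"const": "admin@example.com"}},
                    "required": ["email"]}, "roles": ["ReadWriteQuiltBucket"], "admin": True},
        {"schema": {"type": "object", "properties": {"groups": GROUPS_RW},
                    "required": ["groups"]}, "roles": ["ReadWriteQuiltBucket"]},
    ],
}
def required_caveat():
    # Same groups schema without and with `required`, against a token lacking `groups`.
    unsafe = {"type": "object", "properties": {"groups": GROUPS_RW}}
    safe = {**unsafe, "required": ["groups"]}
    token = {"email": "bob@example.com"}  # constructed: no `groups` claim at all
    return matches(unsafe, token), matches(safe, token)  # (True, False)
```

The unsafe schema grants the rw mapping to a token that carries no groups claim at all, which is exactly what listing the claim under required prevents.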