IAM/SSO Support with 3rd Party Directory
planned / on deck
Ravinder Braich
Merged in a post:
IAM roles and service accounts for devices
Marques Johansson
An enabling feature of the Amazon, Google, and other cloud APIs is that IAM roles can be ascribed and inherited by devices. This makes it possible for a Device provisioned through UserData to provision more devices (including storage or networking) or activate other related API features.
While these devices may be provisioned with a token allowing for such behaviors, that token must then be maintained. IAM roles (default service accounts) allow for chosen devices to have true robot access to authorized actions of the API. These devices do not need further API token grants, revocation, or rotation. The identity of the node is known to the API service and it can therefore authorize the machine to make API calls, acting with the roles afforded that machine's service account.
Dimitry Sanivsky
We need Azure SSO.
Francois-Xavier Jammes
As part of our migration to a new Identity service, we’re planning to add this capability to our product. We are discussing the details internally and we will communicate an ETA once we have one.
Zain Mujtaba
It looks like this has been planned since Nov 2020. When will this be in place?
Eran Guy
Please consider SCIM support as part of this effort - user provision/de-provision is important.
Greg Swift
Group sync/access mapping would be very nice to have as well!
Ravinder Braich
planned / on deck
Bob Fraser
under review
Robby GreenLeaf
Integrations:
SAML
Active Directory / Azure AD
LDAP
Google Auth
OKTA
Auth0
OneLogin
Ping Identity
Matt Johnson
AzureAD would be great!
Marques Johansson
This is very powerful when the API client wrappers are made aware of this. packngo.NewSession() could, for example, infer API access without the need for an explicit token. Packet nodes in Kubernetes clusters running deployments like CSI, CCM, ClusterAPI, and Crossplane would not require token-based access, and could be deployed with a common set of access controls (a group), that can then be managed externally or internally if the access controls permit modifications to the relationship. Devices (service accounts) can only create devices (service accounts) with the same or fewer rights than they have.