by cnuss
1627 days ago
great question yodon! generally speaking, no, there should be no security concerns checking this into a repo but some best practices would be recommended to follow:
- make the repo private
- protect the main branch
- require PRs and # approvals and/or add CODEOWNERS
- only allow individuals that need to edit with write/admin privileges
- having anybody with read-only access to the repo is unnecessary since SAML.to does the reading on behalf of the users

if provisioning is needed, there would be an encrypted token for SCIM in the text of the file, but that token is encrypted by SAML.to's AWS KMS, so checking an encrypted string into a file shouldn't be a huge concern for most.

also, SAML.to Premium allows users to maintain their own PKI and allows administrators to encrypt and sign according to their organization's requirements!

on a final note, I'd entertain a feature request for "include" statements in the config file so CODEOWNERS could be leveraged nicely.

that's all I can think of for now. I'll get these best practices into the docs and I'd entertain any and all suggestions or thoughts!
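As an added illustration of the CODEOWNERS and branch-protection practices listed above (example code, not from the post or from SAML.to): the script below parses a CODEOWNERS file with simplified gitignore-style matching, reports whether the checked-in config file has a dedicated owner set rather than only inheriting the repo-wide default, and builds the JSON body for GitHub's "update branch protection" REST endpoint with required approvals and code-owner review turned on. The CODEOWNERS contents, the `@example-org/...` teams and the `saml-to.yml` file name are constructed placeholders; the API field names are taken from the public GitHub REST API as the author of this example knows it and should be checked against the current docs.

```python
"""Check that a config file checked into a repo is covered by CODEOWNERS and
build the branch-protection settings recommended in the post.

Added illustration; not code from SAML.to or from the original post. The
CODEOWNERS text, team names and config file name below are constructed."""
import json
import re
from typing import Dict, List, Tuple

# Constructed sample CODEOWNERS; the "@example-org/..." teams are placeholders.
SAMPLE_CODEOWNERS = """
# default owners for everything in the repo
*                 @example-org/platform

# the identity config gets a smaller, dedicated owner set
/saml-to.yml      @example-org/identity-admins

# workflow files that could leak secrets on a bad change
/.github/         @example-org/platform @example-org/security
"""

# Constructed file name for the checked-in config; adjust to your repo.
CONFIG_PATH = "saml-to.yml"


def _pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate a CODEOWNERS glob into a regex (simplified gitignore rules:
    a leading '/' or an inner '/' anchors the pattern at the repo root,
    otherwise it may match at any depth; '*' stays within one path segment,
    '**' crosses segments; a trailing '/' means a directory and its contents)."""
    anchored = pattern.startswith("/")
    pat = pattern.lstrip("/")
    dir_only = pat.endswith("/")
    pat = pat.rstrip("/")
    body, i = "", 0
    while i < len(pat):
        if pat.startswith("**", i):
            body += ".*"
            i += 2
            continue
        ch = pat[i]
        body += "[^/]*" if ch == "*" else "[^/]" if ch == "?" else re.escape(ch)
        i += 1
    prefix = "^" if anchored or "/" in pat else "(^|.*/)"
    suffix = "/.*$" if dir_only else "(/.*)?$"
    return re.compile(prefix + body + suffix)


def parse_codeowners(text: str) -> List[Tuple[re.Pattern, List[str]]]:
    """Return (regex, owners) rules in file order; comments and blanks dropped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            pattern, *owners = line.split()
            rules.append((_pattern_to_regex(pattern), owners))
    return rules


def owners_for(path: str, rules: List[Tuple[re.Pattern, List[str]]]) -> List[str]:
    """Owners of a path. As on GitHub, the LAST matching rule wins."""
    path = path.lstrip("/")
    owners: List[str] = []
    for regex, rule_owners in rules:
        if regex.match(path):
            owners = rule_owners
    return owners


def audit_codeowners(text: str, config_path: str) -> List[str]:
    """Findings a reviewer would want before trusting CODEOWNERS to gate
    changes to the config file. An empty list means no findings."""
    rules = parse_codeowners(text)
    findings = []
    config_owners = owners_for(config_path, rules)
    if not config_owners:
        findings.append(f"{config_path} has no owner: code-owner review cannot gate it")
    else:
        # A file that only inherits the catch-all rule is reviewable by the whole
        # default team, which is usually wider than the identity admins.
        catch_all = owners_for("some-unrelated-file.txt", rules)
        if config_owners == catch_all:
            findings.append(f"{config_path} only inherits the default owners {catch_all}")
    return findings


def branch_protection_payload(approvals: int = 2) -> Dict:
    """JSON body for GitHub's 'update branch protection' REST endpoint
    (PUT /repos/{owner}/{repo}/branches/{branch}/protection). Field names are
    from the public API as the example's author knows it; confirm against the docs."""
    return {
        "required_status_checks": None,            # add CI contexts if you have them
        "enforce_admins": True,                    # admins cannot bypass the rules
        "required_pull_request_reviews": {
            "required_approving_review_count": approvals,
            "require_code_owner_reviews": True,    # CODEOWNERS must sign off
            "dismiss_stale_reviews": True,         # new pushes need fresh approval
        },
        "restrictions": None,                      # push restrictions; None = none set
    }


if __name__ == "__main__":
    rules = parse_codeowners(SAMPLE_CODEOWNERS)
    print(CONFIG_PATH, "->", owners_for(CONFIG_PATH, rules))
    print("findings:", audit_codeowners(SAMPLE_CODEOWNERS, CONFIG_PATH))
    print(json.dumps(branch_protection_payload(), indent=2))
```

Run it against your own CODEOWNERS text to see which team actually gates the config file; a CODEOWNERS that only has a `*` catch-all is reported as a finding because code-owner review then adds nothing beyond the default approvers.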