Hello guys, We want to enable our users to login ...
# gooddata-platform
l
Hello guys, we want to enable our users to log in using GoodData PGP SSO, but we have some concerns about the security of the user that we want to use for the API login requests. Does the user that does the PGP Login Request (https://{{ApiDomain}}/gdc/account/customerlogin) have to be a domain admin? If so, what's the best way to keep that user secured? Thanks
j
Hi Luis, the user logging into the platform would be the user to make the call to sign in. So, no, the domain admin will not make a call to log in any other user. What exactly are your security concerns from your perspective? You can find information on our PGP SSO and its security HERE.
m
Hi Luis, as far as I understand the PGP SSO, it works like this:
• initial one-time setup
  ◦ you generate your public & private keypair (one for the whole solution)
  ◦ you configure the GoodData SSO Provider and place the public part of the keypair there
  ◦ you set your users to use this SSO provider
  ◦ (these last two points are the only ones that need to be done by the domain admin)
• day-to-day operations
  ◦ for any existing GoodData user that you want to log in, your system (after verifying the user is properly logged in to your system) generates on the fly the “encryptedClaims” and redirects the user to the GoodData /customerlogin URL with this parameter
  ◦ GoodData verifies the encryptedClaims (validates with the public key that it was signed by you and decrypts using our private key) and, if everything is OK, a valid GoodData session cookie is issued for that user
Typically this claims generation is done by some back-end procedure on your end, and only this tool should have access to your private key, which never leaves that server. Only the individual encryptedClaims that are specific to each user and have limited time validity are securely transferred over the network.
You can log in any GoodData user in your organization who has the proper SSO provider assigned to them. And you do not need to be logged in as the domain (or any other user) to do it.
The trust, as far as I understand it, is based on the fact that the encryptedClaims is cryptographically signed by your private key (which GoodData verifies using the associated public key which your domain admin set for that SSO provider). And its privacy is based on (apart from being transferred via HTTPS) the fact that its content is encrypted by our public key (so only GoodData can read it using the associated private key).
I hope this helps.
l
Hello guys, thanks for the help!