# Mark43

## 07/01/2022

### Technical Access & Issues

We need Northpass to be able to parse the group ID information in the JWT.

"We want Northpass to be able to support parsing a custom claim containing the Northpass group ID from the JWT used in SSO-based authentication. Mark43 (perhaps the TSE team) would be responsible for ensuring that new & existing SSO identity provider configurations (e.g., Azure AD) contain a custom property with the appropriate Northpass group ID for that customer."

"We would need to have a separate method for customers who have no external identity provider configured (i.e., customers who authenticate with Northpass via their Mark43 application credentials). We currently have no automated way to link these users (whole departments, really) to a given Northpass group automatically."

They don't want to do user management. At her previous company, the LMS admin would talk to each person in the academy; Michelle can't do that. Currently she posts links on the help center and people sign up for the university on their own.

* If we used token-based authentication, how do we keep out competitors?
* What happens with empty values (no identity provider) for users under token-based auth?
* If users with no value are allowed in, how do we keep out competitors?

* OAuth 2.0 would work best for passing groups and IDs.
* We built out an Okta integration; it uses our default SAML.
* Okta provides group provisioning.
* Generically available to anyone who uses OAuth 2.0.
* For customers without an external IdP, there needs to be a single identity provider, such as Mark43.
* Charlie's question: Is there a centralized place where all the information lives? With minor dev resources, we could set up API calls to constantly update their Northpass people and accounts.
* Whenever something is changed in their system, it is auto-updated in Northpass (e.g., someone changes departments).

## 7/26/22

### Meeting with Brian re: SSO

They have a lot of clients without SSO. They are not an IdP, but a service provider. Non-SSO users do a bulk upload into the Mark43 application, which allows the user to sign in with an email/password and then sends them their 2FA code.

In their ideal world, how would Mark43 like to access Northpass?

* Ideally, non-SSO customers will have a username and account without Mark43 having to manage the users.
* Accounts are then managed by their users in their application (sounds like the customer application).
* There would need to be a second instance for non-SSO users.

The last CSM said Michelle can't do groups with their current SSO, and an NP Manager will still see other companies' and agencies' names.

There are some internal issues with customer discussions - Colby, Brian, Michelle, and someone else?

Security review needed internally.

Them setting up as an IdP is not out of the realm of possibilities, but they would have to have a discussion. They generally only handle the handshake one way, so this would be two-way. They don't know if setting up an IdP is the "technological direction" they want to go in.

Renewal - they will be wanting an instance for partners as well. They will need different content.

Professional services leadership - Karim and Calvin.

Mark43 does have a database with all their user information, but that's the short answer. The long answer is that it isn't easily accessible. Charlie suggested that, using the data in that DB, we could auto-provision groups for each agency and client.
Michelle - meeting internally to discuss security for manager permissions, the partner instance, and SSO expectations.

* [X] Provide Brian with documentation on what's possible with SSO and what's required of them.
* [X] Let Brian know if we integrate with B2C - Charlie replied saying we haven't had issues integrating with Azure or any Microsoft product.

## 9/23/2022

### Meeting with Michelle, Larry (CISO), Ryan (Senior Dev)

* They are moving to Azure.
* Ryan to look into consolidating users into Azure using OpenID Connect.
* Norm to set up a sandbox for Ryan.
* All depends on the IdP and whether it can be a single instance.
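Added example, not code from these notes and not Northpass or Mark43 code: what the 07/01 ask (read a Northpass group ID out of a custom JWT claim) looks like when it is done safely, including the two open questions from that meeting, keeping other tenants out (signature, issuer and audience checks) and what to do with an empty value (reject, never default into a group). The claim name `northpass_group_id`, the issuer URL, the audience string and the shared HS256 secret are all assumptions made for the example; an Azure AD, Okta or other OIDC IdP would sign with RS256 against its published JWKS, and only the signature step would change. Standard library only, so it runs offline.

```python
"""Verify an SSO JWT and extract a tenant's Northpass group ID from a custom claim.

Added example; every name below is a stand-in chosen for the example:
  GROUP_CLAIM   hypothetical custom claim the IdP is configured to emit
  EXPECTED_ISS  hypothetical issuer URL of the customer's IdP
  EXPECTED_AUD  hypothetical audience registered for Northpass
  SECRET        constructed HS256 shared key (real deployments: RS256 + JWKS)
"""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-test-secret-not-for-production"
EXPECTED_ISS = "https://idp.example-agency.test"
EXPECTED_AUD = "northpass"
GROUP_CLAIM = "northpass_group_id"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWTs drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes = SECRET, alg: str = "HS256") -> str:
    """Stand-in for the IdP: build a signed JWT as constructed test input."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (_b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


class TokenRejected(Exception):
    """Raised for any token that must not map a user into a Northpass group."""


def extract_group_id(token: str, key: bytes = SECRET, now=None) -> str:
    """Return the group ID carried by a valid token, or raise TokenRejected.

    Rejections: malformed token, header alg other than the pinned one (blocks
    alg=none), bad signature (another tenant's or a competitor's key), wrong
    issuer or audience, missing/expired exp, and a missing or empty group claim.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:  # also covers binascii.Error and JSONDecodeError
        raise TokenRejected("malformed token")

    # Pin the algorithm; the header is attacker-controlled until the signature is checked.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise TokenRejected("unexpected alg %r" % (header.get("alg") if isinstance(header, dict) else None))

    expected = hmac.new(key, (header_b64 + "." + payload_b64).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenRejected("bad signature")

    try:
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:
        raise TokenRejected("malformed payload")
    if not isinstance(claims, dict) or claims.get("iss") != EXPECTED_ISS:
        raise TokenRejected("issuer not trusted")
    aud = claims.get("aud")
    if aud != EXPECTED_AUD and not (isinstance(aud, list) and EXPECTED_AUD in aud):
        raise TokenRejected("token not intended for this service")
    current = now if now is not None else time.time()
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= current:
        raise TokenRejected("token expired or has no exp")

    # An absent or empty claim is a rejection, not a default group: the "empty
    # value" users from the 07/01 notes must not be admitted silently.
    group_id = claims.get(GROUP_CLAIM)
    if not isinstance(group_id, str) or not group_id.strip():
        raise TokenRejected("no usable %s claim; user cannot be placed in a group" % GROUP_CLAIM)
    return group_id.strip()


def is_rejected(token: str, key: bytes = SECRET, now=None) -> bool:
    """Convenience predicate for tests and log-only dry runs."""
    try:
        extract_group_id(token, key=key, now=now)
    except TokenRejected:
        return True
    return False


if __name__ == "__main__":
    good = mint_token({"iss": EXPECTED_ISS, "aud": EXPECTED_AUD, "sub": "officer-42",
                       "exp": time.time() + 300, GROUP_CLAIM: "agency-1234"})
    print(extract_group_id(good))
```

The check order matters: algorithm pin and signature first, then issuer and audience, and only then the group claim, so a token minted by anyone other than the configured IdP never reaches the group lookup. The same flow applies to the OIDC ID token discussed on 9/23; with Azure AD the custom claim would be configured as an optional claim on the app registration and verified with the tenant's RS256 keys rather than a shared secret.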