I need some advice about Backend Roles vs SG Roles.
I am focusing on Proxy Authentication and after reading the manual my understanding is as follows:
1. When using a Proxy based authentication type, the user and her roles are provided by the proxy in the x-proxy-roles HTTP request headers. Both are assumed to be verified by a trusted server.
2. When using Proxy authentication the file sg_internal_users.yml is not needed, so I can forget about it. The user sent by the proxy is mapped with the SG Roles in the
3. The authorization backend type must be noop in this case: I do not have an LDAP server. As stated by the manual this means that the backend roles are not used at all. (Is it true?)
My question is: what is the x-proxy-roles header supposed to contain in this case? I am confused.
If it must contain a list of SG Roles names, I am wondering how the proxy server can add the right names to the list: they are defined in the SG file sg_roles.yml and of course are not accessible to the proxy server.
If it must contain a list of backend roles that SG will map to the corresponding SG Roles using the sg_roles_mapping.yml file, it would make sense, but my statement n. 3 above must be wrong.
Maybe I misunderstood the manual, of course.
Please help me.