Using a web scraping library to automate provisioning/deprovisioning
Posted by Thesandman55@reddit | sysadmin | View on Reddit | 7 comments
So, let’s say there are services that gatekeep SSO/SAML integrations behind a paywall. What’s keeping me from creating a service account and making a couple python scripts that can log in and do the actions I want, like provisioning and deprovisioning? Or even assigning roles and what not. While not as secure or clean as a solution as SSO, I could at least get JIT provisioning going.
Some of these services even have internal APIs that do this (not sure how they monitor them but I would assume they check for origin or something to see if people are using it outside of their “allowed context)
While some services explicitly forbid web scrapping, I am assuming enterprise services are not heavily checking for web scrapping from internal services.
KindlyGetMeGiftCards@reddit
So you are going to actively break the terms of service then, the response is usually stuff around and find out. If said service cuts you off what is your backup plan, have that ready and planned out, or just do that instead.
Thesandman55@reddit (OP)
For the ones I really want to try this with is I can get a user license for like 20 bucks a month if not less. Just spin up a new workspace and give it a shot. Either that or I can do some sort of screen replay software on a laptop that does what I want. Really my goal is mainly to see how little work I can do day to day, not to build out some scalable system.
KindlyGetMeGiftCards@reddit
Sounds like you are doing lots of work to save your company $20.
Remember this is not your money and your time could do actual work to fix actual issues, not perceived issues.
theoriginalharbinger@reddit
SAML isn't provisioning (except to the extent that it's JIT provisioning). It isn't a deprovisioner. For that you'd have SCIM or whatever the vendor's API is, and oftentimes that API is also gatekept behind whatever SKU or license SSO is. And many applications don't even have the notion of a "service account." So - do you have something specific in mind?
There are solutions out there that use some combination of machine learning and UI scripts to automate provisioning and deprovisioning through a SCIM shim. Cerby, among others, uses this tech.
A few quick reasons why this is generally not a good idea:
1) Vendors will shut this own quickly
2) Are you trying to solve for SSO? Or for provisioning/deprovisioning? Many times this is one to satisfy audit requirements, and home-rolled stuff of this nature won't fly with actual auditors.
3) You... can't really meaningfully do SSO with proper roles using service accounts and scripting. Yes, you can do provisioning and deprovisioning operations this way. But that goes back to (2) - what are you actually trying to solve for here?
jimicus@reddit
Ye Gods, how to even begin to take this to pieces:
In short: Do not do it, do not even think about doing it, put ideas like this out of your head before you get your employer into deep shit.
localtuned@reddit
Test it and see. Try something simple like getting the devices hostname or FDE status.
Naive_Ambassador5766@reddit
pay them or ditch them. don't do these silly things.