In order to replace a traditional VPN (OpenVpn, Pritunl, etc...) for SSO interactive login #1952

Open
Francois-YACOB opened this issue May 9, 2024 · 0 comments

@Francois-YACOB

Context :

  • Netbird creates an overlay network that contains peers
  • peers have groups: from manual assignment, auto-assigned by setup keys, from user group propagation, etc.
  • groups are used to define access policies

This is perfect from a network architecture perspective... and all of these settings are peer-centric: the groups are assigned to the peer, and when the user connects to the VPN through the IDP, no information from the user is used.

Missing use case :

  • in the scenario of a shared computer, it makes sense that one user connects to the VPN and has some access policies, based on their groups, added to the peer.
  • this user disconnects and another user logs in; the peer should now have different access policies if the 2nd user has different groups.

Request for this feature :

  • at SSO login time, the groups at the user level are added to the peer, thus giving additional flexibility for access policies
  • when the user disconnects from the Netbird UI (or after login expiration), the additional groups are removed from the peer

Objective :

  • allowing some dynamic user-centric group policies makes Netbird more competitive with traditional VPN solutions that are user-profile-centric.
  • from an architectural perspective, Netbird with peer-centric access policy is comparable to IPSEC site-to-site
  • adding user group access policy will make Netbird comparable to an IPSEC/IKEV2 roadwarrior configuration and, globally, able to compete with OpenVPN/Pritunl and other vendor VPNs (Cisco connect, Sophos VPN)
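
The lifecycle requested above, sketched as an added example that is not part of the original issue and is not NetBird code: a peer keeps its own groups, takes on the user's groups at SSO login, and loses them at logout or login expiration. The `Peer` type, its fields and methods, and the group names are all hypothetical.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Peer is a hypothetical model for this example, not NetBird's own type.
type Peer struct {
	Static  []string  // groups from manual assignment or setup keys
	Session []string  // groups copied from the user at SSO login
	Expires time.Time // end of the login session; zero when logged out
}

// Login replaces the previous user's session groups instead of merging,
// so nothing granted to an earlier user survives on a shared computer.
func (p *Peer) Login(userGroups []string, now time.Time, ttl time.Duration) {
	p.Session = append([]string(nil), userGroups...)
	p.Expires = now.Add(ttl)
}

// Logout drops the user-derived groups immediately.
func (p *Peer) Logout() { p.Session, p.Expires = nil, time.Time{} }

// EffectiveGroups returns the sorted, de-duplicated groups a policy engine
// would match at time now; session groups stop counting after expiration.
func (p *Peer) EffectiveGroups(now time.Time) []string {
	all := append([]string(nil), p.Static...)
	if now.Before(p.Expires) {
		all = append(all, p.Session...)
	}
	sort.Strings(all)
	out := all[:0]
	for i, g := range all {
		if i == 0 || g != all[i-1] {
			out = append(out, g)
		}
	}
	return out
}

func main() {
	t0 := time.Date(2024, 5, 9, 9, 0, 0, 0, time.UTC) // constructed sample time
	p := &Peer{Static: []string{"shared-desktops"}}   // constructed group names
	p.Login([]string{"finance"}, t0, time.Hour)
	p.Login([]string{"engineering"}, t0.Add(10*time.Minute), time.Hour)
	fmt.Println(p.EffectiveGroups(t0.Add(11 * time.Minute))) // second user active
	fmt.Println(p.EffectiveGroups(t0.Add(2 * time.Hour)))    // login expired
}
```

Evaluating expiration at lookup time means a session that was never explicitly closed still stops granting the user's groups once the login lapses.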