Sync groups with SAML provider #6299

Merged: 6 commits, Nov 20, 2023
20 changes: 20 additions & 0 deletions server/modules/authentication/saml/authentication.js
Expand Up @@ -56,6 +56,26 @@ module.exports = {
picture: _.get(profile, conf.mappingPicture, '')
}
})

// map users provider groups to wiki groups with the same name, and remove any groups that don't match
// Code copied from the LDAP implementation with a slight variation on the field we extract the value from
// In SAML v2 groups come in profile.attributes and can be 1 string or an array of strings
if (conf.mapGroups) {
const maybeArrayOfGroups = _.get(profile.attributes, conf.mappingGroups)
const groups = (maybeArrayOfGroups && !_.isArray(maybeArrayOfGroups)) ? [maybeArrayOfGroups] : maybeArrayOfGroups

if (groups && _.isArray(groups)) {
const currentGroups = (await user.$relatedQuery('groups').select('groups.id')).map(g => g.id)
const expectedGroups = Object.values(WIKI.auth.groups).filter(g => groups.includes(g.name)).map(g => g.id)
for (const groupId of _.difference(expectedGroups, currentGroups)) {
await user.$relatedQuery('groups').relate(groupId)
}
for (const groupId of _.difference(currentGroups, expectedGroups)) {
await user.$relatedQuery('groups').unrelate().where('groupId', groupId)
}
}
}

cb(null, user)
} catch (err) {
cb(err, null)
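Review bot: the sync silently skips when the provider does not release the groups attribute at all, which contradicts the definition hint. In this hunk `const maybeArrayOfGroups = _.get(profile.attributes, conf.mappingGroups)` yields `undefined` when the attribute is absent, so `groups` is `undefined`, the `if (groups && _.isArray(groups))` guard is false, and the user keeps every wiki group already granted; only a present-but-empty list removes them. Either decide that an absent attribute means "no groups" (e.g. `_.get(profile.attributes, conf.mappingGroups, [])`) so revoked memberships are actually removed on next login, or keep the current fail-open behaviour and say so explicitly in the code comment and in the `mapGroups` hint, since an operator reading "will remove any groups ... that don't match" will assume removal happens in both cases. Also worth a comment: `groups.includes(g.name)` is an exact, case-sensitive match, so a casing mismatch between the IdP and the wiki group name results in the group being dropped rather than kept.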
12 changes: 12 additions & 0 deletions server/modules/authentication/saml/definition.yml
Expand Up @@ -162,3 +162,15 @@ props:
default: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/picture'
hint: The field storing the user avatar picture. Can be a variable name or a URI-formatted string.
order: 43
mapGroups:
type: Boolean
title: Map Groups
hint: Map groups matching names from the provider user groups. User Groups Field Mapping must also be defined for this to work. Note this will remove any groups the user has that doesn't match any group from the provider.
default: false
order: 44
mappingGroups:
title: User Groups Field Mapping
type: String
default: 'memberOf'
hint: The field storing the user groups attribute (when Map Groups is enabled). Can be a variable name or a URI-formatted string.
order: 45
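Review bot: the `mapGroups` hint has a grammar slip ("any groups the user has that doesn't match" should read "that don't match") and should also state what happens when the configured groups attribute is missing from the assertion, since the code path only removes groups when the attribute is present. Suggested wording: "Map groups matching names from the provider user groups. User Groups Field Mapping must also be defined for this to work. Note this will remove any groups the user has that don't match any group from the provider." with one added sentence describing the missing-attribute behaviour once it is settled. Separately, `mappingGroups` defaults to the bare name `memberOf` while the neighbouring mapping fields default to full claim URIs (see `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/picture` above); the hint already says both forms work, so a short note that the value must match the attribute name exactly as the IdP releases it (including a URI form if that is what the IdP sends) would save operators a debugging round.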