Skip to content

saml: assign roles every login, to all orgs (#4225) #4284

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
scudette merged 1 commit into from
Jun 12, 2025
Merged

saml: assign roles every login, to all orgs (#4225) #4284

scudette merged 1 commit into from
Jun 12, 2025

Conversation

@samdroid-apps
Copy link
Contributor

@samdroid-apps samdroid-apps commented Jun 6, 2025
edited
Loading

This PR updates the SAML authenticator to match the (more recently updated) OIDC authenticator.
Previously, the SAML authenticator only added roles to the root org, and only assigned roles during user creation.
Now it will add roles every login and to all orgs.

@CLAassistant
Copy link

CLAassistant commented Jun 6, 2025
edited
Loading

CLA assistant check
All committers have signed the CLA.

samdroid-apps
samdroid-apps commented Jun 6, 2025
View reviewed changes
@scudette
Copy link
Contributor

scudette commented Jun 9, 2025

Since orgs are dynamically added and removed I dont think the right approach is to specify the orgs in the config file. The oidc provider just sets permissions in all orgs :

velociraptor/api/authenticators/claims.go

Line 73 in f7374f8

if self.authenticator.Claims == nil ||

The provider allows the IDP to set a roles claim and then adjust the ACLs based on this claim on all available orgs. For consistency we should implement this issue in the same way as oidc

Usually when roles are assigned through the IDP we want the user to have access to all orgs.

Perhaps we need a more flexible way to assign new users automatically - this can be achieved by having the authenticator fire an event and then setting up some server event monitoring query to actually add the user to the relevant orgs. This allows the orgs to be flexibly configured.

@samdroid-apps samdroid-apps changed the title Add saml_user_orgs config option (#4225) saml: assign roles every login, to all orgs (#4225) Jun 9, 2025
@samdroid-apps
Copy link
Contributor Author

samdroid-apps commented Jun 9, 2025

Great point @scudette. I've changed the approach of this PR to match SAML's behaviour to that of OIDC.

I was initially concerned that other velociraptor users might be relying on the SAML connector's root-only assignments for security. However, as long as this change is documented in any release notes, it should be fine.

Please take another look :)

@scudette scudette merged commit 48c6086 into Velocidex:master Jun 12, 2025
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@samdroid-apps @CLAassistant @scudette