New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for Okta Group claims to set user role #15020
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You need to remove the Okta specific code
And change the logic so you specify the scope name for groups instead of hardcoded "groups"
And last, need to make the group name mapping configurable
@Jellyfrog shouldn't the "group" name line up with "role" names in LibreNMS? Or do want to require explicit mapping? Or should there be a "user group" concept in LibreNMS? |
Well since we don't have groups in LibreNMS, I think this is the best way atm. We cant expect people to create a group in AD called "admin" for example :) |
This pull request has been mentioned on LibreNMS Community. There might be relevant details there: https://community.librenms.org/t/saml2-group-mapping-giving-access-level/21356/2 |
I think code design is good now. Code style could use a clean up pass (I can tell you copied code from some older parts of LibreNMS). If I submit a cleanup, would you test it after? |
Remove some redundant safety checks Prevent bug where group name could contain a dot Use match statement save outside of setLevelFromClaim (it checks if there are changes before saving)
I'll give it a go to try it out on some other provider. |
I have put the refactored changes through our lower testing environments and it works as expected @murrant 🙏 |
Like I wrote on discord, this doesn't work at all for azuread. And I'm guessing it won't work for a lot of providers out there, need to test a few at least, else this will just lead to a billion questions. |
I noticed the gui is borked for the Groups->Roles mapping. I assume perhaps have to make a new config type rather than use ldap-groups and then make some type of javascript helper function to help with the populating the select boxes? We don't really ever look in the GUI but I guess it would be nice if it worked as expected. Should I have a go at this? |
So I did some more testing and github doesn't work This kinda means I'm against adding it in its current state, have to give it some thought. |
But it does work for Okta, which makes it pretty useful for shops with Okta with a fairly minor impact. I'm assuming getting all the other providers to work would involve some upstream work to get it all nicely abstracted to be generic |
As I understand it, the problem is that claims/groups do not work for providers other than Okta. Would it otherwise be possible to separate just the 'Default Role' part of this PR and merge that? That should work for all providers, and is a useful feature on it's own. |
Hmm it is hard to predict the upstream api. I'm uncertain if we should continue on this approach or try to set up a way to add per-provider code. Yes, extracting the default role would be be easily mergable. |
Is there any plan to add the default_role feature on the next version? Please add it is very useful for me. Thanks! |
This pull request has been mentioned on LibreNMS Community. There might be relevant details there: https://community.librenms.org/t/socialite-permissions/21656/2 |
This pull request has been mentioned on LibreNMS Community. There might be relevant details there: https://community.librenms.org/t/sso-not-showing-devices-after-set-up/21949/4 |
@peejaychilds roles have been merged, can you rebase this? |
replaced via #15592 |
Please give a short description what your pull request is for
Allow the Socialite Okta support to ask for groups claim, and then use those okta groups to map to User level's
DO NOT DELETE THE UNDERLYING TEXT
Please note
Testers
If you would like to test this pull request then please run:
./scripts/github-apply <pr_id>
, i.e./scripts/github-apply 5926
After you are done testing, you can remove the changes with
./scripts/github-remove
. If there are schema changes, you can ask on discord how to revert.