hardillb
Contributor

@hardillb hardillb commented Sep 19, 2025

fixes #5902

Description

If enabled in the SSO provider settings, this adds the list of groups to the FlowFuse User object on each SSO login.

This can then be retrieved by the nr-launcher middleware when using FF Authentication and exposed to the Dashboard.

depends on FlowFuse/nr-launcher#389

DO NOT MERGE BEFORE #6003 as it contains db migration

Related Issue(s)

#5902

Checklist

  • I have read the contribution guidelines
  • Suitable unit/system level tests have been added and they pass
  • Documentation has been updated
    • Upgrade instructions
    • Configuration details
    • Concepts
  • Changes flowforge.yml?
    • Issue/PR raised on FlowFuse/helm to update ConfigMap Template
    • Issue/PR raised on FlowFuse/CloudProject to update values for Staging/Production
  • Link to Changelog Entry PR, or note why one is not needed.

Labels

  • Includes a DB migration? -> add the area:migration label

@hardillb hardillb added this to the 2.22 milestone Sep 19, 2025
@hardillb hardillb requested a review from knolleary September 19, 2025 16:45
@hardillb hardillb self-assigned this Sep 19, 2025
@hardillb hardillb added the area:migration Involves a database migration label Sep 19, 2025

codecov bot commented Sep 19, 2025

Codecov Report

❌ Patch coverage is 30.76923% with 18 lines in your changes missing coverage. Please review.
✅ Project coverage is 76.69%. Comparing base (1407081) to head (a80f316).
⚠️ Report is 9 commits behind head on main.

Files with missing lines Patch % Lines
forge/ee/routes/sso/auth.js 0.00% 7 Missing ⚠️
forge/ee/lib/sso/index.js 0.00% 6 Missing ⚠️
forge/db/models/User.js 50.00% 4 Missing ⚠️
...b/migrations/20250919-01-add-sso-groups-session.js 80.00% 1 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #6041      +/-   ##
==========================================
- Coverage   76.75%   76.69%   -0.07%     
==========================================
  Files         378      379       +1     
  Lines       18967    18993      +26     
  Branches     4516     4522       +6     
==========================================
+ Hits        14559    14567       +8     
- Misses       4408     4426      +18     
Flag Coverage Δ
backend 76.69% <30.76%> (-0.07%) ⬇️

Member

@knolleary knolleary left a comment

A couple additional changes needed:

  1. The 'provision new user on login' route needs updating to capture the group info (the else case around line 109 in forge/ee/routes/sso/auth.js).
  2. The groupAssertionName property is only visible if the 'manage group membership' option is enabled. The value gets reset to blank if that option is toggled off. So as it stands, no way to enable this feature without also enabling manage group membership. Suggest the quick fix is to move the new option under the manage group membership option for now. We can move it out as an independent option if the need arises in the future.

move sso settings toggle to under groups settings

Ensure new users are populated when created via SSO
@hardillb hardillb requested a review from knolleary September 24, 2025 08:28
@knolleary knolleary merged commit 62564ff into main Sep 25, 2025
22 of 23 checks passed
@knolleary knolleary deleted the expose-saml-groups branch September 25, 2025 09:27

Labels

area:migration Involves a database migration

Projects

Status: Review

Development

Successfully merging this pull request may close these issues.

SAML group assertions in _client.user object

2 participants