Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Implement proper group mapping via SAML #659

Closed
wants to merge 1 commit into from
Closed

Implement proper group mapping via SAML #659

wants to merge 1 commit into from

Conversation

Ma27
Copy link

@Ma27 Ma27 commented Sep 23, 2022

Fixes #561

As stated in the issue, it's not desirable to have a group called admin in the SAML backend which doesn't indicate to which service admin permissions are granted.

This is orthogonal to saml-attribute-mapping-group_mapping which simply maps all groups from a SAML attribute to Nextcloud groups, i.e. the attribute's value MUST contain a group called admin to make sure that users get admin rights in Nextcloud.

When enabled, the name of (another) attribute must be specified which contains a list of SAML-specific groups, e.g.

["nextcloud-admins", "nextcloud-marketing"]

that can be mapped to e.g.

["admin", "marketing"]

cc @jgallucci32, @kevinmccurdybrd, @blizzz

@Ma27
Implement proper group mapping via SAML
6d0420c 
Fixes nextcloud#561

As stated in the issue, it's not desirable to have a group called
`admin` in the SAML backend which doesn't indicate to which service
admin permissions are granted.

This is orthogonal to `saml-attribute-mapping-group_mapping` which
simply maps all groups from a SAML attribute to Nextcloud groups, i.e.
the attribute's value MUST contain a group called `admin` to make sure
that users get admin rights in Nextcloud.

When enabled, the name of (another) attribute must be specified which
contains a list of SAML-specific groups, e.g.

    ["nextcloud-admins", "nextcloud-marketing"]

that can be mapped to e.g.

    ["admin", "marketing"]

Signed-off-by: Maximilian Bosch <[email protected]>
@blizzz
Copy link
Member

blizzz commented Sep 23, 2022

Did you see #545 which is being in development?

@Ma27
Copy link
Author

Ma27 commented Sep 26, 2022

OK interesting, this wasn't referenced in #561.
What I'm wondering is: why do you have separate groups for SAML and non-SAML? IIRC most applications have a simple mapping between users from $directory and existing groups (or newly created ones) which is what my solution does (in a more simple fashion and without any migration steps).

Woudl be interested in knowing the use-case behind that, though :)

@kevinmccurdybrd kevinmccurdybrd mentioned this pull request Oct 4, 2022
Closed
7 tasks
@kevinmccurdybrd kevinmccurdybrd mentioned this pull request Mar 31, 2023
Open
@Ma27
Copy link
Author

Ma27 commented Nov 26, 2023

Closing due to lack of interest.

@Ma27 Ma27 closed this Nov 26, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Grant Admin Rights to custom SAML group
2 participants
@Ma27 @blizzz