liz/wikijs-fork
liz/wikijs-fork
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

feat: sync groups with SAML provider (#6299)

Browse Source 
* feat: added implementation for group mapping in SAML strategies

---------

Co-authored-by: Abderraouf El Gasser <abderraouf.elgasser@iktos.com>
Co-authored-by: Nicolas Giard <github@ngpixel.com>
This commit is contained in:
aelgasser 2023-11-20 22:59:33 +01:00 committed by GitHub
parent fd91caff1d
commit 38a46e68ea
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 32 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
server/modules/authentication/saml/authentication.js
View File

@ -56,6 +56,26 @@ module.exports = {
picture: _.get(profile, conf.mappingPicture, '') picture: _.get(profile, conf.mappingPicture, '')
} }
}) })
// map users provider groups to wiki groups with the same name, and remove any groups that don't match
// Code copied from the LDAP implementation with a slight variation on the field we extract the value from
// In SAML v2 groups come in profile.attributes and can be 1 string or an array of strings
if (conf.mapGroups) {
const maybeArrayOfGroups = _.get(profile.attributes, conf.mappingGroups)
const groups = (maybeArrayOfGroups && !_.isArray(maybeArrayOfGroups)) ? [maybeArrayOfGroups] : maybeArrayOfGroups
if (groups && _.isArray(groups)) {
const currentGroups = (await user.$relatedQuery('groups').select('groups.id')).map(g => g.id)
const expectedGroups = Object.values(WIKI.auth.groups).filter(g => groups.includes(g.name)).map(g => g.id)
for (const groupId of _.difference(expectedGroups, currentGroups)) {
await user.$relatedQuery('groups').relate(groupId)
}
for (const groupId of _.difference(currentGroups, expectedGroups)) {
await user.$relatedQuery('groups').unrelate().where('groupId', groupId)
}
}
}
cb(null, user) cb(null, user)
} catch (err) { } catch (err) {
cb(err, null) cb(err, null)

12
server/modules/authentication/saml/definition.yml
View File

@ -162,3 +162,15 @@ props:
default: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/picture' default: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/picture'
hint: The field storing the user avatar picture. Can be a variable name or a URI-formatted string. hint: The field storing the user avatar picture. Can be a variable name or a URI-formatted string.
order: 43 order: 43
mapGroups:
type: Boolean
title: Map Groups
hint: Map groups matching names from the provider user groups. User Groups Field Mapping must also be defined for this to work. Note this will remove any groups the user has that doesn't match any group from the provider.
default: false
order: 44
mappingGroups:
title: User Groups Field Mapping
type: String
default: 'memberOf'
hint: The field storing the user groups attribute (when Map Groups is enabled). Can be a variable name or a URI-formatted string.
order: 45