
SCIM Group Filtering

Open sloanja opened this issue 2 years ago • 4 comments

Is your feature request related to a problem? Please describe. I am using Authentik to provision users and groups into a Netskope lab environment with required property mappings. While I can control which users are provisioned, it also sends over ALL groups associated with those users, which floods the Netskope tenant with unnecessary groups unrelated to Netskope and other SCIM targets.

Describe the solution you'd like I would like to see a section for the SCIM provider configuration called Group Filtering placed below User Filtering and above Attribute mapping. This would allow an administrator to specify specific groups that would be provisioned. It could be similar to AzureAD SCIM or Okta's group rules.

Describe alternatives you've considered Limiting the groups imported into Authentik via the AD sync, but that would limit the instance of Authentik to only handling Netskope SCIM, decreasing the value for Authentik.

Additional context None to remark.

sloanja avatar Jun 26 '23 13:06 sloanja

I would like authentik to be able to filter scim groups and users. Meanwhile, I found an "ugly" workaround which works with AWS Identity Center:

  • Update the groups SCIM mapping like:
allowed_groups = ["Admins", "Admins2", "www"]
if group.name in allowed_groups:
    return {
        "displayName": group.name,
    }
else:
    # Not an allowed group: the object is still returned (and so still sent),
    # only with a blank display name
    return {
        "displayName": " ",
    }

A similar mapping works for users.

marcportabellaclotet-mt avatar Jun 02 '24 23:06 marcportabellaclotet-mt

Is there a way to skip the group mapping? I have tried to return None when the group does not meet the filtering criteria, but it fails with:

Stopping sync due to error: Error No mappings configured, caused by Group xxxx

marcportabellaclotet-mt avatar Jul 19 '24 19:07 marcportabellaclotet-mt

Looking here, it seems that it just queries for all groups.

I was thinking that it may be great to optionally pass some filtering options.

Could it be possible to create a new filters property and then run something like:

from django.db.models import QuerySet

from authentik.core.models import Group, User, UserTypes


def get_object_qs(self, type: type[User | Group]) -> QuerySet[User | Group]:
    # get_provider_filters() is a hypothetical helper: it would return a dict
    # keyed by lower-cased provider name, each value being Django filter kwargs
    provider_filters = get_provider_filters()

    if type == User:
        # Get queryset of all users with consistent ordering
        base = User.objects.all().exclude_anonymous()
        if self.exclude_users_service_account:
            base = base.exclude(type=UserTypes.SERVICE_ACCOUNT).exclude(
                type=UserTypes.INTERNAL_SERVICE_ACCOUNT
            )
        if self.filter_group:
            base = base.filter(ak_groups__in=[self.filter_group])

        # Filter users based on groups they belong to that match provider filters
        group_filters = provider_filters.get(self.name.lower(), {})
        if group_filters:
            filtered_groups = Group.objects.filter(**group_filters)
            base = base.filter(ak_groups__in=filtered_groups)

        return base.order_by("pk")
    if type == Group:
        # Get the base queryset of all groups with consistent ordering
        qs = Group.objects.all().order_by("pk")

        # Apply the filter based on the provider's name
        filters = provider_filters.get(self.name.lower(), {})
        if filters:
            qs = qs.filter(**filters)
        return qs

    raise ValueError(f"Invalid type {type}")

I have tested the above solution hardcoding the filters in code, and it works quite well.

I know that the change is not trivial, and involves a lot of changes, but this would be a nice to have feature.

marcportabellaclotet-mt avatar Jul 19 '24 22:07 marcportabellaclotet-mt

+1, still need this function, as the API /providers/scim_groups/{id}/ does not work.

Ednn0nd1au avatar Aug 15 '24 23:08 Ednn0nd1au

Current functionality: it is ignoring the group selection entirely, but if this were working there would be multiple SCIM providers with different groups attached to the main application. The same hack applies with custom provider mappings: add each provider mapping to the application.

devil1234 avatar Sep 21 '24 14:09 devil1234

This is also problematic for me; being able to pick the groups is common with SCIM implementations.

ryanfaircloth avatar Nov 21 '24 20:11 ryanfaircloth

In case anyone missed it, there is a current workaround for this: https://github.com/goauthentik/authentik/pull/13550#issuecomment-2738062003

rissson avatar Mar 25 '25 14:03 rissson

In case anyone missed it, there is a current workaround for this: #13550 (comment)

Turning this into an example for others... this is apparently what we can do today:

allowed_groups = ["Admins", "Admins2", "www"]  # as in the earlier comment
if group.name not in allowed_groups:
    raise SkipObject  # the group is not provisioned to the target at all

jorhett avatar Mar 25 '25 18:03 jorhett