
Implement proper group mapping via SAML

Open Ma27 opened this issue 3 years ago • 2 comments

Fixes #561

As stated in the issue, it's not desirable to have a group called admin in the SAML backend which doesn't indicate to which service admin permissions are granted.

This is orthogonal to saml-attribute-mapping-group_mapping which simply maps all groups from a SAML attribute to Nextcloud groups, i.e. the attribute's value MUST contain a group called admin to make sure that users get admin rights in Nextcloud.

When enabled, the name of (another) attribute must be specified which contains a list of SAML-specific groups, e.g.

["nextcloud-admins", "nextcloud-marketing"]

that can be mapped to e.g.

["admin", "marketing"]

cc @jgallucci32, @kevinmccurdybrd, @blizzz

Ma27 avatar Sep 23 '22 08:09 Ma27
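To make the distinction in the description concrete, here is an added illustration (not code from the user_saml project or from this PR): a plain attribute-to-group mapping, where a SAML group literally named `admin` grants Nextcloud admin rights, next to an explicit mapping table in which only SAML groups listed in the table turn into Nextcloud groups. The attribute name `groups`, the sample assertion values and the mapping table are all constructed for this example.

```python
"""Added example: resolving Nextcloud groups from a SAML attribute.

Two strategies are shown side by side:
  * plain_group_mapping: every attribute value becomes a Nextcloud group verbatim,
    so the IdP must emit a group literally called 'admin' to grant admin rights;
  * mapped_groups: an explicit SAML-group -> Nextcloud-group table decides, so a
    SAML group named 'admin' grants nothing unless the table says so.
Names, attribute values and the mapping are constructed for illustration.
"""
from typing import Dict, List, Mapping, Sequence, Union

# Constructed sample: a decoded SAML attribute statement, attribute name -> values.
SAMPLE_ATTRIBUTES: Dict[str, Union[str, Sequence[str]]] = {
    "mail": "alice@example.org",  # hypothetical single-valued attribute
    "groups": ["nextcloud-admins", "nextcloud-marketing", "hr"],
}

# Constructed sample: service-specific SAML groups mapped to Nextcloud groups.
SAMPLE_MAPPING: Dict[str, str] = {
    "nextcloud-admins": "admin",
    "nextcloud-marketing": "marketing",
}


def _values(attributes: Mapping[str, Union[str, Sequence[str]]], name: str) -> List[str]:
    """Return the attribute's values as a list; SAML attributes may carry one
    value or many, and a missing attribute yields no groups at all."""
    raw = attributes.get(name, [])
    if isinstance(raw, str):
        return [raw]
    return list(raw)


def plain_group_mapping(attributes: Mapping[str, Union[str, Sequence[str]]],
                        attribute_name: str) -> List[str]:
    """Plain mapping: attribute values are taken verbatim as Nextcloud group names.
    Whoever controls the IdP's group attribute can hand out 'admin' directly."""
    groups: List[str] = []
    for value in _values(attributes, attribute_name):
        if value not in groups:
            groups.append(value)
    return groups


def mapped_groups(attributes: Mapping[str, Union[str, Sequence[str]]],
                  attribute_name: str,
                  mapping: Mapping[str, str],
                  *,
                  allow_unmapped: bool = False) -> List[str]:
    """Explicit mapping: only SAML groups present in `mapping` become Nextcloud
    groups. Unmapped SAML groups are dropped unless allow_unmapped is set, in
    which case they pass through verbatim (the plain behaviour, kept only for
    groups the table does not cover)."""
    groups: List[str] = []
    for saml_group in _values(attributes, attribute_name):
        target = mapping.get(saml_group)
        if target is None:
            if not allow_unmapped:
                continue
            target = saml_group
        if target not in groups:
            groups.append(target)
    return groups


if __name__ == "__main__":
    print("plain :", plain_group_mapping(SAMPLE_ATTRIBUTES, "groups"))
    print("mapped:", mapped_groups(SAMPLE_ATTRIBUTES, "groups", SAMPLE_MAPPING))
    # An IdP-side group literally called 'admin' grants nothing under the mapping.
    print("spoof :", mapped_groups({"groups": ["admin"]}, "groups", SAMPLE_MAPPING))
```

With `allow_unmapped=False` (the default) the `hr` group and a stray IdP group named `admin` both disappear, which is the property the PR description is after: admin rights in Nextcloud follow only from a SAML group the operator deliberately mapped to `admin`.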

Did you see https://github.com/nextcloud/user_saml/pull/545 which is in development?

blizzz avatar Sep 23 '22 10:09 blizzz

OK interesting, this wasn't referenced in #561. What I'm wondering is: why do you have separate groups for SAML and non-SAML? IIRC most applications have a simple mapping between users from $directory and existing groups (or newly created ones) which is what my solution does (in a more simple fashion and without any migration steps).

Would be interested in knowing the use-case behind that, though :)

Ma27 avatar Sep 26 '22 18:09 Ma27

Closing due to lack of interest.

Ma27 avatar Nov 26 '23 00:11 Ma27