Elgato_dark/fleet
1
0
Fork 0
mirror of https://github.com/fleetdm/fleet synced 2026-05-24 09:28:54 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 30
fleet/tools/saml/users.php

84 lines
4 KiB
PHP
Raw Normal View History

Set up Cypress testing for Teams/Tiers (#1005) - Update names/roles of users in `make e2e-setup`. - Update test SSO user info. - Add Cypress commands for seeding users/Teams. - Stub Cypress tests for team/tier matrix.
2021-06-09 18:56:59 +00:00
<?php
$config = array(
'admin' => array(
'core:AdminPassword',
),
'example-userpass' => array(
'exampleauth:UserPass',
// username: sso_user
// password: user123#
'sso_user:user123#' => array(
'uid' => array('1'),
'eduPersonAffiliation' => array('group1'),
add back-end implementation for SSO JIT provisioning (#7182) Related to #7053, this uses the SSO config added in #7140 to enable JIT provisioning for premium instances.
2022-08-15 17:42:33 +00:00
'displayname' => array('SSO User 1'),
Set up Cypress testing for Teams/Tiers (#1005) - Update names/roles of users in `make e2e-setup`. - Update test SSO user info. - Add Cypress commands for seeding users/Teams. - Stub Cypress tests for team/tier matrix.
2021-06-09 18:56:59 +00:00
'email' => 'sso_user@example.com',
),
Add multiple users for SSO testing (#2885)
2021-11-10 23:15:41 +00:00
'sso_user2:user123#' => array(
'uid' => array('2'),
'eduPersonAffiliation' => array('group1'),
add back-end implementation for SSO JIT provisioning (#7182) Related to #7053, this uses the SSO config added in #7140 to enable JIT provisioning for premium instances.
2022-08-15 17:42:33 +00:00
'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name' => array('SSO User 2'),
Add multiple users for SSO testing (#2885)
2021-11-10 23:15:41 +00:00
'email' => 'sso_user2@example.com',
),
Allow setting user roles during JIT provisioning (#10193) #8411 PS: I've opened #10209 to solve the issue with Golang Code Coverage CI checks. - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md) - ~[] Documented any permissions changes~ - ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)~ - ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.~ - [X] Added/updated tests - [x] Manual QA for all new/changed functionality - ~For Orbit and Fleet Desktop changes:~ - ~[ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux.~ - ~[ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2023-03-01 23:18:40 +00:00
// sso_user_3_global_admin has FLEET_JIT_USER_ROLE_GLOBAL attribute to be added as global admin.
'sso_user_3_global_admin:user123#' => array(
'uid' => array('3'),
'eduPersonAffiliation' => array('group1'),
'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name' => array('SSO User 3'),
'email' => 'sso_user_3_global_admin@example.com',
'FLEET_JIT_USER_ROLE_GLOBAL' => 'admin',
),
Alias JIT Saml "team" attribute to FLEET_JIT_USER_ROLE_FLEET_<FLEET ID> (#41402) <!-- Add the related story/sub-task/bug number, like Resolves #123, or remove if NA --> **Related issue:** Resolves #40642 # Details This PR adds `FLEET_JIT_USER_ROLE_FLEET_` as an expected Saml attribute alongside `FLEET_JIT_USER_ROLE_TEAM_`. # Checklist for submitter If some of the following don't apply, delete the relevant line. - [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. ## Testing - [X] Added/updated automated tests - [X] QA'd all new/changed functionality manually Tested with SimpleSAML SSO. - [x] Updated `users.php` to use both the new attribute and the old attribute for a user, and was able to log in with that user and see them created using JIT with the correct permissions
2026-03-13 13:34:29 +00:00
// sso_user_4_team_maintainer has FLEET_JIT_USER_ROLE_FLEET_1 attribute to be added as maintainer
Allow setting user roles during JIT provisioning (#10193) #8411 PS: I've opened #10209 to solve the issue with Golang Code Coverage CI checks. - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md) - ~[] Documented any permissions changes~ - ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)~ - ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.~ - [X] Added/updated tests - [x] Manual QA for all new/changed functionality - ~For Orbit and Fleet Desktop changes:~ - ~[ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux.~ - ~[ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2023-03-01 23:18:40 +00:00
// of team with ID 1, its login will fail if team with ID 1 doesn't exist.
Alias JIT Saml "team" attribute to FLEET_JIT_USER_ROLE_FLEET_<FLEET ID> (#41402) <!-- Add the related story/sub-task/bug number, like Resolves #123, or remove if NA --> **Related issue:** Resolves #40642 # Details This PR adds `FLEET_JIT_USER_ROLE_FLEET_` as an expected Saml attribute alongside `FLEET_JIT_USER_ROLE_TEAM_`. # Checklist for submitter If some of the following don't apply, delete the relevant line. - [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. ## Testing - [X] Added/updated automated tests - [X] QA'd all new/changed functionality manually Tested with SimpleSAML SSO. - [x] Updated `users.php` to use both the new attribute and the old attribute for a user, and was able to log in with that user and see them created using JIT with the correct permissions
2026-03-13 13:34:29 +00:00
// It also uses the *older* attribute name to add the user to fleet #2 as an observer.
Allow setting user roles during JIT provisioning (#10193) #8411 PS: I've opened #10209 to solve the issue with Golang Code Coverage CI checks. - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md) - ~[] Documented any permissions changes~ - ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)~ - ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.~ - [X] Added/updated tests - [x] Manual QA for all new/changed functionality - ~For Orbit and Fleet Desktop changes:~ - ~[ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux.~ - ~[ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2023-03-01 23:18:40 +00:00
'sso_user_4_team_maintainer:user123#' => array(
'uid' => array('4'),
'eduPersonAffiliation' => array('group1'),
'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name' => array('SSO User 4'),
'email' => 'sso_user_4_team_maintainer@example.com',
Alias JIT Saml "team" attribute to FLEET_JIT_USER_ROLE_FLEET_<FLEET ID> (#41402) <!-- Add the related story/sub-task/bug number, like Resolves #123, or remove if NA --> **Related issue:** Resolves #40642 # Details This PR adds `FLEET_JIT_USER_ROLE_FLEET_` as an expected Saml attribute alongside `FLEET_JIT_USER_ROLE_TEAM_`. # Checklist for submitter If some of the following don't apply, delete the relevant line. - [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. ## Testing - [X] Added/updated automated tests - [X] QA'd all new/changed functionality manually Tested with SimpleSAML SSO. - [x] Updated `users.php` to use both the new attribute and the old attribute for a user, and was able to log in with that user and see them created using JIT with the correct permissions
2026-03-13 13:34:29 +00:00
'FLEET_JIT_USER_ROLE_FLEET_1' => 'maintainer',
'FLEET_JIT_USER_ROLE_TEAM_2' => 'observer',
Allow setting user roles during JIT provisioning (#10193) #8411 PS: I've opened #10209 to solve the issue with Golang Code Coverage CI checks. - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md) - ~[] Documented any permissions changes~ - ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)~ - ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.~ - [X] Added/updated tests - [x] Manual QA for all new/changed functionality - ~For Orbit and Fleet Desktop changes:~ - ~[ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux.~ - ~[ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2023-03-01 23:18:40 +00:00
),
Accept and ignore SSO role attributes with null value (#11959) #10878 - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md)~ - ~[ ] Documented any permissions changes~ - ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)~ - ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.~ - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - ~For Orbit and Fleet Desktop changes:~ - ~[ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux.~ - ~[ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2023-05-30 19:57:03 +00:00
// sso_user_5_team_admin has FLEET_JIT_USER_ROLE_TEAM_1 attribute to be added as admin
// of team with ID 1, its login will fail if team with ID 1 doesn't exist.
Alias JIT Saml "team" attribute to FLEET_JIT_USER_ROLE_FLEET_<FLEET ID> (#41402) <!-- Add the related story/sub-task/bug number, like Resolves #123, or remove if NA --> **Related issue:** Resolves #40642 # Details This PR adds `FLEET_JIT_USER_ROLE_FLEET_` as an expected Saml attribute alongside `FLEET_JIT_USER_ROLE_TEAM_`. # Checklist for submitter If some of the following don't apply, delete the relevant line. - [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. ## Testing - [X] Added/updated automated tests - [X] QA'd all new/changed functionality manually Tested with SimpleSAML SSO. - [x] Updated `users.php` to use both the new attribute and the old attribute for a user, and was able to log in with that user and see them created using JIT with the correct permissions
2026-03-13 13:34:29 +00:00
// It also sets FLEET_JIT_USER_ROLE_GLOBAL and FLEET_JIT_USER_ROLE_FLEET_2 to `null` which means
Accept and ignore SSO role attributes with null value (#11959) #10878 - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md)~ - ~[ ] Documented any permissions changes~ - ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)~ - ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.~ - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - ~For Orbit and Fleet Desktop changes:~ - ~[ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux.~ - ~[ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2023-05-30 19:57:03 +00:00
// Fleet will ignore such fields.
'sso_user_5_team_admin:user123#' => array(
'uid' => array('5'),
'eduPersonAffiliation' => array('group1'),
'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name' => array('SSO User 5'),
'email' => 'sso_user_5_team_admin@example.com',
'FLEET_JIT_USER_ROLE_TEAM_1' => 'admin',
'FLEET_JIT_USER_ROLE_GLOBAL' => 'null',
Alias JIT Saml "team" attribute to FLEET_JIT_USER_ROLE_FLEET_<FLEET ID> (#41402) <!-- Add the related story/sub-task/bug number, like Resolves #123, or remove if NA --> **Related issue:** Resolves #40642 # Details This PR adds `FLEET_JIT_USER_ROLE_FLEET_` as an expected Saml attribute alongside `FLEET_JIT_USER_ROLE_TEAM_`. # Checklist for submitter If some of the following don't apply, delete the relevant line. - [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. ## Testing - [X] Added/updated automated tests - [X] QA'd all new/changed functionality manually Tested with SimpleSAML SSO. - [x] Updated `users.php` to use both the new attribute and the old attribute for a user, and was able to log in with that user and see them created using JIT with the correct permissions
2026-03-13 13:34:29 +00:00
'FLEET_JIT_USER_ROLE_FLEET_2' => 'null',
Accept and ignore SSO role attributes with null value (#11959) #10878 - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md)~ - ~[ ] Documented any permissions changes~ - ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)~ - ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.~ - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - ~For Orbit and Fleet Desktop changes:~ - ~[ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux.~ - ~[ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2023-05-30 19:57:03 +00:00
),
// sso_user_6_global_observer has all FLEET_JIT_USER_ROLE_* attributes set to null, so it
// will be added as global observer (default).
'sso_user_6_global_observer:user123#' => array(
'uid' => array('6'),
'eduPersonAffiliation' => array('group1'),
'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name' => array('SSO User 6'),
'email' => 'sso_user_6_global_observer@example.com',
'FLEET_JIT_USER_ROLE_GLOBAL' => 'null',
Alias JIT Saml "team" attribute to FLEET_JIT_USER_ROLE_FLEET_<FLEET ID> (#41402) <!-- Add the related story/sub-task/bug number, like Resolves #123, or remove if NA --> **Related issue:** Resolves #40642 # Details This PR adds `FLEET_JIT_USER_ROLE_FLEET_` as an expected Saml attribute alongside `FLEET_JIT_USER_ROLE_TEAM_`. # Checklist for submitter If some of the following don't apply, delete the relevant line. - [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. ## Testing - [X] Added/updated automated tests - [X] QA'd all new/changed functionality manually Tested with SimpleSAML SSO. - [x] Updated `users.php` to use both the new attribute and the old attribute for a user, and was able to log in with that user and see them created using JIT with the correct permissions
2026-03-13 13:34:29 +00:00
'FLEET_JIT_USER_ROLE_FLEET_1' => 'null',
Accept and ignore SSO role attributes with null value (#11959) #10878 - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md)~ - ~[ ] Documented any permissions changes~ - ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)~ - ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.~ - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - ~For Orbit and Fleet Desktop changes:~ - ~[ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux.~ - ~[ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2023-05-30 19:57:03 +00:00
),
SCIM + host integration (#27880) For #27284 This PR: - Adds SCIM as a fallback for username during macOS end user authentication during setup experience - Adds SCIM/endUsers details to host details # Checklist for submitter - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information. - [x] Added/updated automated tests - [x] A detailed QA plan exists on the associated ticket (if it isn't there, work with the product group's QA engineer to add it) - [x] Manual QA for all new/changed functionality
2025-04-08 14:35:06 +00:00
// sso_user_no_displayname does not have a displayName/fullName
'sso_user_no_displayname:user123#' => array(
'uid' => array('7'),
'eduPersonAffiliation' => array('group1'),
'email' => 'sso_user_no_displayname@example.com',
),
Enable JIT provisioning for Technician role (#41286) <!-- Add the related story/sub-task/bug number, like Resolves #123, or remove if NA --> **Related issue:** Resolves #41242 # Checklist for submitter - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. ## Testing - [x] Added/updated automated tests - [x] QA'd all new/changed functionality manually Configured SAML app in Okta following https://fleetdm.com/docs/deploy/single-sign-on-sso#okta (needs update): <img width="1069" height="790" alt="Screenshot 2026-03-10 at 9 10 05 AM" src="https://github.com/user-attachments/assets/7a160599-524e-4118-922b-5f9b601129eb" /> Defined a Custom SAML Attribute Statement following https://support.okta.com/help/s/article/How-to-define-and-configure-a-custom-SAML-attribute-statement?language=en_US. This is to add `FLEET_JIT_USER_ROLE_GLOBAL` to the default User profile. <img width="2536" height="1299" alt="Screenshot 2026-03-10 at 9 22 03 AM" src="https://github.com/user-attachments/assets/68193815-4abd-4a3b-9e95-147b1b3105d3" /> Within the new Okta app > Sign On tab, added this expression: <img width="765" height="444" alt="Screenshot 2026-03-10 at 9 35 41 AM" src="https://github.com/user-attachments/assets/40073cfc-931c-492e-bd5f-e8e89434b107" /> Within Okta, added a new user in Directory > People and assigned it to the new Okta app. <img width="1050" height="515" alt="Screenshot 2026-03-10 at 9 36 14 AM" src="https://github.com/user-attachments/assets/1b0a2847-208a-4251-8d9c-6bd0cba33d13" /> Logged in to fleet with the new user via SSO and verified its role is Technician: <img width="714" height="507" alt="Screenshot 2026-03-10 at 9 32 15 AM" src="https://github.com/user-attachments/assets/cf44d99c-78bc-4d7c-9f46-5c25fc745778" /> <img width="1356" height="339" alt="Screenshot 2026-03-10 at 9 37 11 AM" src="https://github.com/user-attachments/assets/baa028cb-6b3b-4c9b-b02e-ac2e16ec9262" /> For unreleased bug fixes in a release candidate, one of: - [x] Confirmed that the fix is not expected to adversely impact load test results - [ ] Alerted the release DRI if additional load testing is needed Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-10 13:15:01 +00:00
// sso_user_8_global_technician has FLEET_JIT_USER_ROLE_GLOBAL attribute to be added as global technician.
'sso_user_8_global_technician:user123#' => array(
'uid' => array('8'),
'eduPersonAffiliation' => array('group1'),
'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name' => array('SSO User 8'),
'email' => 'sso_user_8_global_technician@example.com',
'FLEET_JIT_USER_ROLE_GLOBAL' => 'technician',
),
Set up Cypress testing for Teams/Tiers (#1005) - Update names/roles of users in `make e2e-setup`. - Update test SSO user info. - Add Cypress commands for seeding users/Teams. - Stub Cypress tests for team/tier matrix.
2021-06-09 18:56:59 +00:00
),
);
Reference in a new issue Copy permalink