Elgato_dark/fleet
1
0
Fork 0
mirror of https://github.com/fleetdm/fleet synced 2026-04-21 21:47:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 117
fleet/tools/saml/users.php
Scott Gress 2d4e72ac7a
Alias JIT Saml "team" attribute to FLEET_JIT_USER_ROLE_FLEET_<FLEET ID> (#41402) 
<!-- Add the related story/sub-task/bug number, like Resolves #123, or
remove if NA -->
**Related issue:** Resolves #40642 

# Details

This PR adds `FLEET_JIT_USER_ROLE_FLEET_` as an expected Saml attribute
alongside `FLEET_JIT_USER_ROLE_TEAM_`.

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.

## Testing

- [X] Added/updated automated tests
- [X] QA'd all new/changed functionality manually
Tested with SimpleSAML SSO. 
- [x] Updated `users.php` to use both the new attribute and the old
attribute for a user, and was able to log in with that user and see them
created using JIT with the correct permissions
2026-03-13 08:34:29 -05:00

83 lines
4 KiB
PHP
Raw Blame History

<?php
$config = array(
'admin' => array(
'core:AdminPassword',
),
'example-userpass' => array(
'exampleauth:UserPass',
// username: sso_user
// password: user123#
'sso_user:user123#' => array(
'uid' => array('1'),
'eduPersonAffiliation' => array('group1'),
'displayname' => array('SSO User 1'),
'email' => 'sso_user@example.com',
),
'sso_user2:user123#' => array(
'uid' => array('2'),
'eduPersonAffiliation' => array('group1'),
'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name' => array('SSO User 2'),
'email' => 'sso_user2@example.com',
),
// sso_user_3_global_admin has FLEET_JIT_USER_ROLE_GLOBAL attribute to be added as global admin.
'sso_user_3_global_admin:user123#' => array(
'uid' => array('3'),
'eduPersonAffiliation' => array('group1'),
'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name' => array('SSO User 3'),
'email' => 'sso_user_3_global_admin@example.com',
'FLEET_JIT_USER_ROLE_GLOBAL' => 'admin',
),
// sso_user_4_team_maintainer has FLEET_JIT_USER_ROLE_FLEET_1 attribute to be added as maintainer
// of team with ID 1, its login will fail if team with ID 1 doesn't exist.
// It also uses the *older* attribute name to add the user to fleet #2 as an observer.
'sso_user_4_team_maintainer:user123#' => array(
'uid' => array('4'),
'eduPersonAffiliation' => array('group1'),
'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name' => array('SSO User 4'),
'email' => 'sso_user_4_team_maintainer@example.com',
'FLEET_JIT_USER_ROLE_FLEET_1' => 'maintainer',
'FLEET_JIT_USER_ROLE_TEAM_2' => 'observer',
),
// sso_user_5_team_admin has FLEET_JIT_USER_ROLE_TEAM_1 attribute to be added as admin
// of team with ID 1, its login will fail if team with ID 1 doesn't exist.
// It also sets FLEET_JIT_USER_ROLE_GLOBAL and FLEET_JIT_USER_ROLE_FLEET_2 to `null` which means
// Fleet will ignore such fields.
'sso_user_5_team_admin:user123#' => array(
'uid' => array('5'),
'eduPersonAffiliation' => array('group1'),
'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name' => array('SSO User 5'),
'email' => 'sso_user_5_team_admin@example.com',
'FLEET_JIT_USER_ROLE_TEAM_1' => 'admin',
'FLEET_JIT_USER_ROLE_GLOBAL' => 'null',
'FLEET_JIT_USER_ROLE_FLEET_2' => 'null',
),
// sso_user_6_global_observer has all FLEET_JIT_USER_ROLE_* attributes set to null, so it
// will be added as global observer (default).
'sso_user_6_global_observer:user123#' => array(
'uid' => array('6'),
'eduPersonAffiliation' => array('group1'),
'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name' => array('SSO User 6'),
'email' => 'sso_user_6_global_observer@example.com',
'FLEET_JIT_USER_ROLE_GLOBAL' => 'null',
'FLEET_JIT_USER_ROLE_FLEET_1' => 'null',
),
// sso_user_no_displayname does not have a displayName/fullName
'sso_user_no_displayname:user123#' => array(
'uid' => array('7'),
'eduPersonAffiliation' => array('group1'),
'email' => 'sso_user_no_displayname@example.com',
),
// sso_user_8_global_technician has FLEET_JIT_USER_ROLE_GLOBAL attribute to be added as global technician.
'sso_user_8_global_technician:user123#' => array(
'uid' => array('8'),
'eduPersonAffiliation' => array('group1'),
'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name' => array('SSO User 8'),
'email' => 'sso_user_8_global_technician@example.com',
'FLEET_JIT_USER_ROLE_GLOBAL' => 'technician',
),
),
);
Reference in a new issue View git blame Copy permalink