providers/scim: add option to ignore SCIM server cert (#11437)

Signed-off-by: Jens Langhammer <[email protected]>
goauthentik · Oct 14, 2024 · 075944a · 075944a
1 parent eb98af4
commit 075944a
Show file tree

Hide file tree

Showing 7 changed files with 48 additions and 0 deletions.
diff --git a/authentik/providers/scim/api/providers.py b/authentik/providers/scim/api/providers.py
@@ -26,6 +26,7 @@ class Meta:
             "verbose_name_plural",
             "meta_model_name",
             "url",
+            "verify_certificates",
             "token",
             "exclude_users_service_account",
             "filter_group",

diff --git a/authentik/providers/scim/clients/base.py b/authentik/providers/scim/clients/base.py
@@ -42,6 +42,7 @@ class SCIMClient[TModel: "Model", TConnection: "Model", TSchema: "BaseModel"](
     def __init__(self, provider: SCIMProvider):
         super().__init__(provider)
         self._session = get_http_session()
+        self._session.verify = provider.verify_certificates
         self.provider = provider
         # Remove trailing slashes as we assume the URL doesn't have any
         base_url = provider.url

diff --git a/authentik/providers/scim/migrations/0010_scimprovider_verify_certificates.py b/authentik/providers/scim/migrations/0010_scimprovider_verify_certificates.py
@@ -0,0 +1,18 @@
+# Generated by Django 5.0.9 on 2024-09-19 14:02
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_providers_scim", "0009_alter_scimmapping_options"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="scimprovider",
+            name="verify_certificates",
+            field=models.BooleanField(default=True),
+        ),
+    ]
diff --git a/authentik/providers/scim/models.py b/authentik/providers/scim/models.py
@@ -68,6 +68,7 @@ class SCIMProvider(OutgoingSyncProvider, BackchannelProvider):
 
     url = models.TextField(help_text=_("Base URL to SCIM requests, usually ends in /v2"))
     token = models.TextField(help_text=_("Authentication token"))
+    verify_certificates = models.BooleanField(default=True)
 
     property_mappings_group = models.ManyToManyField(
         PropertyMapping,

diff --git a/blueprints/schema.json b/blueprints/schema.json
@@ -5956,6 +5956,10 @@
                     "title": "Url",
                     "description": "Base URL to SCIM requests, usually ends in /v2"
                 },
+                "verify_certificates": {
+                    "type": "boolean",
+                    "title": "Verify certificates"
+                },
                 "token": {
                     "type": "string",
                     "minLength": 1,

diff --git a/schema.yml b/schema.yml
@@ -47257,6 +47257,8 @@ components:
           type: string
           minLength: 1
           description: Base URL to SCIM requests, usually ends in /v2
+        verify_certificates:
+          type: boolean
         token:
           type: string
           minLength: 1
@@ -50479,6 +50481,8 @@ components:
         url:
           type: string
           description: Base URL to SCIM requests, usually ends in /v2
+        verify_certificates:
+          type: boolean
         token:
           type: string
           description: Authentication token
@@ -50562,6 +50566,8 @@ components:
           type: string
           minLength: 1
           description: Base URL to SCIM requests, usually ends in /v2
+        verify_certificates:
+          type: boolean
         token:
           type: string
           minLength: 1

diff --git a/web/src/admin/providers/scim/SCIMProviderForm.ts b/web/src/admin/providers/scim/SCIMProviderForm.ts
@@ -90,6 +90,23 @@ export class SCIMProviderFormPage extends BaseProviderForm<SCIMProvider> {
                             ${msg("SCIM base url, usually ends in /v2.")}
                         </p>
                     </ak-form-element-horizontal>
+                    <ak-form-element-horizontal name="verifyCertificates">
+                        <label class="pf-c-switch">
+                            <input
+                                class="pf-c-switch__input"
+                                type="checkbox"
+                                ?checked=${first(this.instance?.verifyCertificates, true)}
+                            />
+                            <span class="pf-c-switch__toggle">
+                                <span class="pf-c-switch__toggle-icon">
+                                    <i class="fas fa-check" aria-hidden="true"></i>
+                                </span>
+                            </span>
+                            <span class="pf-c-switch__label"
+                                >${msg("Verify SCIM server's certificates")}</span
+                            >
+                        </label>
+                    </ak-form-element-horizontal>
                     <ak-form-element-horizontal
                         label=${msg("Token")}
                         ?required=${true}