Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Allows to customize SAML attributes #1344

Open
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

mclegrand
Copy link

Context

As an admin trying to provide grist to people in my department, I do not control the institutional IdP response and would still like to directly use SAML login. Currently, the NameID mechanism for uid is fairly standard, but there is a variety of possible names for firstname, sn, and mail in various IdP, which are not used in saml2-js. saml2-js is currently in "maintenance mode" and does not seem to use env variables to determine custom attribute names (but exposes them all in user.attributes).

Proposed solution

Adds three environment variables:
 - GRIST_SAML_ATTR_FIRSTNAME
 - GRIST_SAML_ATTR_LASTNAME
 - GRIST_SAML_ATTR_EMAIL

so that the attributes coming from the IdP can be customized.

This allows from a variety of IdP to be used directly, including ones from educational institution with urn:oid (direct or aliased)

This would allow me to just add the variables with actual values from my IdP into the container env variables.

Has this been tested?

  • 👍 yes, I added tests to the test suite
  • 💭 no, because this PR is a draft and still needs work
  • 🙅 no, because this is not relevant here
  • 🙋 no, because I need help

I am not sure how to generate a local grist-oss docker image from the repo (I currently run docker run -d -p 8484:8484 -v ~/grist:/persist --env-file ~/grist/grist.env gristlabs/grist-oss).

Copy link
Collaborator

@fflorent fflorent left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Lgtm.

I don't have the rights to merge. Also I would normally need to setup an environment with SAML.

Would it help you if I do that @dsagal (or anyone from GristLabs)? Or you have everything in place and would like to do that yourself?

app/server/lib/SamlConfig.ts Outdated Show resolved Hide resolved
Copy link
Member

@dsagal dsagal left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks good. Unfortunately we don't have a good way to test SAML. @fflorent, if you are willing to set up an environment with SAML to test this with, it would indeed be very helpful.

app/server/lib/SamlConfig.ts Outdated Show resolved Hide resolved
@mclegrand
Copy link
Author

This looks good. Unfortunately we don't have a good way to test SAML. @fflorent, if you are willing to set up an environment with SAML to test this with, it would indeed be very helpful.

I can probably test it with my instance, but I'll just need some pointer on how to build a local grist-oss image from the repo

@mclegrand mclegrand reopened this Dec 19, 2024
@mclegrand mclegrand force-pushed the main branch 2 times, most recently from dc45f63 to a8dd567 Compare December 19, 2024 14:31
Adds three environment variables:
 - GRIST_SAML_ATTR_FIRSTNAME
 - GRIST_SAML_ATTR_LASTNAME
 - GRIST_SAML_ATTR_EMAIL

so that the attributes coming from the IdP can be customized.

This allows from a variety of IdP to be used directly, including
ones from educational institution with urn:oid (direct or aliased)
const fnameAttribute = process.env.GRIST_SAML_ATTR_FIRSTNAME || '';
const lnameAttribute = process.env.GRIST_SAML_ATTR_LASTNAME || '';
const emailAttribute = process.env.GRIST_SAML_ATTR_EMAIL || '';
const fname = samlUser.attributes[fnameAttribute] ||
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's definitely not lookup the key if the key is falsy. Otherwise, it actually could have a matching key in attributes and the value could be non-falsy. It would be weird to have one, but the kind of weirdness that can lead to exploits.

const lnameAttribute = process.env.GRIST_SAML_ATTR_LASTNAME || '';
const emailAttribute = process.env.GRIST_SAML_ATTR_EMAIL || '';
const fname = samlUser.attributes[fnameAttribute] ||
samlUser.given_name || samlUser.attributes.FirstName || '';
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Related question: if you set a variable like GRIST_SAML_ATTR_FIRSTNAME, would you expect the just that attribute would get used? If that attribute is empty, would you want it to fall back to looking at other attributes, or just use the empty value?

Copy link
Author

@mclegrand mclegrand Dec 19, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess in theory "do not fallback" would make sense if the value is returned and returned empty, but I can't think of a case where the fallback values would also exist and differ (I have never seen an empty string saml response value)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants