-
-
Notifications
You must be signed in to change notification settings - Fork 335
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allows to customize SAML attributes #1344
base: main
Are you sure you want to change the base?
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Lgtm.
I don't have the rights to merge. Also I would normally need to setup an environment with SAML.
Would it help you if I do that @dsagal (or anyone from GristLabs)? Or you have everything in place and would like to do that yourself?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks good. Unfortunately we don't have a good way to test SAML. @fflorent, if you are willing to set up an environment with SAML to test this with, it would indeed be very helpful.
I can probably test it with my instance, but I'll just need some pointer on how to build a local |
dc45f63
to
a8dd567
Compare
Adds three environment variables: - GRIST_SAML_ATTR_FIRSTNAME - GRIST_SAML_ATTR_LASTNAME - GRIST_SAML_ATTR_EMAIL so that the attributes coming from the IdP can be customized. This allows from a variety of IdP to be used directly, including ones from educational institution with urn:oid (direct or aliased)
const fnameAttribute = process.env.GRIST_SAML_ATTR_FIRSTNAME || ''; | ||
const lnameAttribute = process.env.GRIST_SAML_ATTR_LASTNAME || ''; | ||
const emailAttribute = process.env.GRIST_SAML_ATTR_EMAIL || ''; | ||
const fname = samlUser.attributes[fnameAttribute] || |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Let's definitely not lookup the key if the key is falsy. Otherwise, it actually could have a matching key in attributes
and the value could be non-falsy. It would be weird to have one, but the kind of weirdness that can lead to exploits.
const lnameAttribute = process.env.GRIST_SAML_ATTR_LASTNAME || ''; | ||
const emailAttribute = process.env.GRIST_SAML_ATTR_EMAIL || ''; | ||
const fname = samlUser.attributes[fnameAttribute] || | ||
samlUser.given_name || samlUser.attributes.FirstName || ''; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Related question: if you set a variable like GRIST_SAML_ATTR_FIRSTNAME
, would you expect the just that attribute would get used? If that attribute is empty, would you want it to fall back to looking at other attributes, or just use the empty value?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I guess in theory "do not fallback" would make sense if the value is returned and returned empty, but I can't think of a case where the fallback values would also exist and differ (I have never seen an empty string saml response value)
Context
As an admin trying to provide grist to people in my department, I do not control the institutional IdP response and would still like to directly use SAML login. Currently, the NameID mechanism for uid is fairly standard, but there is a variety of possible names for firstname, sn, and mail in various IdP, which are not used in saml2-js. saml2-js is currently in "maintenance mode" and does not seem to use env variables to determine custom attribute names (but exposes them all in user.attributes).
Proposed solution
This would allow me to just add the variables with actual values from my IdP into the container env variables.
Has this been tested?