Open mcbmoreno opened 3 years ago
Hi @mcbmoreno,
Have you setup matching groups in BookStack?
You can try setting SAML2_DUMP_USER_DETAILS=true in your .env file and see if you're getting the expected group values on the expected attribute from Google.
This is the output when SAML2_DUMP_USER_DETAILS=true was added. Looks like it isn't passing groups?
{"id_from_idp":"jsmith@domain.com","attrs_from_idp":[],"attrs_after_parsing":{"external_id":"jsmith@domain.com","name":"jsmith@domain.com","email":"jsmith@domain.com","saml_id":"jsmith@domain.com"}}
@mcbmoreno Looks like it.
I have no idea what configuration is available in Gsuite for this. This is probably the closest similar case I could quickly find: https://www.dynatrace.com/support/help/how-to-use-dynatrace/user-management-and-sso/manage-users-and-groups-with-saml/saml-gsuite/
Went a different route. In the Google Admin console when setting up the SAML connection you can choose some additional attributes to send. Groups was not one of them but Department is. Set SAML2_GROUP_ATTRIBUTE="department" in .env and if the value in the department matches the same name as a role in Bookstack everything applies fine.
Question though, say someone is a member of 2 departments so the department is passed via SAML as "IT,Staff". Is there a format that value can be passed in that BookStack will identify as two separate values and place the user in both the IT role and the Staff role? I tried so far passing the value as "IT, Staff" and "IT; Staff" but neither worked.
BookStack does support multiple SAML2 groups but it expects them as an array of group names; I'm not sure on the exact raw format but I'd guess you could not emulate it like so.
You can set multiple comma-separated values in the "External Authentication ID" field of the role in BookStack. Therefore you could always do something hacky like have combined values listed in there. For example, for a "Staff" BookStack role:
Staff,IT; Staff,Admins; IT; Staff;
Of course not great to manage but a potential solution if there's only a few groups at play.
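As an added illustration (not BookStack's own code), the following models the role matching described in this thread: each role carries a comma-separated "External Authentication ID" list, and a user receives a role when any value the IdP sent matches one of those entries. It shows why a single "IT; Staff" string matches nothing against plain "IT" and "Staff" roles, why a real array of group names matches both, and how the combined-value workaround above makes the single string land the user in both roles. Exact matching after trimming whitespace is an assumption about BookStack's behaviour; the role names and group values are constructed sample data.

```python
"""Illustration of matching IdP group values against a role's comma-separated
"External Authentication ID" list. This is an added example, not BookStack code;
exact match after trimming is an assumption about how BookStack compares values."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Role:
    name: str
    external_auth_ids: str  # comma-separated, as typed into the BookStack role form


def parse_external_ids(raw: str) -> set[str]:
    """Split the comma-separated field into the individual accepted values.

    Only the comma is a separator, so a combined entry such as "IT; Staff" is kept
    intact as one accepted value (the workaround from the thread relies on this).
    """
    return {part.strip() for part in raw.split(",") if part.strip()}


def roles_for_groups(idp_groups: list[str], roles: list[Role]) -> set[str]:
    """Return the names of roles whose accepted values intersect the group values
    the IdP sent. No splitting of an individual group value on ';' happens, which
    is why "IT; Staff" sent as one string only matches a role that lists exactly
    that combined string (assumed behaviour)."""
    wanted = {g.strip() for g in idp_groups}
    return {r.name for r in roles if parse_external_ids(r.external_auth_ids) & wanted}


# Constructed sample roles: plain one-value-per-role setup.
PLAIN_ROLES = [
    Role("IT", "IT"),
    Role("Staff", "Staff"),
    Role("Admins", "Admins"),
]

# Constructed sample roles using the combined-value workaround: every combination the
# IdP might send as a single string is listed on each role it should grant.
COMBINED_ROLES = [
    Role("Staff", "Staff,IT; Staff,Admins; IT; Staff"),
    Role("IT", "IT,IT; Staff,Admins; IT; Staff"),
    Role("Admins", "Admins,Admins; IT; Staff"),
]


def main() -> None:
    # A real array of group names matches each role directly.
    print(roles_for_groups(["IT", "Staff"], PLAIN_ROLES))        # {'IT', 'Staff'}
    # One combined string matches nothing against plain roles...
    print(roles_for_groups(["IT; Staff"], PLAIN_ROLES))          # set()
    # ...but matches both roles once the combined value is listed on each.
    print(roles_for_groups(["IT; Staff"], COMBINED_ROLES))       # {'IT', 'Staff'}


if __name__ == "__main__":
    main()
```

The cost of the workaround is visible in COMBINED_ROLES: every role must enumerate every combined string it should accept, so the lists grow with the number of possible department combinations rather than with the number of roles.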
I think that will work, but it looks like the External Authentication ID field (Settings > Roles > select role) is not available when LDAP is not enabled?
@mcbmoreno Should also show when SAML auth is active.
Hello, we have the same problem using lemonldap: the groups field parsed by BookStack shows an array with a single string of groups separated by ";". Is there a specific separator to use or a config available to tell BookStack to split that string?
@bendem No way right now
Hello, running BookStack version 0.30.2.
I just successfully setup SAML via our GSuite domain but Bookstack isn't recognizing any GSuite groups so users do not get a role applied to their account when logging in.
Here are my SAML .env values:
AUTH_METHOD=saml2
SAML2_NAME=Google
SAML2_EMAIL_ATTRIBUTE=email
SAML2_EXTERNAL_ID_ATTRIBUTE=uid
SAML2_DISPLAY_NAME_ATTRIBUTES="firstName|lastName"
SAML2_IDP_ENTITYID="https://accounts.google.com/o/saml2?idpid=C"
SAML2_AUTOLOAD_METADATA=false
SAML2_IDP_SSO="https://accounts.google.com/o/saml2/idp?idpid=C"
SAML2_IDP_SLO="https://accounts.google.com/logout"
SAML2_IDP_x509="-----BEGIN CERTIFICATE----- -----END CERTIFICATE-----
SAML2_USER_TO_GROUPS=true
SAML2_GROUP_ATTRIBUTE=groups
SAML2_REMOVE_FROM_GROUPS=true
Any ideas on how to get Bookstack to recognize GSuite groups?
Thanks.