Timshel / vaultwarden

Fork from dani-garcia/vaultwarden to add OpenID support.
GNU Affero General Public License v3.0

SSO and Organization Group Mapping #64

Closed michael-harman closed 3 months ago

michael-harman commented 3 months ago

Hi Tim,

I think I finally have a question that I won't magically figure out 1 hour after I leave a ticket...

Basically I am trying to get Group/Organization invitation mapping working with Keycloak. I have a decent-sized user DB being imported into Keycloak from an LDAP server (this part works fine). Where I am running into trouble is mapping those user groups to organization UUIDs and having them become members when they first sign in and create a vaultwarden account.

I have implemented this config as per your instructions:

Organization Mapping and Invitation

SSO_ORGANIZATIONS_INVIT=true
SSO_ORGANIZATIONS_TOKEN_PATH=/groups
SSO_ORGANIZATIONS_ALL_COLLECTIONS=true
SSO_ORGANIZATIONS_ID_MAPPING="admins:f0c75cc2-fc39-42b5-a0d2-1f6b3464d662;"

My Keycloak configuration should be appending the group information to the token, as I have configured it to do so in the client scope mapper.

I am seeing no errors in the logs and the debug information doesn't show anything regarding the organization to group mapping.

Any advice would be appreciated, thanks!

michael-harman commented 3 months ago

[2024-06-07 02:08:35.131][vaultwarden::sso][INFO] Invitation to admins organization sent to myuser@myemail.com

Looks like it's related to #48

I just have to manually confirm the person joining the organization.

Timshel commented 3 months ago

Hey,

I think you reversed the mapping and it should be: SSO_ORGANIZATIONS_ID_MAPPING="f0c75cc2-fc39-42b5-a0d2-1f6b3464d662:admins"

michael-harman commented 3 months ago

Should I be able to map multiple organizations and groups? For example admins to one org and moderators to another?

Timshel commented 3 months ago

Yes if you use ; as a separator.

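As an added illustration (not code from vaultwarden or from anyone in this thread), a small Rust parser for the SSO_ORGANIZATIONS_ID_MAPPING value in the direction Timshel describes: organization UUID first, then the group name, entries separated by ";". It rejects entries written the wrong way round (the mistake from the first post) and resolves a token's groups claim to organization IDs. The loose UUID shape check and the sample group names are assumptions of this example.

```rust
use std::collections::HashMap;

/// Parse "<org-uuid>:<group>;<org-uuid>:<group>;..." into a group -> org id map.
/// An entry whose left side is not UUID-shaped (e.g. the reversed "admins:<uuid>")
/// is reported as an error instead of being silently accepted.
pub fn parse_org_mapping(raw: &str) -> Result<HashMap<String, String>, String> {
    let mut map = HashMap::new();
    // A trailing ";" (as in the original config) yields an empty entry; skip it.
    for entry in raw.split(';').map(str::trim).filter(|e| !e.is_empty()) {
        let (org_id, group) = entry
            .split_once(':')
            .ok_or_else(|| format!("entry '{}' has no ':' separator", entry))?;
        let (org_id, group) = (org_id.trim(), group.trim());
        if !looks_like_uuid(org_id) {
            return Err(format!(
                "entry '{}': left side must be the organization UUID, got '{}'",
                entry, org_id
            ));
        }
        if group.is_empty() {
            return Err(format!("entry '{}' has an empty group name", entry));
        }
        map.insert(group.to_string(), org_id.to_string());
    }
    Ok(map)
}

/// Loose 8-4-4-4-12 hex-group check; an assumption of this example, not vaultwarden's.
fn looks_like_uuid(s: &str) -> bool {
    let parts: Vec<&str> = s.split('-').collect();
    parts.len() == 5
        && parts.iter().map(|p| p.len()).eq([8usize, 4, 4, 4, 12].iter().copied())
        && parts.iter().all(|p| p.chars().all(|c| c.is_ascii_hexdigit()))
}

/// Resolve the `groups` claim of an ID token (e.g. ["admins", "moderators"]) to the
/// organization ids the user should be invited to; unmapped groups are ignored.
pub fn orgs_for_groups<'a>(mapping: &'a HashMap<String, String>, groups: &[&str]) -> Vec<&'a str> {
    groups
        .iter()
        .filter_map(|g| mapping.get(*g).map(String::as_str))
        .collect()
}
```
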
michael-harman commented 3 months ago

That worked thank you. One last question I have and then I can close out this ticket.

Is it possible to import users and groups from SSO similar to how Directory Connector does, where I can add users and groups to collections based off of LDAP? Thanks

Timshel commented 3 months ago

Is it possible to import users and groups from SSO similar to how Directory Connector does, where I can add users and groups to collections based off of LDAP? Thanks

Not in anything I added.

But Vaultwarden lists Directory Connector as supported (never tried to use it).