Open GastonMeghi opened 2 years ago
I think SAML is already included? - https://ylianst.github.io/MeshCentral/meshcentral/#generic-saml-setup
Yes, it has SAML, which I have working now. But it's just the authentication part (making sure the user is who they claim to be); the feature request is for the authorization part: once the user is logged in, it would use the SAML claims to add the user to the groups they should be in and assign the permissions they should have.
With the current SAML implementation an administrator has to manually give them access to the groups and restrict their permissions.
I have a similar issue with this, unless I missed it in the docs. Is the SAML implementation for authentication only, or is authorization included as well?
Right now, SAML is authentication only... however, I just added group authorization support for LDAP, I need to do the same for SAML. This is what I have for LDAP:
I went into JumpCloud to see how I could have it send MeshCentral the list of user groups a user is part of when they login and that does not seem to be available.
You mention "AD groups" in your request, are you sure LDAP is not what you are looking for?
I'm working on this for OpenID Connect at the moment. I'm able to pull groups from Authelia and even verify required membership, but I'm not sure how to go about getting it to actually join the user to the groups. I'll put in a pull request shortly for what I have working so far.
Working on this at #4506
The authStrategies will look like this in v1.0.83. Note the added "groups" section.
```json
"authStrategies": {
  "oidc": {
    "authorizationURL": "https://sso.server.com/api/oidc/authorization",
    "callbackURL": "https://mesh.server.com/oidc-callback",
    "clientid": "00000000-0000-0000-0000-000000000000",
    "clientsecret": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
    "issuer": "https://sso.server.com",
    "tokenURL": "https://sso.server.com/api/oidc/token",
    "userInfoURL": "https://sso.server.com/api/oidc/userinfo",
    "logoutURL": "https://sso.server.com/logout",
    "newAccounts": true,
    "groups": {
      "required": [ "groupA", "groupB", "groupC" ],
      "siteadmin": [ "groupA" ],
      "sync": {
        "enable": true,
        "filter": [ "groupB", "groupC" ]
      }
    }
  }
}
```
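The following is an added example, not code from MeshCentral or from the comment above: a hypothetical helper that turns the "groups" section of an authStrategies entry, together with the group list an IdP returned for the user (an OIDC "groups" claim or a SAML group attribute, which is the same mapping the feature request asks for), into an authorization decision a login handler could apply. The semantics are assumptions, not confirmed by the thread: "required" is satisfied by membership in any listed group, "siteadmin" likewise, and "sync.filter" limits which IdP groups are mirrored into MeshCentral user groups. The helper names and the sample config are constructed for illustration.

```javascript
'use strict';
// Added example, not MeshCentral's own code. Hypothetical helper that applies
// the "groups" section of an authStrategies entry to the group list the IdP
// sent for a user (OIDC "groups" claim or SAML group attribute).
// Assumptions (not confirmed by the thread): "required" is satisfied by ANY
// listed group, "siteadmin" by ANY listed group, and "sync.filter" restricts
// which IdP groups are mirrored into MeshCentral user groups.

// IdPs disagree on the claim shape: an array, a single string, or a
// space/comma separated string. Normalize to an array of strings.
function normalizeGroups(claim) {
  if (claim == null) return [];
  if (Array.isArray(claim)) return claim.map(String);
  return String(claim).split(/[\s,]+/).filter(Boolean);
}

// groupsConfig: the "groups" object from the strategy config.
// claim: the raw group claim from the IdP (may be absent).
// currentGroups: MeshCentral user groups the account holds today.
// Returns { allowed, reason, siteadmin, add, remove }.
function authorizeFromGroups(groupsConfig, claim, currentGroups = []) {
  const cfg = groupsConfig || {};
  const idpGroups = normalizeGroups(claim);
  const inIdp = (g) => idpGroups.includes(g);
  const decision = { allowed: true, reason: 'ok', siteadmin: false, add: [], remove: [] };

  // Gate: when "required" is set, a missing or empty claim is a denial,
  // never a pass-through.
  const required = Array.isArray(cfg.required) ? cfg.required : [];
  if (required.length > 0 && !required.some(inIdp)) {
    decision.allowed = false;
    decision.reason = idpGroups.length === 0
      ? 'no group claim in assertion'
      : 'not in any required group';
    return decision;
  }

  // Site admin is recomputed from the IdP on every login, so it is revoked
  // automatically once the user leaves the group.
  decision.siteadmin = (Array.isArray(cfg.siteadmin) ? cfg.siteadmin : []).some(inIdp);

  const sync = cfg.sync || {};
  if (sync.enable === true) {
    const filter = Array.isArray(sync.filter) ? sync.filter : [];
    // Groups the user should end up in: the IdP groups, narrowed by the filter.
    const wanted = filter.length > 0 ? idpGroups.filter((g) => filter.includes(g)) : idpGroups;
    // With a filter, only filtered groups are under sync control; groups an
    // admin assigned by hand outside the filter are left untouched. Without a
    // filter every current group is managed and stale ones are removed.
    const managed = (g) => filter.length === 0 || filter.includes(g);
    decision.add = wanted.filter((g) => !currentGroups.includes(g));
    decision.remove = currentGroups.filter((g) => managed(g) && !wanted.includes(g));
  }
  return decision;
}

// Constructed sample mirroring the "groups" section of the config above.
const SAMPLE_GROUPS_CONFIG = {
  required: ['groupA', 'groupB', 'groupC'],
  siteadmin: ['groupA'],
  sync: { enable: true, filter: ['groupB', 'groupC'] },
};

if (typeof require !== 'undefined' && require.main === module) {
  // User in groupA and groupB, currently holding groupC and a hand-assigned "ops" group.
  console.log(authorizeFromGroups(SAMPLE_GROUPS_CONFIG, ['groupA', 'groupB'], ['groupC', 'ops']));
  // Assertion without any group claim: denied because "required" is set.
  console.log(authorizeFromGroups(SAMPLE_GROUPS_CONFIG, undefined));
}
```

The point a practitioner would check: the decision is recomputed on every login, so removal from an IdP group drops site-admin rights and the synced user groups on the next sign-in, and a missing claim fails closed rather than being treated as "no restrictions". Groups outside the sync filter stay under manual control, which is what lets an administrator keep hand-assigned memberships alongside IdP-driven ones.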
Small update: this is working for OIDC, but I've made no progress on SAML yet. I'm in the process of unifying all the OIDC-compatible IdPs under one module, namely Azure at the moment, but my plan is to do the same for all the currently available options, including SAML versions where that's an option.
First I need to feel out SAML as I still haven't even used it, let alone programmed anything for it. I have a Keycloak instance running so I should be able to get started on this in the next few weeks.
@mstrhakr Thank you a lot for your collaboration on the project! Just a small friendly question: how much time do you think it would take you to finish the SAML authorization piece? If longer than two or three months, I would have to think of a workaround using meshctrl, and it would be a bit of throwaway code since I would like to fully handle this with SAML 2.0.
@mstrhakr Just a friendly check: were you able to get some of it working? Really appreciate the work you guys do!
I have created a discussion, and maybe it is related to this: https://github.com/Ylianst/MeshCentral/discussions/5836 We have Azure AD SSO set up, but groups don't load.
In order to use MeshCentral in large companies it would be great to get SAML authorization. With the SAML claims in the authentication message we could match the AD groups of the company to UserGroups and UserAuthorizations in MeshCentral; this would also prevent users that are not in the allowed groups from creating an account in MeshCentral.
Describe alternatives you've considered
Another alternative to avoid manually assigning users to groups would be automating it with meshctrl, but the use of SAML role claims would definitely be a cleaner and more scalable solution.