appsmithorg / appsmith

Platform to build admin panels, internal tools, and dashboards. Integrates with 25+ databases and any API.
https://www.appsmith.com
Apache License 2.0

[Feature]: SSO Attribute Configuration for use in userClaim object #35798

Open magliok-wwt opened 3 weeks ago

magliok-wwt commented 3 weeks ago

Is there an existing issue for this?

Summary

In the current SSO implementation, you can specify additional attributes from the IDP to match fields already present in the userClaim object.

The idea is that if those are specified, Appsmith should use them during initial login and NOT prompt the user for email, first, and last name.

Additionally, if the user's information changes (via the IDP), these fields should be reflected within the Appsmith userClaim object, e.g. Ken changes to Kenneth.

Why should this be worked on?

The pages to set up SSO actually speak to this, and this would be a better User Experience. There is no way to update this information (userClaim) once provided by the user anywhere within Appsmith. At least if it's configured within SSO, it would update via the IDP into the userClaim.

magliok-wwt commented 3 weeks ago

Additional information:

Within my SAML Claim we configured these three fields to come across. It is desired to have these populate into the similar userClaim fields, based on the configuration set up in SSO.

key => value

email => email
given_name => firstName
family_name => lastName


<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml2:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Ken.Maglio@wwt.com</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="firstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Ken</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="lastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Maglio</saml2:AttributeValue>
    </saml2:Attribute>
</saml2:AttributeStatement>
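
An added sketch, not Appsmith code and not part of the comment above, of the behaviour this issue asks for: read the configured attributes from an AttributeStatement, fill the claim fields from them, prompt only for fields the IdP did not supply, and pick up IdP-side changes on later logins. The `CLAIM_MAPPING` direction (claim field to SAML attribute `Name`), the function names, the dictionary shape of the claim and the sample values are assumptions.

```python
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# Assumed SSO configuration: userClaim field -> SAML attribute Name.
CLAIM_MAPPING = {"email": "email", "given_name": "firstName", "family_name": "lastName"}
# Constructed sample shaped like the AttributeStatement above (values are made up).
SAMPLE = f"""<saml2:AttributeStatement xmlns:saml2="{NS}">
  <saml2:Attribute Name="email"><saml2:AttributeValue>ken@example.com</saml2:AttributeValue></saml2:Attribute>
  <saml2:Attribute Name="firstName"><saml2:AttributeValue>Ken</saml2:AttributeValue></saml2:Attribute>
  <saml2:Attribute Name="lastName"><saml2:AttributeValue>Example</saml2:AttributeValue></saml2:Attribute>
</saml2:AttributeStatement>"""


def parse_attributes(xml_text):
    """Return {attribute Name: [values]}. Input must come from an assertion whose
    signature, issuer, audience and validity were already verified elsewhere."""
    # A SAML assertion never needs a DTD, so refuse one before parsing.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD is not allowed in SAML input")
    attrs = {}
    for attr in ET.fromstring(xml_text).iter(f"{{{NS}}}Attribute"):
        values = [(v.text or "").strip() for v in attr.findall(f"{{{NS}}}AttributeValue")]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def build_user_claim(attrs, mapping=CLAIM_MAPPING):
    """Map IdP attributes to claim fields; return (claim, fields_still_missing)."""
    claim, missing = {}, []
    for field, saml_name in mapping.items():
        values = [v for v in attrs.get(saml_name, []) if v]
        if len(values) == 1:
            claim[field] = values[0]
        else:
            # Absent, empty or multi-valued: do not guess, ask the user for this field.
            missing.append(field)
    return claim, missing


def sync_user_claim(stored, fresh):
    """Apply IdP values on each login; return only the fields that changed."""
    changed = {k: v for k, v in fresh.items() if stored.get(k) != v}
    stored.update(changed)
    return changed


if __name__ == "__main__":
    claim, missing = build_user_claim(parse_attributes(SAMPLE))
    print(claim, missing)
    print(sync_user_claim(claim, {**claim, "given_name": "Kenneth"}))
```

An empty `missing` list is the case where the account-update prompt can be skipped; the dictionary returned by `sync_user_claim` is also what an audit log entry for an IdP-driven profile change would record.
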

infinitetrooper commented 3 weeks ago

Related to issue https://github.com/appsmithorg/appsmith/issues/30520

Nikhil-Nandagopal commented 3 weeks ago

@magliok-wwt we'll look into adding the claims to the user object. To disable the account update screen, I believe you can follow this guide https://docs.appsmith.com/getting-started/setup/instance-configuration/authentication/security-assertion-markup-language-saml/disable-update-account-info