Open magliok-wwt opened 3 weeks ago
Additional information:
Within my SAML Claim we configured these three fields to come across. It is desired to have these populate into the userClaim similar fields - based on the configuration setup in SSO
email => email
given_name => firstName
family_name => lastName

<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Ken.Maglio@wwt.com</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute Name="firstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Ken</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute Name="lastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Maglio</saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>
Related to issue https://github.com/appsmithorg/appsmith/issues/30520
@magliok-wwt we'll look into adding the claims to the user object. To disable the account update screen, I believe you can follow this guide https://docs.appsmith.com/getting-started/setup/instance-configuration/authentication/security-assertion-markup-language-saml/disable-update-account-info
Is there an existing issue for this?
Summary
In the current SSO implementation, you can specify additional attributes from the IDP to match fields already present in the userClaim object.
The idea is that if those are specified, AppSmith should use them during initial login and NOT prompt the user for email, first, and last name.
Additionally, if the user's information changes (via the IDP), these fields should be reflected within the AppSmith userClaim object, e.g. Ken changes to Kenneth.
Why should this be worked on?
The pages to set up SSO actually speak to this, and this would be a better User Experience. There is no way to update this information (userClaim) once provided by the user anywhere within AppSmith. At least if it's configured within SSO, it would update via the IDP into the userClaim.
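As an added illustration of the behaviour the summary asks for (not Appsmith's code), the Python below maps a configured set of IdP attribute names onto userClaim fields, decides whether the email/first/last-name prompt is still needed, and computes which stored fields changed at the IdP; the attribute statement, `ATTRIBUTE_MAP` and the profile values are constructed placeholders.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Hypothetical SSO config: IdP attribute Name -> userClaim field, as the issue describes.
ATTRIBUTE_MAP = {"email": "email", "given_name": "firstName", "family_name": "lastName"}

# Constructed AttributeStatement with placeholder values (not a real assertion).
SAMPLE_STATEMENT = """<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Attribute Name="email"><saml2:AttributeValue>jane.doe@example.com</saml2:AttributeValue></saml2:Attribute>
  <saml2:Attribute Name="given_name"><saml2:AttributeValue>Jane</saml2:AttributeValue></saml2:Attribute>
  <saml2:Attribute Name="family_name"><saml2:AttributeValue>Doe</saml2:AttributeValue></saml2:Attribute>
</saml2:AttributeStatement>"""


def extract_attributes(statement_xml: str) -> dict:
    """Return {attribute Name: first value} from a SAML2 AttributeStatement.

    Call this only on an assertion whose signature has already been verified;
    before that, attribute names and values are untrusted input."""
    root = ET.fromstring(statement_xml)
    attrs = {}
    for attr in root.findall("saml2:Attribute", SAML_NS):
        name = attr.get("Name")
        value = attr.find("saml2:AttributeValue", SAML_NS)
        if name and value is not None and value.text:
            attrs[name] = value.text.strip()
    return attrs


def claims_from_attributes(attrs: dict, mapping: dict = ATTRIBUTE_MAP) -> dict:
    """Map IdP attributes onto userClaim fields; attributes not in the map are ignored."""
    return {field: attrs[src] for src, field in mapping.items() if src in attrs}


def needs_profile_prompt(claims: dict) -> bool:
    """True when email, first or last name is still missing and the user must be asked."""
    return not all(claims.get(f) for f in ("email", "firstName", "lastName"))


def reconcile(existing: dict, claims: dict) -> dict:
    """Return only the fields whose IdP value differs from the stored profile,
    so a rename at the IdP (Ken -> Kenneth) is applied on the next login."""
    return {f: v for f, v in claims.items() if existing.get(f) != v}
```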