imsweb / django-saml-sp

A Django application for running one or more SAML service providers (SP)
BSD 3-Clause "New" or "Revised" License

Add the sync of groups if provided from saml #15

Closed etiennepouliot closed 2 years ago

etiennepouliot commented 2 years ago

If we have an attribute mapping with a target of "groups", this patch will make sure that the groups of the users are synched.

dcwatson commented 2 years ago

As it stands, I can't merge this -- I purposefully don't import django.contrib.auth.models directly anywhere, so everything works with custom user models. That said, I'm not opposed to adding something to support this, either:

  1. Provide some subclassing hooks for SAMLAuthenticationBackend so you can more easily subclass it and add this behavior yourself (or even bundle a separate backend that does this).
  2. Make SAMLAuthenticationBackend support saving mapped values to relation fields. This is a lot trickier, but could be done. In the case of User.groups, we'd see that it was a to-many relation, check the related model and see that there's just one required/unique field (name) and be able to do this updating without ever hard-coding "groups" or Group anywhere. It's a lot of somewhat fragile work though, so option 1 is probably an easier place to start.

dcwatson commented 2 years ago

There will be a number of places you can override the way users get updated now -- SAMLAuthenticationBackend.update_user, Idp.update_user_method, and the SP_UPDATE_USER setting. Closing this out in hopes one of them will work for you.
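
The group sync discussed in this thread, reduced to its decision logic, as an added example (not code from this pull request or from django-saml-sp): it plans which groups to add and remove from a mapped SAML attribute while touching only an allowlist of IdP-managed groups. The function names, the allowlist and the sample values are assumptions made for the illustration.

```python
from typing import Iterable, Optional, Set, Tuple, Union

GroupValue = Optional[Union[str, Iterable[str]]]


def normalize_groups(value: GroupValue) -> Set[str]:
    """SAML attributes are multi-valued, but a mapping may hand over a single
    string or nothing at all. Return a clean set of non-empty names."""
    if value is None:
        return set()
    if isinstance(value, str):
        value = [value]
    return {v.strip() for v in value if isinstance(v, str) and v.strip()}


def plan_group_sync(current: GroupValue, asserted: GroupValue,
                    managed: GroupValue) -> Tuple[Set[str], Set[str]]:
    """Return (to_add, to_remove) for one login.

    Only names in `managed` (hypothetical allowlist) are ever granted or
    revoked, so the IdP cannot assert its way into an unlisted local group
    and locally assigned groups survive the sync. A missing attribute
    revokes every managed group (a fail-closed choice made for this example).
    """
    current_set = normalize_groups(current)
    managed_set = normalize_groups(managed)
    wanted = normalize_groups(asserted) & managed_set
    to_add = wanted - current_set
    to_remove = (current_set & managed_set) - wanted
    return to_add, to_remove


def apply_plan(current: GroupValue, to_add: Set[str],
               to_remove: Set[str]) -> Set[str]:
    """Stand-in for applying the two sets to the user's groups relation,
    which a custom update hook would do on the real user model."""
    return (normalize_groups(current) | to_add) - to_remove


if __name__ == "__main__":
    # Constructed sample data, not taken from a real assertion.
    user_groups = {"staff", "editors", "local-admins"}
    saml_groups = ["staff ", "auditors", "superusers"]
    idp_managed = {"staff", "editors", "auditors"}
    add, remove = plan_group_sync(user_groups, saml_groups, idp_managed)
    print(sorted(add), sorted(remove))
    print(sorted(apply_plan(user_groups, add, remove)))
```
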