Closed MAHDTech closed 1 month ago
One thing I forgot to mention was inside the Omni UI, on the settings page, I see a single label against my test user so it seems to be mapping only the first role that's listed inside the SAML assertion.
Yeah. That looks like a new SAML variation that we don't handle correctly :upside_down_face:
It doesn't assign the role as it maps only the first role attribute from SAML.
You'll also need to set Omni flag `--auth-saml-label-rules='{"groups": "groups"}'` to make Omni extract groups attribute.
Here it means extract attribute with name `groups` into label `saml.omni.sidero.dev/groups/<value>`
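An added illustration of the attribute-to-label mapping discussed in this thread (not Omni's code and not written by any participant): it collects every value of a multi-valued SAML attribute, whether sent as several `AttributeValue` elements or as repeated `Attribute` elements, and contrasts that with a first-value-only mapping like the symptom reported. The sample assertion, the function names, the `role` rule and the generalised `saml.omni.sidero.dev/<label>/<value>` form are assumptions.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
LABEL_PREFIX = "saml.omni.sidero.dev"  # prefix as quoted in the thread

# Constructed sample, not taken from the gist. Signature validation is assumed
# to have happened already; never map attributes from an unverified assertion.
SAMPLE_STATEMENT = """
<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="role">
    <saml:AttributeValue>Reader</saml:AttributeValue>
    <saml:AttributeValue>Operator</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="groups"><saml:AttributeValue>omni-admins</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="groups"><saml:AttributeValue>platform</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="email"><saml:AttributeValue>user@example.com</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>
"""

def collect_attributes(statement_xml):
    """Return {attribute name: [all values]} across every Attribute element."""
    root = ET.fromstring(statement_xml)
    attrs = {}
    for attr in root.findall("saml:Attribute", SAML_NS):
        values = attrs.setdefault(attr.get("Name"), [])
        for value in attr.findall("saml:AttributeValue", SAML_NS):
            text = (value.text or "").strip()
            if text and text not in values:  # skip empties and duplicates
                values.append(text)
    return attrs

def labels_for(attrs, rules, first_only=False):
    """Apply {attribute name: label name} rules; first_only mimics the reported symptom."""
    labels = []
    for attr_name, label_name in rules.items():
        values = attrs.get(attr_name, [])
        for value in (values[:1] if first_only else values):
            labels.append(f"{LABEL_PREFIX}/{label_name}/{value}")
    return labels

if __name__ == "__main__":
    rules = {"groups": "groups", "role": "role"}  # the "role" rule is an assumption
    parsed = collect_attributes(SAMPLE_STATEMENT)
    print("first value only:", labels_for(parsed, rules, first_only=True))
    print("all values:      ", labels_for(parsed, rules))
```

Attributes without a rule (here `email`) produce no label, so only what the rules name can influence role assignment.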
Thanks!
I can confirm `v0.35.0-beta.0-3-g7bd922a` that includes the PR works for both `role` and `groups` with Workspace ONE Access :+1:
Is there an existing issue for this?
Current Behavior
Hi, I am testing Omni `v0.35.0` with my SAML Provider VMware Workspace ONE Access.
I have been able to log in using SAML and create ACLs for individual users which work great once the user is assigned a role manually.
I'm having an issue with the automatic SAML rules to assign users to an Omni role based on a SAML `role` or `groups` in the SAML assertion.
So far I have,
- `groups` and `role` (see gist below)
- `SAMLLabelRules.omni.sidero.dev` object (see gist below)
The user is not being assigned any Omni role.
Any pointers where I've gone wrong here?
Expected Behavior
The user is assigned an Omni role based on their `groups` or `role` SAML Attribute.
Steps To Reproduce
v0.35.0
I have a gist with the captured logs and a snippet from the SAML assertion reply available here
https://gist.github.com/MAHDTech/10c1f673a0f9b26cb46760e1658b2510
What browsers are you seeing the problem on?
Chrome
Anything else?
There are a few things that might be worth calling out;
ALL USERS
which are built-in and can't be modified