siderolabs / omni

SaaS-simple deployment of Kubernetes - on your own hardware.

[bug] SAML Labelling with multiple groups or roles #230

Closed MAHDTech closed 1 month ago

MAHDTech commented 1 month ago

Is there an existing issue for this?

Current Behavior

Hi, I am testing Omni v0.35.0 with my SAML Provider VMware Workspace ONE Access

I have been able to login using SAML and create ACLs for individual users which work great once the user is assigned a role manually.

I'm having an issue with the automatic SAML rules to assign users to an Omni role based on a SAML role or groups in the SAML assertion.

So far I have,

The user is not being assigned any Omni role.

Any pointers where I've gone wrong here?

Expected Behavior

The user is assigned an Omni role based on their groups or role SAML Attribute.

Steps To Reproduce

I have a gist with the captured logs and a snippet from the SAML assertion reply available here

https://gist.github.com/MAHDTech/10c1f673a0f9b26cb46760e1658b2510

What browsers are you seeing the problem on?

Chrome

Anything else?

There are a few things that might be worth calling out:

MAHDTech commented 1 month ago

One thing I forgot to mention was inside the Omni UI, on the settings page, I see a single label against my test user, so it seems to be mapping only the first role that's listed inside the SAML assertion.


Unix4ever commented 1 month ago

Yeah. That looks like a new SAML variation that we don't handle correctly :upside_down_face:

It doesn't assign the role as it maps only the first role attribute from SAML.

Unix4ever commented 1 month ago

You'll also need to set the Omni flag --auth-saml-label-rules='{"groups": "groups"}' to make Omni extract the groups attribute. Here it means: extract the attribute named groups into the label saml.omni.sidero.dev/groups/<value>
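To make the label-rule mapping and the reported bug concrete, here is an added, stand-alone Go example (not Omni's own code, and not taken from the gist). It assumes a hypothetical minimal model of a SAML 2.0 AttributeStatement, a constructed assertion fragment in which the groups attribute carries two AttributeValue elements, and the label prefix saml.omni.sidero.dev/ mentioned above. extractLabels applies rules of the form {samlAttribute: labelKey} to every value of a matching attribute, so a multi-valued groups attribute yields one label per group; firstValueOnlyLabels reproduces the behaviour described in this issue, where only the first value is mapped and the remaining groups or roles are silently dropped.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"sort"
)

// labelPrefix is the prefix quoted above for SAML-derived labels.
const labelPrefix = "saml.omni.sidero.dev/"

// Hypothetical minimal model of a SAML 2.0 AttributeStatement: enough to
// parse Attribute elements that carry one or more AttributeValue children.
type samlAttribute struct {
	Name   string   `xml:"Name,attr"`
	Values []string `xml:"AttributeValue"`
}

type attributeStatement struct {
	Attributes []samlAttribute `xml:"Attribute"`
}

type samlAssertion struct {
	XMLName            xml.Name           `xml:"Assertion"`
	AttributeStatement attributeStatement `xml:"AttributeStatement"`
}

// sampleAssertion is a constructed assertion fragment (not a real IdP reply):
// "groups" is multi-valued, "role" has a single value, "email" has no rule.
const sampleAssertion = `<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>platform-admins</saml:AttributeValue>
      <saml:AttributeValue>cluster-readers</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="role">
      <saml:AttributeValue>Operator</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="email">
      <saml:AttributeValue>user@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>`

// parseAssertion unmarshals the assertion; encoding/xml matches the struct
// tags by local element name, so the saml: namespace prefix is accepted.
func parseAssertion(raw []byte) (samlAssertion, error) {
	var a samlAssertion
	err := xml.Unmarshal(raw, &a)
	return a, err
}

// extractLabels maps every value of every attribute named in rules to a label
// key of the form <prefix><labelKey>/<value>. Attributes without a rule are
// ignored. The result is sorted so that callers can compare it deterministically.
func extractLabels(raw []byte, rules map[string]string) ([]string, error) {
	a, err := parseAssertion(raw)
	if err != nil {
		return nil, err
	}
	var labels []string
	for _, attr := range a.AttributeStatement.Attributes {
		key, ok := rules[attr.Name]
		if !ok {
			continue
		}
		for _, v := range attr.Values {
			labels = append(labels, labelPrefix+key+"/"+v)
		}
	}
	sort.Strings(labels)
	return labels, nil
}

// firstValueOnlyLabels reproduces the reported defect: only the first
// AttributeValue of each matching attribute becomes a label, so a user in
// two groups ends up with a single groups label.
func firstValueOnlyLabels(raw []byte, rules map[string]string) ([]string, error) {
	a, err := parseAssertion(raw)
	if err != nil {
		return nil, err
	}
	var labels []string
	for _, attr := range a.AttributeStatement.Attributes {
		key, ok := rules[attr.Name]
		if !ok || len(attr.Values) == 0 {
			continue
		}
		labels = append(labels, labelPrefix+key+"/"+attr.Values[0])
	}
	sort.Strings(labels)
	return labels, nil
}

func main() {
	// Equivalent of --auth-saml-label-rules='{"groups": "groups", "role": "role"}'.
	rules := map[string]string{"groups": "groups", "role": "role"}
	all, _ := extractLabels([]byte(sampleAssertion), rules)
	first, _ := firstValueOnlyLabels([]byte(sampleAssertion), rules)
	fmt.Println("all values:  ", all)
	fmt.Println("first only:  ", first)
}
```

Running it prints three labels from extractLabels (two groups plus the role) but only two from firstValueOnlyLabels, which is the one-label-per-user symptom seen on the settings page. When checking a fix for this class of bug, the useful assertion is on the count of labels per multi-valued attribute, not merely on whether any label appears.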

MAHDTech commented 1 month ago

Thanks!

I can confirm v0.35.0-beta.0-3-g7bd922a that includes the PR works for both role and groups with Workspace ONE Access :+1: