
Add SAML Authorization (Role claims) #4479

Open
GastonMeghi opened this issue Sep 1, 2022 · 12 comments

Comments

@GastonMeghi
Contributor

GastonMeghi commented Sep 1, 2022

In order to use MeshCentral in large companies it would be great to get SAML authorization. With the SAML claims in the authentication message we could match the AD groups of the company to UserGroups and UserAuthorizations in MeshCentral; this would also restrict the creation of an account in MeshCentral for users that are not in the allowed groups.

Describe alternatives you've considered
Another alternative to avoid manually assigning users to groups would be automating it with meshctrl, but the use of SAML Role Claims would be definitely a cleaner and more scalable solution.

@si458
Collaborator

si458 commented Sep 1, 2022

I think SAML is already included? - https://ylianst.github.io/MeshCentral/meshcentral/#generic-saml-setup

@GastonMeghi
Contributor Author

Yes, it has SAML, which I have working now. But it's just the authentication part (making sure that the user is who he claims to be); the feature request is for the authorization part, i.e. once the user is logged in, it would use the SAML claims to add the users to the groups that they should be in and assign the permissions that they should have.

With the current SAML implementation one administrator has to manually give them access to the groups and restrict the user's permissions.

@theidlemonk

I have a similar issue with this, unless I missed it in the docs. Is the SAML implementation for authentication only, or is authorization included as well?

@Ylianst Ylianst self-assigned this Sep 2, 2022
@Ylianst
Owner

Ylianst commented Sep 2, 2022

Right now, SAML is authentication only... however, I just added group authorization support for LDAP, I need to do the same for SAML. This is what I have for LDAP:

image

@Ylianst
Owner

Ylianst commented Sep 3, 2022

I went into JumpCloud to see how I could have it send MeshCentral the list of user groups a user is part of when they log in, and that does not seem to be available.

image

You mention "AD groups" in your request; are you sure LDAP is not what you are looking for?

@mstrhakr
Contributor

mstrhakr commented Sep 5, 2022

I'm working on this for OpenID Connect at the moment, I'm able to pull groups from Authelia and even verify required membership, but I'm not sure how to go about getting it to actually join the user to the groups. I'll put in a pull shortly for what I have working so far.

@mstrhakr
Contributor

mstrhakr commented Sep 5, 2022

Working on this at #4506

@Ylianst
Owner

Ylianst commented Sep 6, 2022

The authStrategies will look like this in v1.0.83. Note the added "groups" section.

      "authStrategies": {
        "oidc": {
          "authorizationURL": "https://sso.server.com/api/oidc/authorization",
          "callbackURL": "https://mesh.server.com/oidc-callback",
          "clientid": "00000000-0000-0000-0000-000000000000",
          "clientsecret": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
          "issuer": "https://sso.server.com",
          "tokenURL": "https://sso.server.com/api/oidc/token",
          "userInfoURL": "https://sso.server.com/api/oidc/userinfo",
          "logoutURL": "https://sso.server.com/logout",
          "newAccounts": true,
          "groups": {
            "required": [ "groupA", "groupB", "groupC" ],
            "siteadmin": [ "groupA" ],
            "sync": {
              "enable": true,
              "filter": [ "groupB", "groupC" ]
            }
          }
        }
      }

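As an added illustration of how the "groups" section quoted above could be evaluated against the group claims an IdP returns (example code, not MeshCentral's own implementation; the semantics below are assumptions: "required" passes on membership in at least one listed group, "siteadmin" grants site admin on any match, and "sync.filter" limits which IdP groups are mirrored into MeshCentral user groups):

```javascript
'use strict';

// Constructed config mirroring the v1.0.83 "groups" shape quoted in the issue.
const authStrategies = {
  oidc: {
    newAccounts: true,
    groups: {
      required: ['groupA', 'groupB', 'groupC'],
      siteadmin: ['groupA'],
      sync: { enable: true, filter: ['groupB', 'groupC'] },
    },
  },
};

// Evaluate one strategy's "groups" config against the groups the IdP claimed.
// Returns whether login is allowed, whether the user gets site admin, and
// which claimed groups would be mirrored as MeshCentral user groups.
// (Assumed semantics, see the lead-in; MeshCentral may differ.)
function evaluateGroups(strategyCfg, claimedGroups) {
  const g = (strategyCfg && strategyCfg.groups) || {};
  const claimed = new Set(Array.isArray(claimedGroups) ? claimedGroups : []);
  const hasAny = (list) => Array.isArray(list) && list.some((x) => claimed.has(x));

  // No "required" list means every authenticated user is allowed in.
  const allowed =
    !Array.isArray(g.required) || g.required.length === 0 || hasAny(g.required);
  if (!allowed) return { allowed: false, siteadmin: false, syncGroups: [] };

  const siteadmin = hasAny(g.siteadmin);

  let syncGroups = [];
  if (g.sync && g.sync.enable === true) {
    const filter = Array.isArray(g.sync.filter) ? new Set(g.sync.filter) : null;
    // With a filter, only listed groups are mirrored; without one, all claimed groups are.
    syncGroups = [...claimed].filter((x) => filter === null || filter.has(x)).sort();
  }
  return { allowed: true, siteadmin, syncGroups };
}

// Constructed sample claims, as an IdP might return them in the userinfo response.
console.log(evaluateGroups(authStrategies.oidc, ['groupA', 'groupC', 'finance']));
console.log(evaluateGroups(authStrategies.oidc, ['finance'])); // not allowed
```
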
@mstrhakr
Contributor

mstrhakr commented Sep 9, 2022

Small update: this is working for OIDC, but I've made no progress on SAML yet.
I'm in the process of unifying all the OIDC-compatible IdPs under one module. Namely Azure at the moment, but it is my plan to do the same for all the currently available options, including SAML versions where that's an option.

First I need to feel out SAML as I still haven't even used it, let alone programmed anything for it. I have a Keycloak instance running so I should be able to get started on this in the next few weeks.

@GastonMeghi
Contributor Author

@mstrhakr

Thank you a lot for your collaboration on the project! Just a small friendly question: how much time do you think it would take you to finish the SAML authorization piece? If longer than two or three months, I would have to think of a workaround using meshctrl, and it would be a bit of throwaway code since I would like to fully handle this with SAML 2.0.

@GastonMeghi
Contributor Author

@mstrhakr
Just a friendly check: were you able to get some of it working? Really appreciate the work you guys do!

@exander77

I have created a discussion, and maybe it is related to this: #5836
We have Azure AD SSO set up, but groups don't load.
