auth-saml-bulk-enroll-users.rst
90 lines
| 3.5 KiB
| text/x-rst
|
RstLexer
| r3491 | .. _auth-saml-bulk-enroll-users-ref: | |||
| Bulk enroll multiple existing users | ||||
| ----------------------------------- | ||||
| RhodeCode Supports standard SAML 2.0 SSO for the web-application part. | ||||
| Below is an example how to enroll list of all or some users to use SAML authentication. | ||||
| This method simply enables SAML authentication for many users at once. | ||||
| From the server RhodeCode Enterprise is running run ishell on the instance which we | ||||
| r3493 | want to apply the SAML migration:: | |||
| r3491 | ||||
| r5505 | ./rcstack cli ishell | |||
| r3491 | ||||
| Follow these steps to enable SAML authentication for multiple users. | ||||
| 1) Create a user_id => attribute mapping | ||||
| `saml2user` is a mapping of external ID from SAML provider such as OneLogin, DuoSecurity, Google. | ||||
| This mapping consists of local rhodecode user_id mapped to set of required attributes needed to bind SAML | ||||
| account to internal rhodecode user. | ||||
| r3493 | For example, 123 is local rhodecode user_id, and '48253211' is OneLogin ID. | |||
| r3491 | For other providers you'd have to figure out what would be the user-id, sometimes it's the email, i.e for Google | |||
| r3493 | The most important this id needs to be unique for each user. | |||
| .. code-block:: python | ||||
| In [1]: saml2user = { | ||||
| ...: # OneLogin, uses externalID available to read from in the UI | ||||
| r3523 | ...: 123: {'id': '48253211'}, | |||
| r3493 | ...: # for Google/DuoSecurity email is also an option for unique ID | |||
| r3523 | ...: 124: {'id': 'email@domain.com'}, | |||
| r3493 | ...: } | |||
| r3491 | ||||
| r3493 | ||||
| 2) Import the plugin you want to run migration for. | ||||
| From available options pick only one and run the `import` statement | ||||
| .. code-block:: python | ||||
| r3491 | ||||
| r3493 | # for Duo Security | |||
| In [2]: from rc_auth_plugins.auth_duo_security import RhodeCodeAuthPlugin | ||||
| r5505 | # for Azure Entra | |||
| In [2]: from rc_auth_plugins.auth_azure import RhodeCodeAuthPlugin | ||||
| r3493 | # for OneLogin | |||
| In [2]: from rc_auth_plugins.auth_onelogin import RhodeCodeAuthPlugin | ||||
| # generic SAML plugin | ||||
| In [2]: from rc_auth_plugins.auth_saml import RhodeCodeAuthPlugin | ||||
| r3491 | ||||
| r3493 | 3) Run the migration based on saml2user mapping. | |||
| Enter in the ishell prompt | ||||
| .. code-block:: python | ||||
| r3491 | ||||
| r3493 | In [3]: for user in User.get_all(): | |||
| ...: existing_identity = ExternalIdentity().query().filter(ExternalIdentity.local_user_id == user.user_id).scalar() | ||||
| ...: attrs = saml2user.get(user.user_id) | ||||
| ...: provider = RhodeCodeAuthPlugin.uid | ||||
| ...: if existing_identity: | ||||
| r5505 | ...: print(f'Identity for user `{user.username}` already exists, skipping') | |||
| r3493 | ...: continue | |||
| ...: if attrs: | ||||
| ...: external_id = attrs['id'] | ||||
| ...: new_external_identity = ExternalIdentity() | ||||
| ...: new_external_identity.external_id = external_id | ||||
| r5505 | ...: new_external_identity.external_username = f'{user.username}-saml-{user.user_id}' | |||
| r3493 | ...: new_external_identity.provider_name = provider | |||
| r3523 | ...: new_external_identity.local_user_id = user.user_id | |||
| r3493 | ...: new_external_identity.access_token = '' | |||
| ...: new_external_identity.token_secret = '' | ||||
| ...: new_external_identity.alt_token = '' | ||||
| ...: Session().add(ex_identity) | ||||
| ...: Session().commit() | ||||
| r5505 | ...: print(f'Set user `{user.username}` external identity bound to ExternalID:{external_id}') | |||
| r3491 | ||||
| .. note:: | ||||
| saml2user can be really big and hard to maintain in ishell. It's also possible | ||||
| to load it as a JSON file prepared before and stored on disk. To do so run:: | ||||
| import json | ||||
| saml2user = json.loads(open('/path/to/saml2user.json','rb').read()) | ||||
