auth-saml-bulk-enroll-users.rst (docs/auth, text/x-rst)
File last commit: r5505:3fc95e3b default, r5640:acc4336c default
r3491 .. _auth-saml-bulk-enroll-users-ref:
Bulk enroll multiple existing users
-----------------------------------
RhodeCode Supports standard SAML 2.0 SSO for the web-application part.
Below is an example how to enroll list of all or some users to use SAML authentication.
This method simply enables SAML authentication for many users at once.
From the server RhodeCode Enterprise is running run ishell on the instance which we
docs: updated bulk external identity set
r3493 want to apply the SAML migration::
docs: added example how to enroll multiple users to SAML.
r3491
auth: updated saml docs, and re-order info on plugin details for easier setup
r5505 ./rcstack cli ishell
docs: added example how to enroll multiple users to SAML.
r3491
Follow these steps to enable SAML authentication for multiple users.

1) Create a user_id => attribute mapping.

   `saml2user` maps local RhodeCode user_ids to the set of attributes required to bind a SAML
   account from the provider (such as OneLogin, Duo Security or Google) to the internal RhodeCode
   user.

   For example, 123 is the local RhodeCode user_id and '48253211' is the OneLogin ID.
   For other providers you will have to work out what the user ID is; sometimes it is the email
   address, e.g. for Google. Most importantly, this ID needs to be unique for each user.

   .. code-block:: python

       In [1]: saml2user = {
          ...:     # OneLogin uses the externalID, available to read from in the UI
          ...:     123: {'id': '48253211'},
          ...:     # for Google/Duo Security the email is also an option for a unique ID
          ...:     124: {'id': 'email@domain.com'},
          ...: }

2) Import the plugin you want to run the migration for.

   From the available options pick only one and run its `import` statement:

   .. code-block:: python

       # for Duo Security
       In [2]: from rc_auth_plugins.auth_duo_security import RhodeCodeAuthPlugin

       # for Azure Entra
       In [2]: from rc_auth_plugins.auth_azure import RhodeCodeAuthPlugin

       # for OneLogin
       In [2]: from rc_auth_plugins.auth_onelogin import RhodeCodeAuthPlugin

       # generic SAML plugin
       In [2]: from rc_auth_plugins.auth_saml import RhodeCodeAuthPlugin

3) Run the migration based on the saml2user mapping.

   Enter the following at the ishell prompt. Users that already have an external identity are
   skipped, and users without an entry in `saml2user` are left untouched:

   .. code-block:: python

       In [3]: for user in User.get_all():
          ...:     existing_identity = ExternalIdentity().query().filter(ExternalIdentity.local_user_id == user.user_id).scalar()
          ...:     attrs = saml2user.get(user.user_id)
          ...:     provider = RhodeCodeAuthPlugin.uid
          ...:     if existing_identity:
          ...:         print(f'Identity for user `{user.username}` already exists, skipping')
          ...:         continue
          ...:     if attrs:
          ...:         external_id = attrs['id']
          ...:         new_external_identity = ExternalIdentity()
          ...:         new_external_identity.external_id = external_id
          ...:         new_external_identity.external_username = f'{user.username}-saml-{user.user_id}'
          ...:         new_external_identity.provider_name = provider
          ...:         new_external_identity.local_user_id = user.user_id
          ...:         new_external_identity.access_token = ''
          ...:         new_external_identity.token_secret = ''
          ...:         new_external_identity.alt_token = ''
          ...:         # persist the newly created identity row
          ...:         Session().add(new_external_identity)
          ...:         Session().commit()
          ...:         print(f'Set user `{user.username}` external identity bound to ExternalID:{external_id}')

.. note::

   `saml2user` can be really big and hard to maintain in ishell. It is also possible
   to load it from a JSON file prepared beforehand and stored on disk. To do so run::

       import json
       with open('/path/to/saml2user.json') as f:
           saml2user = json.load(f)
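Two things bite when the mapping comes from a JSON file: JSON object keys are always strings, so `saml2user.get(user.user_id)` with an integer user_id finds nothing and every user is silently left unmapped, and a mapping that binds one external ID to two local users lets a single SAML login reach two accounts. The added example below (not part of the RhodeCode docs or code base) loads and validates such a file, then dry-runs the step 3 loop against plain `(user_id, username)` pairs instead of the `User`/`ExternalIdentity` models; the JSON samples are constructed.

```python
import json
from collections import Counter

# Constructed sample files: JSON object keys are always strings, so the
# user_id 123 from the ishell example arrives as "123" and must be coerced back.
GOOD_JSON = '{"123": {"id": "48253211"}, "124": {"id": "email@domain.com"}}'
# Same SAML account bound to two local users: must be refused.
BAD_JSON = '{"123": {"id": "48253211"}, "125": {"id": "48253211"}}'


def load_saml2user(json_text):
    """Parse a saml2user JSON file into {int user_id: {'id': external_id}}.
    Rejects empty external ids and external ids shared by several users."""
    raw = json.loads(json_text)
    mapping = {int(user_id): attrs for user_id, attrs in raw.items()}
    for user_id, attrs in mapping.items():
        ext = attrs.get('id')
        if not isinstance(ext, str) or not ext.strip():
            raise ValueError(f'user_id {user_id}: missing or empty external id')
    counts = Counter(attrs['id'] for attrs in mapping.values())
    dupes = sorted(ext for ext, n in counts.items() if n > 1)
    if dupes:
        raise ValueError(f'external ids bound to more than one user: {dupes}')
    return mapping


def plan_migration(mapping, users, already_bound):
    """Dry run of step 3 on plain data instead of the RhodeCode models.
    users: list of (user_id, username); already_bound: set of user_ids that
    already have an ExternalIdentity row. Returns (bind, skip, unmapped)."""
    bind, skip, unmapped = [], [], []
    for user_id, username in users:
        if user_id in already_bound:
            skip.append(username)          # the `continue` branch of the loop
        elif user_id in mapping:
            bind.append((username, mapping[user_id]['id']))
        else:
            unmapped.append(username)      # no attrs: the loop body does nothing
    return bind, skip, unmapped


if __name__ == '__main__':
    mapping = load_saml2user(GOOD_JSON)
    users = [(123, 'alice'), (124, 'bob'), (126, 'carol')]
    print(plan_migration(mapping, users, already_bound={124}))
    try:
        load_saml2user(BAD_JSON)
    except ValueError as exc:
        print('rejected:', exc)
```

Run the dry run and review the `unmapped` list before executing step 3 in ishell; a long unmapped list usually means the keys were never converted to integers.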