Show More
@@ -11,11 +11,9 b' This method simply enables SAML authenti' | |||
|
11 | 11 | |
|
12 | 12 | |
|
13 | 13 | From the server RhodeCode Enterprise is running run ishell on the instance which we |
|
14 | want to apply the SAML migration: | |
|
14 | want to apply the SAML migration:: | |
|
15 | 15 |
|
|
16 | ``` | |
|
17 | 16 | rccontrol ishell enterprise-1 |
|
18 | ``` | |
|
19 | 17 | |
|
20 | 18 | Follow these steps to enable SAML authentication for multiple users. |
|
21 | 19 | |
@@ -26,32 +24,50 b' 1) Create a user_id => attribute mapping' | |||
|
26 | 24 | `saml2user` is a mapping of external ID from SAML provider such as OneLogin, DuoSecurity, Google. |
|
27 | 25 | This mapping consists of local rhodecode user_id mapped to set of required attributes needed to bind SAML |
|
28 | 26 | account to internal rhodecode user. |
|
29 |
For example, 123 is local rhodecode user_id, and '48253211' is |
|
|
27 | For example, 123 is local rhodecode user_id, and '48253211' is OneLogin ID. | |
|
30 | 28 | For other providers you'd have to figure out what would be the user-id, sometimes it's the email, i.e for Google |
|
29 | The most important this id needs to be unique for each user. | |
|
30 | ||
|
31 | .. code-block:: python | |
|
31 | 32 |
|
|
32 | 33 | In [1]: saml2user = { |
|
33 | 34 | ...: # OneLogin, uses externalID available to read from in the UI |
|
34 | 35 | ...: 123: {'id: '48253211'}, |
|
35 | ...: # for google use email | |
|
36 | ...: # for Google/DuoSecurity email is also an option for unique ID | |
|
36 | 37 | ...: 124: {'id: 'email@domain.com'}, |
|
37 | 38 | ...: } |
|
38 | 39 | |
|
39 | 2) Import the plugin you want to run migration for, pick only one and run the `import` statement | |
|
40 | # for duo security | |
|
40 | ||
|
41 | 2) Import the plugin you want to run migration for. | |
|
42 | ||
|
43 | From available options pick only one and run the `import` statement | |
|
44 | ||
|
45 | .. code-block:: python | |
|
46 | ||
|
47 | # for Duo Security | |
|
41 | 48 | In [2]: from rc_auth_plugins.auth_duo_security import RhodeCodeAuthPlugin |
|
42 |
# for |
|
|
49 | # for OneLogin | |
|
43 | 50 | In [2]: from rc_auth_plugins.auth_onelogin import RhodeCodeAuthPlugin |
|
44 | # generic saml | |
|
45 |
In [2]: from rc_auth_plugins.auth_ |
|
|
51 | # generic SAML plugin | |
|
52 | In [2]: from rc_auth_plugins.auth_saml import RhodeCodeAuthPlugin | |
|
53 | ||
|
54 | 3) Run the migration based on saml2user mapping. | |
|
46 | 55 | |
|
47 | 3) Run the migration based on saml2user mapping. Enter in the ishell prompt | |
|
56 | Enter in the ishell prompt | |
|
57 | ||
|
58 | .. code-block:: python | |
|
59 | ||
|
48 | 60 | In [3]: for user in User.get_all(): |
|
49 | 61 | ...: existing_identity = ExternalIdentity().query().filter(ExternalIdentity.local_user_id == user.user_id).scalar() |
|
50 | 62 | ...: attrs = saml2user.get(user.user_id) |
|
51 | 63 | ...: provider = RhodeCodeAuthPlugin.uid |
|
52 |
...: if |
|
|
64 | ...: if existing_identity: | |
|
65 | ...: print('Identity for user `{}` already exists, skipping'.format(user.username)) | |
|
66 | ...: continue | |
|
67 | ...: if attrs: | |
|
68 | ...: external_id = attrs['id'] | |
|
53 | 69 | ...: new_external_identity = ExternalIdentity() |
|
54 |
...: new_external_identity.external_id = |
|
|
70 | ...: new_external_identity.external_id = external_id | |
|
55 | 71 | ...: new_external_identity.external_username = '{}-saml-{}'.format(user.username, user.user_id) |
|
56 | 72 | ...: new_external_identity.provider_name = provider |
|
57 | 73 | ...: new_external_identity.local_user_id = user_id |
@@ -60,7 +76,7 b' In [3]: for user in User.get_all():' | |||
|
60 | 76 | ...: new_external_identity.alt_token = '' |
|
61 | 77 | ...: Session().add(ex_identity) |
|
62 | 78 | ...: Session().commit() |
|
63 | ||
|
79 | ...: print('Set user `{}` external identity bound to ExternalID:{}'.format(user.username, external_id)) | |
|
64 | 80 | |
|
65 | 81 | .. note:: |
|
66 | 82 |
General Comments 0
You need to be logged in to leave comments.
Login now