##// END OF EJS Templates
docs: updated bulk external identity set
marcink -
r3493:1c22d247 default
parent child Browse files
Show More
@@ -1,72 +1,88 b''
1 .. _auth-saml-bulk-enroll-users-ref:
1 .. _auth-saml-bulk-enroll-users-ref:
2
2
3
3
4 Bulk enroll multiple existing users
4 Bulk enroll multiple existing users
5 -----------------------------------
5 -----------------------------------
6
6
7
7
8 RhodeCode Supports standard SAML 2.0 SSO for the web-application part.
8 RhodeCode Supports standard SAML 2.0 SSO for the web-application part.
9 Below is an example how to enroll list of all or some users to use SAML authentication.
9 Below is an example how to enroll list of all or some users to use SAML authentication.
10 This method simply enables SAML authentication for many users at once.
10 This method simply enables SAML authentication for many users at once.
11
11
12
12
13 From the server RhodeCode Enterprise is running run ishell on the instance which we
13 From the server RhodeCode Enterprise is running run ishell on the instance which we
14 want to apply the SAML migration:
14 want to apply the SAML migration::
15
15
16 ```
16 rccontrol ishell enterprise-1
17 rccontrol ishell enterprise-1
18 ```
19
17
20 Follow these steps to enable SAML authentication for multiple users.
18 Follow these steps to enable SAML authentication for multiple users.
21
19
22
20
23 1) Create a user_id => attribute mapping
21 1) Create a user_id => attribute mapping
24
22
25
23
26 `saml2user` is a mapping of external ID from SAML provider such as OneLogin, DuoSecurity, Google.
24 `saml2user` is a mapping of external ID from SAML provider such as OneLogin, DuoSecurity, Google.
27 This mapping consists of local rhodecode user_id mapped to set of required attributes needed to bind SAML
25 This mapping consists of local rhodecode user_id mapped to set of required attributes needed to bind SAML
28 account to internal rhodecode user.
26 account to internal rhodecode user.
29 For example, 123 is local rhodecode user_id, and '48253211' is onelogin ID.
27 For example, 123 is local rhodecode user_id, and '48253211' is OneLogin ID.
30 For other providers you'd have to figure out what would be the user-id, sometimes it's the email, i.e for Google
28 For other providers you'd have to figure out what would be the user-id, sometimes it's the email, i.e for Google
29 The most important this id needs to be unique for each user.
30
31 .. code-block:: python
32
33 In [1]: saml2user = {
34 ...: # OneLogin, uses externalID available to read from in the UI
35 ...: 123: {'id: '48253211'},
36 ...: # for Google/DuoSecurity email is also an option for unique ID
37 ...: 124: {'id: 'email@domain.com'},
38 ...: }
31
39
32 In [1]: saml2user = {
40
33 ...: # OneLogin, uses externalID available to read from in the UI
41 2) Import the plugin you want to run migration for.
34 ...: 123: {'id: '48253211'},
42
35 ...: # for google use email
43 From available options pick only one and run the `import` statement
36 ...: 124: {'id: 'email@domain.com'},
44
37 ...: }
45 .. code-block:: python
38
46
39 2) Import the plugin you want to run migration for, pick only one and run the `import` statement
47 # for Duo Security
40 # for duo security
48 In [2]: from rc_auth_plugins.auth_duo_security import RhodeCodeAuthPlugin
41 In [2]: from rc_auth_plugins.auth_duo_security import RhodeCodeAuthPlugin
49 # for OneLogin
42 # for onelogin
50 In [2]: from rc_auth_plugins.auth_onelogin import RhodeCodeAuthPlugin
43 In [2]: from rc_auth_plugins.auth_onelogin import RhodeCodeAuthPlugin
51 # generic SAML plugin
44 # generic saml
52 In [2]: from rc_auth_plugins.auth_saml import RhodeCodeAuthPlugin
45 In [2]: from rc_auth_plugins.auth_duo_security import RhodeCodeAuthPlugin
46
53
47 3) Run the migration based on saml2user mapping. Enter in the ishell prompt
54 3) Run the migration based on saml2user mapping.
48 In [3]: for user in User.get_all():
55
49 ...: existing_identity = ExternalIdentity().query().filter(ExternalIdentity.local_user_id == user.user_id).scalar()
56 Enter in the ishell prompt
50 ...: attrs = saml2user.get(user.user_id)
57
51 ...: provider = RhodeCodeAuthPlugin.uid
58 .. code-block:: python
52 ...: if not existing_identity and attrs:
53 ...: new_external_identity = ExternalIdentity()
54 ...: new_external_identity.external_id = attrs['id']
55 ...: new_external_identity.external_username = '{}-saml-{}'.format(user.username, user.user_id)
56 ...: new_external_identity.provider_name = provider
57 ...: new_external_identity.local_user_id = user_id
58 ...: new_external_identity.access_token = ''
59 ...: new_external_identity.token_secret = ''
60 ...: new_external_identity.alt_token = ''
61 ...: Session().add(ex_identity)
62 ...: Session().commit()
63
59
60 In [3]: for user in User.get_all():
61 ...: existing_identity = ExternalIdentity().query().filter(ExternalIdentity.local_user_id == user.user_id).scalar()
62 ...: attrs = saml2user.get(user.user_id)
63 ...: provider = RhodeCodeAuthPlugin.uid
64 ...: if existing_identity:
65 ...: print('Identity for user `{}` already exists, skipping'.format(user.username))
66 ...: continue
67 ...: if attrs:
68 ...: external_id = attrs['id']
69 ...: new_external_identity = ExternalIdentity()
70 ...: new_external_identity.external_id = external_id
71 ...: new_external_identity.external_username = '{}-saml-{}'.format(user.username, user.user_id)
72 ...: new_external_identity.provider_name = provider
73 ...: new_external_identity.local_user_id = user_id
74 ...: new_external_identity.access_token = ''
75 ...: new_external_identity.token_secret = ''
76 ...: new_external_identity.alt_token = ''
77 ...: Session().add(ex_identity)
78 ...: Session().commit()
79 ...: print('Set user `{}` external identity bound to ExternalID:{}'.format(user.username, external_id))
64
80
65 .. note::
81 .. note::
66
82
67 saml2user can be really big and hard to maintain in ishell. It's also possible
83 saml2user can be really big and hard to maintain in ishell. It's also possible
68 to load it as a JSON file prepared before and stored on disk. To do so run::
84 to load it as a JSON file prepared before and stored on disk. To do so run::
69
85
70 import json
86 import json
71 saml2user = json.loads(open('/path/to/saml2user.json','rb').read())
87 saml2user = json.loads(open('/path/to/saml2user.json','rb').read())
72
88
General Comments 0
You need to be logged in to leave comments. Login now