docs: added an example of how to enroll multiple users in SAML.
marcink -
r3491:6b5497ed default
Not Reviewed
@@ -0,0 +1,72
1 .. _auth-saml-bulk-enroll-users-ref:
2
3
4 Bulk enroll multiple existing users
5 -----------------------------------
6
7
8 RhodeCode Supports standard SAML 2.0 SSO for the web-application part.
9 Below is an example how to enroll list of all or some users to use SAML authentication.
10 This method simply enables SAML authentication for many users at once.
11
12
13 From the server RhodeCode Enterprise is running run ishell on the instance which we
14 want to apply the SAML migration:
15
16 ```
17 rccontrol ishell enterprise-1
18 ```
19
20 Follow these steps to enable SAML authentication for multiple users.
21
22
23 1) Create a user_id => attribute mapping
24
25
26 `saml2user` is a mapping of external ID from SAML provider such as OneLogin, DuoSecurity, Google.
27 This mapping consists of local rhodecode user_id mapped to set of required attributes needed to bind SAML
28 account to internal rhodecode user.
29 For example, 123 is local rhodecode user_id, and '48253211' is onelogin ID.
30 For other providers you'd have to figure out what would be the user-id, sometimes it's the email, i.e for Google
31
32 In [1]: saml2user = {
33 ...: # OneLogin, uses externalID available to read from in the UI
34 ...: 123: {'id: '48253211'},
35 ...: # for google use email
36 ...: 124: {'id: 'email@domain.com'},
37 ...: }
38
39 2) Import the plugin you want to run migration for, pick only one and run the `import` statement
40 # for duo security
41 In [2]: from rc_auth_plugins.auth_duo_security import RhodeCodeAuthPlugin
42 # for onelogin
43 In [2]: from rc_auth_plugins.auth_onelogin import RhodeCodeAuthPlugin
44 # generic saml
45 In [2]: from rc_auth_plugins.auth_duo_security import RhodeCodeAuthPlugin
46
47 3) Run the migration based on saml2user mapping. Enter in the ishell prompt
48 In [3]: for user in User.get_all():
49 ...: existing_identity = ExternalIdentity().query().filter(ExternalIdentity.local_user_id == user.user_id).scalar()
50 ...: attrs = saml2user.get(user.user_id)
51 ...: provider = RhodeCodeAuthPlugin.uid
52 ...: if not existing_identity and attrs:
53 ...: new_external_identity = ExternalIdentity()
54 ...: new_external_identity.external_id = attrs['id']
55 ...: new_external_identity.external_username = '{}-saml-{}'.format(user.username, user.user_id)
56 ...: new_external_identity.provider_name = provider
57 ...: new_external_identity.local_user_id = user_id
58 ...: new_external_identity.access_token = ''
59 ...: new_external_identity.token_secret = ''
60 ...: new_external_identity.alt_token = ''
61 ...: Session().add(ex_identity)
62 ...: Session().commit()
63
64
65 .. note::
66
67 saml2user can be really big and hard to maintain in ishell. It's also possible
68 to load it as a JSON file prepared before and stored on disk. To do so run::
69
70 import json
71 saml2user = json.loads(open('/path/to/saml2user.json','rb').read())
72
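Review bot: the ishell snippet in this hunk will not run as pasted: lines 34 and 36 have an unterminated dictionary key (`123: {'id: '48253211'},` should be `123: {'id': '48253211'},`), line 57 assigns an undefined name `user_id` (should be `user.user_id`), and line 61 adds an undefined `ex_identity` to the session (should be `new_external_identity`). Under the `# generic saml` comment on line 45 the Duo Security import from line 41 is repeated, so the third option imports the same plugin as the first; it should import the generic SAML plugin module instead. The lookup on line 49 filters only on `local_user_id`, so a user who already has an identity from a different provider is silently skipped; adding `ExternalIdentity.provider_name == RhodeCodeAuthPlugin.uid` to the filter makes the `existing_identity` check match what the migration intends. The `Session().commit()` on line 62 runs once per user; moving it after the loop commits the whole migration at once. The JSON alternative on line 71 has a logic problem too: JSON object keys are always strings, while `saml2user.get(user.user_id)` on line 50 looks up an integer, so every lookup on a mapping loaded from the file returns `None` and no user is enrolled; convert the keys with `int()` after loading, and open the file as `with open('/path/to/saml2user.json') as f: saml2user = json.load(f)` so the handle is closed. Lines 16-18 use Markdown backtick fences inside an RST document; use a `::` literal block or `.. code-block:: bash` so Sphinx renders it. Finally, lowercase "Supports" on line 8 and rephrase line 9 as "Below is an example of how to enroll all or some users to use SAML authentication."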
@@ -15,4 +15,5
15
15
16 auth-saml-duosecurity
16 auth-saml-duosecurity
17 auth-saml-onelogin
17 auth-saml-onelogin
18 auth-saml-bulk-enroll-users
18
19
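Review bot: the new toctree entry on line 18, `auth-saml-bulk-enroll-users`, follows the naming of the two existing SAML entries, but the hunk header does not show the path of the document added in the first hunk; confirm that file is saved as `auth-saml-bulk-enroll-users.rst` in the same directory as this toctree, otherwise Sphinx will warn that the toctree references a nonexisting document and the page will not be reachable from the navigation.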