Show More
@@ -0,0 +1,72 b'' | |||
|
1 | .. _auth-saml-bulk-enroll-users-ref: | |
|
2 | ||
|
3 | ||
|
4 | Bulk enroll multiple existing users | |
|
5 | ----------------------------------- | |
|
6 | ||
|
7 | ||
|
8 | RhodeCode Supports standard SAML 2.0 SSO for the web-application part. | |
|
9 | Below is an example how to enroll list of all or some users to use SAML authentication. | |
|
10 | This method simply enables SAML authentication for many users at once. | |
|
11 | ||
|
12 | ||
|
13 | From the server RhodeCode Enterprise is running run ishell on the instance which we | |
|
14 | want to apply the SAML migration: | |
|
15 | ||
|
16 | ``` | |
|
17 | rccontrol ishell enterprise-1 | |
|
18 | ``` | |
|
19 | ||
|
20 | Follow these steps to enable SAML authentication for multiple users. | |
|
21 | ||
|
22 | ||
|
23 | 1) Create a user_id => attribute mapping | |
|
24 | ||
|
25 | ||
|
26 | `saml2user` is a mapping of external ID from SAML provider such as OneLogin, DuoSecurity, Google. | |
|
27 | This mapping consists of local rhodecode user_id mapped to set of required attributes needed to bind SAML | |
|
28 | account to internal rhodecode user. | |
|
29 | For example, 123 is local rhodecode user_id, and '48253211' is onelogin ID. | |
|
30 | For other providers you'd have to figure out what would be the user-id, sometimes it's the email, i.e for Google | |
|
31 | ||
|
32 | In [1]: saml2user = { | |
|
33 | ...: # OneLogin, uses externalID available to read from in the UI | |
|
34 | ...: 123: {'id: '48253211'}, | |
|
35 | ...: # for google use email | |
|
36 | ...: 124: {'id: 'email@domain.com'}, | |
|
37 | ...: } | |
|
38 | ||
|
39 | 2) Import the plugin you want to run migration for, pick only one and run the `import` statement | |
|
40 | # for duo security | |
|
41 | In [2]: from rc_auth_plugins.auth_duo_security import RhodeCodeAuthPlugin | |
|
42 | # for onelogin | |
|
43 | In [2]: from rc_auth_plugins.auth_onelogin import RhodeCodeAuthPlugin | |
|
44 | # generic saml | |
|
45 | In [2]: from rc_auth_plugins.auth_duo_security import RhodeCodeAuthPlugin | |
|
46 | ||
|
47 | 3) Run the migration based on saml2user mapping. Enter in the ishell prompt | |
|
48 | In [3]: for user in User.get_all(): | |
|
49 | ...: existing_identity = ExternalIdentity().query().filter(ExternalIdentity.local_user_id == user.user_id).scalar() | |
|
50 | ...: attrs = saml2user.get(user.user_id) | |
|
51 | ...: provider = RhodeCodeAuthPlugin.uid | |
|
52 | ...: if not existing_identity and attrs: | |
|
53 | ...: new_external_identity = ExternalIdentity() | |
|
54 | ...: new_external_identity.external_id = attrs['id'] | |
|
55 | ...: new_external_identity.external_username = '{}-saml-{}'.format(user.username, user.user_id) | |
|
56 | ...: new_external_identity.provider_name = provider | |
|
57 | ...: new_external_identity.local_user_id = user_id | |
|
58 | ...: new_external_identity.access_token = '' | |
|
59 | ...: new_external_identity.token_secret = '' | |
|
60 | ...: new_external_identity.alt_token = '' | |
|
61 | ...: Session().add(ex_identity) | |
|
62 | ...: Session().commit() | |
|
63 | ||
|
64 | ||
|
65 | .. note:: | |
|
66 | ||
|
67 | saml2user can be really big and hard to maintain in ishell. It's also possible | |
|
68 | to load it as a JSON file prepared before and stored on disk. To do so run:: | |
|
69 | ||
|
70 | import json | |
|
71 | saml2user = json.loads(open('/path/to/saml2user.json','rb').read()) | |
|
72 |
@@ -1,18 +1,19 b'' | |||
|
1 | 1 | .. _config-saml-generic-ref: |
|
2 | 2 | |
|
3 | 3 | |
|
4 | 4 | SAML 2.0 Authentication |
|
5 | 5 | ----------------------- |
|
6 | 6 | |
|
7 | 7 | |
|
8 | 8 | **This plugin is available only in EE Edition.** |
|
9 | 9 | |
|
10 | 10 | RhodeCode Supports standard SAML 2.0 SSO for the web-application part. |
|
11 | 11 | |
|
12 | 12 | Please check for reference two example providers: |
|
13 | 13 | |
|
14 | 14 | .. toctree:: |
|
15 | 15 | |
|
16 | 16 | auth-saml-duosecurity |
|
17 | 17 | auth-saml-onelogin |
|
18 | auth-saml-bulk-enroll-users | |
|
18 | 19 |
General Comments 0
You need to be logged in to leave comments.
Login now