Show More
| @@ -1,88 +1,88 b'' | |||||
| 1 | .. _auth-saml-bulk-enroll-users-ref: |
|
1 | .. _auth-saml-bulk-enroll-users-ref: | |
| 2 |
|
2 | |||
| 3 |
|
3 | |||
| 4 | Bulk enroll multiple existing users |
|
4 | Bulk enroll multiple existing users | |
| 5 | ----------------------------------- |
|
5 | ----------------------------------- | |
| 6 |
|
6 | |||
| 7 |
|
7 | |||
| 8 | RhodeCode Supports standard SAML 2.0 SSO for the web-application part. |
|
8 | RhodeCode Supports standard SAML 2.0 SSO for the web-application part. | |
| 9 | Below is an example how to enroll list of all or some users to use SAML authentication. |
|
9 | Below is an example how to enroll list of all or some users to use SAML authentication. | |
| 10 | This method simply enables SAML authentication for many users at once. |
|
10 | This method simply enables SAML authentication for many users at once. | |
| 11 |
|
11 | |||
| 12 |
|
12 | |||
| 13 | From the server RhodeCode Enterprise is running run ishell on the instance which we |
|
13 | From the server RhodeCode Enterprise is running run ishell on the instance which we | |
| 14 | want to apply the SAML migration:: |
|
14 | want to apply the SAML migration:: | |
| 15 |
|
15 | |||
| 16 | rccontrol ishell enterprise-1 |
|
16 | rccontrol ishell enterprise-1 | |
| 17 |
|
17 | |||
| 18 | Follow these steps to enable SAML authentication for multiple users. |
|
18 | Follow these steps to enable SAML authentication for multiple users. | |
| 19 |
|
19 | |||
| 20 |
|
20 | |||
| 21 | 1) Create a user_id => attribute mapping |
|
21 | 1) Create a user_id => attribute mapping | |
| 22 |
|
22 | |||
| 23 |
|
23 | |||
| 24 | `saml2user` is a mapping of external ID from SAML provider such as OneLogin, DuoSecurity, Google. |
|
24 | `saml2user` is a mapping of external ID from SAML provider such as OneLogin, DuoSecurity, Google. | |
| 25 | This mapping consists of local rhodecode user_id mapped to set of required attributes needed to bind SAML |
|
25 | This mapping consists of local rhodecode user_id mapped to set of required attributes needed to bind SAML | |
| 26 | account to internal rhodecode user. |
|
26 | account to internal rhodecode user. | |
| 27 | For example, 123 is local rhodecode user_id, and '48253211' is OneLogin ID. |
|
27 | For example, 123 is local rhodecode user_id, and '48253211' is OneLogin ID. | |
| 28 | For other providers you'd have to figure out what would be the user-id, sometimes it's the email, i.e for Google |
|
28 | For other providers you'd have to figure out what would be the user-id, sometimes it's the email, i.e for Google | |
| 29 | The most important this id needs to be unique for each user. |
|
29 | The most important this id needs to be unique for each user. | |
| 30 |
|
30 | |||
| 31 | .. code-block:: python |
|
31 | .. code-block:: python | |
| 32 |
|
32 | |||
| 33 | In [1]: saml2user = { |
|
33 | In [1]: saml2user = { | |
| 34 | ...: # OneLogin, uses externalID available to read from in the UI |
|
34 | ...: # OneLogin, uses externalID available to read from in the UI | |
| 35 | ...: 123: {'id: '48253211'}, |
|
35 | ...: 123: {'id': '48253211'}, | |
| 36 | ...: # for Google/DuoSecurity email is also an option for unique ID |
|
36 | ...: # for Google/DuoSecurity email is also an option for unique ID | |
| 37 |
...: 124: {'id |
|
37 | ...: 124: {'id': 'email@domain.com'}, | |
| 38 | ...: } |
|
38 | ...: } | |
| 39 |
|
39 | |||
| 40 |
|
40 | |||
| 41 | 2) Import the plugin you want to run migration for. |
|
41 | 2) Import the plugin you want to run migration for. | |
| 42 |
|
42 | |||
| 43 | From available options pick only one and run the `import` statement |
|
43 | From available options pick only one and run the `import` statement | |
| 44 |
|
44 | |||
| 45 | .. code-block:: python |
|
45 | .. code-block:: python | |
| 46 |
|
46 | |||
| 47 | # for Duo Security |
|
47 | # for Duo Security | |
| 48 | In [2]: from rc_auth_plugins.auth_duo_security import RhodeCodeAuthPlugin |
|
48 | In [2]: from rc_auth_plugins.auth_duo_security import RhodeCodeAuthPlugin | |
| 49 | # for OneLogin |
|
49 | # for OneLogin | |
| 50 | In [2]: from rc_auth_plugins.auth_onelogin import RhodeCodeAuthPlugin |
|
50 | In [2]: from rc_auth_plugins.auth_onelogin import RhodeCodeAuthPlugin | |
| 51 | # generic SAML plugin |
|
51 | # generic SAML plugin | |
| 52 | In [2]: from rc_auth_plugins.auth_saml import RhodeCodeAuthPlugin |
|
52 | In [2]: from rc_auth_plugins.auth_saml import RhodeCodeAuthPlugin | |
| 53 |
|
53 | |||
| 54 | 3) Run the migration based on saml2user mapping. |
|
54 | 3) Run the migration based on saml2user mapping. | |
| 55 |
|
55 | |||
| 56 | Enter in the ishell prompt |
|
56 | Enter in the ishell prompt | |
| 57 |
|
57 | |||
| 58 | .. code-block:: python |
|
58 | .. code-block:: python | |
| 59 |
|
59 | |||
| 60 | In [3]: for user in User.get_all(): |
|
60 | In [3]: for user in User.get_all(): | |
| 61 | ...: existing_identity = ExternalIdentity().query().filter(ExternalIdentity.local_user_id == user.user_id).scalar() |
|
61 | ...: existing_identity = ExternalIdentity().query().filter(ExternalIdentity.local_user_id == user.user_id).scalar() | |
| 62 | ...: attrs = saml2user.get(user.user_id) |
|
62 | ...: attrs = saml2user.get(user.user_id) | |
| 63 | ...: provider = RhodeCodeAuthPlugin.uid |
|
63 | ...: provider = RhodeCodeAuthPlugin.uid | |
| 64 | ...: if existing_identity: |
|
64 | ...: if existing_identity: | |
| 65 | ...: print('Identity for user `{}` already exists, skipping'.format(user.username)) |
|
65 | ...: print('Identity for user `{}` already exists, skipping'.format(user.username)) | |
| 66 | ...: continue |
|
66 | ...: continue | |
| 67 | ...: if attrs: |
|
67 | ...: if attrs: | |
| 68 | ...: external_id = attrs['id'] |
|
68 | ...: external_id = attrs['id'] | |
| 69 | ...: new_external_identity = ExternalIdentity() |
|
69 | ...: new_external_identity = ExternalIdentity() | |
| 70 | ...: new_external_identity.external_id = external_id |
|
70 | ...: new_external_identity.external_id = external_id | |
| 71 | ...: new_external_identity.external_username = '{}-saml-{}'.format(user.username, user.user_id) |
|
71 | ...: new_external_identity.external_username = '{}-saml-{}'.format(user.username, user.user_id) | |
| 72 | ...: new_external_identity.provider_name = provider |
|
72 | ...: new_external_identity.provider_name = provider | |
| 73 | ...: new_external_identity.local_user_id = user_id |
|
73 | ...: new_external_identity.local_user_id = user.user_id | |
| 74 | ...: new_external_identity.access_token = '' |
|
74 | ...: new_external_identity.access_token = '' | |
| 75 | ...: new_external_identity.token_secret = '' |
|
75 | ...: new_external_identity.token_secret = '' | |
| 76 | ...: new_external_identity.alt_token = '' |
|
76 | ...: new_external_identity.alt_token = '' | |
| 77 | ...: Session().add(ex_identity) |
|
77 | ...: Session().add(ex_identity) | |
| 78 | ...: Session().commit() |
|
78 | ...: Session().commit() | |
| 79 | ...: print('Set user `{}` external identity bound to ExternalID:{}'.format(user.username, external_id)) |
|
79 | ...: print('Set user `{}` external identity bound to ExternalID:{}'.format(user.username, external_id)) | |
| 80 |
|
80 | |||
| 81 | .. note:: |
|
81 | .. note:: | |
| 82 |
|
82 | |||
| 83 | saml2user can be really big and hard to maintain in ishell. It's also possible |
|
83 | saml2user can be really big and hard to maintain in ishell. It's also possible | |
| 84 | to load it as a JSON file prepared before and stored on disk. To do so run:: |
|
84 | to load it as a JSON file prepared before and stored on disk. To do so run:: | |
| 85 |
|
85 | |||
| 86 | import json |
|
86 | import json | |
| 87 | saml2user = json.loads(open('/path/to/saml2user.json','rb').read()) |
|
87 | saml2user = json.loads(open('/path/to/saml2user.json','rb').read()) | |
| 88 |
|
88 | |||
General Comments 0
You need to be logged in to leave comments.
Login now