Skip to content

Commit

Permalink
Merge pull request #1704 from srenatus/sr/saml/filter-allowed-groups
Browse files Browse the repository at this point in the history
connector/saml: add 'FilterGroups' setting
  • Loading branch information
sagikazarmark authored May 12, 2020
2 parents c0dfeb7 + 4a0feaf commit ba723ca
Show file tree
Hide file tree
Showing 3 changed files with 34 additions and 0 deletions.
2 changes: 2 additions & 0 deletions Documentation/connectors/saml.md
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,8 @@ The connector doesn't support signed AuthnRequests or encrypted attributes.

The SAML Connector supports providing a whitelist of SAML Groups to filter access based on, and when the `groupsattr` is set with a scope including groups, Dex will check for membership based on configured groups in the `allowedGroups` config setting for the SAML connector.

If `filterGroups` is set to true, any groups _not_ part of `allowedGroups` will be excluded.

## Configuration

```yaml
Expand Down
7 changes: 7 additions & 0 deletions connector/saml/saml.go
Original file line number Diff line number Diff line change
Expand Up @@ -101,6 +101,7 @@ type Config struct {
// used split the groups string.
GroupsDelim string `json:"groupsDelim"`
AllowedGroups []string `json:"allowedGroups"`
FilterGroups bool `json:"filterGroups"`
RedirectURI string `json:"redirectURI"`

// Requested format of the NameID. The NameID value is is mapped to the ID Token
Expand Down Expand Up @@ -165,6 +166,7 @@ func (c *Config) openConnector(logger log.Logger) (*provider, error) {
groupsAttr: c.GroupsAttr,
groupsDelim: c.GroupsDelim,
allowedGroups: c.AllowedGroups,
filterGroups: c.FilterGroups,
redirectURI: c.RedirectURI,
logger: logger,

Expand Down Expand Up @@ -240,6 +242,7 @@ type provider struct {
groupsAttr string
groupsDelim string
allowedGroups []string
filterGroups bool

redirectURI string

Expand Down Expand Up @@ -430,6 +433,10 @@ func (p *provider) HandlePOST(s connector.Scopes, samlResponse, inResponseTo str
return ident, fmt.Errorf("user not a member of allowed groups")
}

if p.filterGroups {
ident.Groups = groupMatches
}

// Otherwise, we're good
return ident, nil
}
Expand Down
25 changes: 25 additions & 0 deletions connector/saml/saml_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -53,6 +53,7 @@ type responseTest struct {
emailAttr string
groupsAttr string
allowedGroups []string
filterGroups bool

// Expected outcome of the test.
wantErr bool
Expand Down Expand Up @@ -121,6 +122,29 @@ func TestGroupsWhitelist(t *testing.T) {
test.run(t)
}

func TestGroupsWhitelistWithFiltering(t *testing.T) {
test := responseTest{
caFile: "testdata/ca.crt",
respFile: "testdata/good-resp.xml",
now: "2017-04-04T04:34:59.330Z",
usernameAttr: "Name",
emailAttr: "email",
groupsAttr: "groups",
allowedGroups: []string{"Admins"},
filterGroups: true,
inResponseTo: "6zmm5mguyebwvajyf2sdwwcw6m",
redirectURI: "http://127.0.0.1:5556/dex/callback",
wantIdent: connector.Identity{
UserID: "[email protected]",
Username: "Eric",
Email: "[email protected]",
EmailVerified: true,
Groups: []string{"Admins"}, // "Everyone" is filtered
},
}
test.run(t)
}

func TestGroupsWhitelistEmpty(t *testing.T) {
test := responseTest{
caFile: "testdata/ca.crt",
Expand Down Expand Up @@ -388,6 +412,7 @@ func (r responseTest) run(t *testing.T) {
RedirectURI: r.redirectURI,
EntityIssuer: r.entityIssuer,
AllowedGroups: r.allowedGroups,
FilterGroups: r.filterGroups,
// Never logging in, don't need this.
SSOURL: "http://foo.bar/",
}
Expand Down

0 comments on commit ba723ca

Please sign in to comment.