SAML Omniauth Support for Auditor users
Problem to solve
The SAML Omniauth module currently lets system administrators specify which SAML groups mark a user as external. We'd like to be able to do the same thing for auditor users.
Proposal
A new setting in the SAML Omniauth module to specify which SAML groups should automatically set the auditor permission.
```ruby
{
  name: 'saml',
  label: 'Our SAML Provider',
  groups_attribute: 'Groups',
  external_groups: ['Freelancers', 'Interns'],
  auditor_groups: ['Auditors', 'Security'],
  args: {
    assertion_consumer_service_url: 'https://gitlab.example.com/users/auth/saml/callback',
    idp_cert_fingerprint: '43:51:43:a1:b5:fc:8b:b7:0a:3a:a9:b1:0f:66:73:a8',
    idp_sso_target_url: 'https://login.example.com/idp',
    issuer: 'https://gitlab.example.com',
    name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent'
  }
}
```
Implementation
- Add `auditor_groups` definition to `ee/lib/ee/gitlab/auth/saml/config.rb`
- Add `user.auditor` code to `ee/lib/ee/gitlab/auth/saml/user.rb`
- Add `auditor_groups_enabled?` function in `ee/lib/ee/gitlab/auth/saml/user.rb`
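To make the proposal concrete, here is an added example of how the group-to-flag mapping could work end to end. It is illustration code written for this issue, not GitLab's own implementation; the `SamlGroupMapper` class, the `flags_for` / `apply!` methods and the sample data are assumptions. It models the `auditor_groups_enabled?` check from the list above: the auditor flag is only touched when an administrator has actually configured `auditor_groups`, so an unconfigured mapping never overrides a flag that was set by hand.

```ruby
# Added example (not GitLab's code): map SAML group membership to the
# `external` and `auditor` flags described in this issue.
# Class and method names are assumptions for illustration.

class SamlGroupMapper
  def initialize(config)
    @groups_attribute = config[:groups_attribute]
    @external_groups  = Array(config[:external_groups])
    @auditor_groups   = Array(config[:auditor_groups])
  end

  # Mirrors the proposed `auditor_groups_enabled?`: the auditor mapping only
  # takes effect when a groups attribute and at least one group are configured.
  def auditor_groups_enabled?
    !@groups_attribute.nil? && !@auditor_groups.empty?
  end

  # Same rule for the existing external mapping.
  def external_groups_enabled?
    !@groups_attribute.nil? && !@external_groups.empty?
  end

  # `attributes` is the SAML assertion's attribute statement, modelled as a
  # Hash of attribute name => Array of values. A missing attribute yields [].
  def groups_from(attributes)
    return [] if @groups_attribute.nil?
    Array(attributes[@groups_attribute]).map(&:to_s)
  end

  # Returns the flags to set on the user after login. A flag is only present
  # when its mapping is enabled, so disabled mappings leave the user untouched.
  def flags_for(attributes)
    groups = groups_from(attributes)
    flags = {}
    flags[:external] = groups.any? { |g| @external_groups.include?(g) } if external_groups_enabled?
    flags[:auditor]  = groups.any? { |g| @auditor_groups.include?(g) }  if auditor_groups_enabled?
    flags
  end

  # Apply the computed flags to a user-like object responding to `external=`
  # and `auditor=`. Returns the user for chaining.
  def apply!(user, attributes)
    flags_for(attributes).each { |flag, value| user.public_send("#{flag}=", value) }
    user
  end
end

# Constructed sample configuration (same shape as the proposal above).
SAMPLE_CONFIG = {
  name: 'saml',
  groups_attribute: 'Groups',
  external_groups: ['Freelancers', 'Interns'],
  auditor_groups: ['Auditors', 'Security']
}.freeze

# Minimal stand-in for the user record; constructed for this example.
User = Struct.new(:username, :external, :auditor)

if __FILE__ == $PROGRAM_NAME
  mapper = SamlGroupMapper.new(SAMPLE_CONFIG)
  # Constructed assertion attributes, not from a real IdP.
  alice = mapper.apply!(User.new('alice', false, false), { 'Groups' => ['Security', 'Developers'] })
  puts "alice: external=#{alice.external} auditor=#{alice.auditor}"
end
```

Running the file prints `alice: external=false auditor=true`. A user in both an external and an auditor group gets both flags in this model; whether the real implementation should let one take precedence is a design decision the proposal does not settle.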
What does success look like, and how can we measure that?
A new auditor user is automatically assigned the auditor flag when they log in, based on their group membership in SAML.
Edited by St. John Johnson