Nuxeo Platform
NXP-25062

Expose create and update flags through contribution for UserMapperBasedResolver


    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 9.10, 10.1
    • Fix Version/s: 9.10-HF13, 10.3
    • Component/s: Authentication
    • Release Notes Summary:
      Support for read-only user directories is added to our SAML implementation.
    • Upgrade notes:

      Two new parameters are now available when configuring the SAML authentication plugin:

      1. userResolverCreateIfNeeded: create the user if it does not exist in the repository (default value is true)
      2. userResolverUpdate: update the user if it is present in the repository (default value is true)

      When set to true, both parameters require a user directory that is not read-only.

    • Sprint:
      nxsupport 10.2.4
    • Story Points:
      2

      Description

      Looking at the current code:
      https://github.com/nuxeo/nuxeo/blob/master/nuxeo-services/login/nuxeo-platform-login-saml2/src/main/java/org/nuxeo/ecm/platform/auth/saml/user/UserMapperBasedResolver.java#L53

      This will call the following method with hardcoded values for createIfNeeded and update:
      https://github.com/nuxeo/nuxeo/blob/master/nuxeo-services/nuxeo-usermapper/src/main/java/org/nuxeo/usermapper/service/UserMapperComponent.java#L104

      For instance, this prevents the usage of LDAP readonly and SAML which attempts to create the user in the directory.

      Shibboleth encounters the same issue.

      Having those flags customizable through the contribution would solve this issue.

          <extension target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService"
                  point="authenticators">
              <authenticationPlugin name="OKTA_AUTH" enabled="true"
                                    class="org.nuxeo.ecm.platform.auth.saml.SAMLAuthenticationProvider">
                  <loginModulePlugin>Trusting_LM</loginModulePlugin>
                  <needStartingURLSaving>true</needStartingURLSaving>
                  <parameters>
                      <parameter name="name">Okta</parameter>
                      <!-- Uri of the metadata -->
                      <parameter name="metadata">https://inevo.okta.com/app/kwojxppsUAOQYHDCJHER/sso/saml/metadata</parameter>
                      <!-- Request timeout in seconds -->
                      <parameter name="timeout">5</parameter>
                      <parameter name="userResolverCreateIfNeeded">false</parameter>
                      <parameter name="userResolverUpdate">false</parameter>
                  </parameters>
              </authenticationPlugin>
          </extension>
      
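      The constraint stated in the upgrade notes (both flags default to true, and a true flag needs a directory that is not read-only) is easy to check before deployment. The following is an added example, not Nuxeo project code: it parses an authenticationPlugin contribution like the one above together with a directory contribution, applies the documented defaults, and reports every write flag that is enabled while the user directory is declared read-only. The directory snippet, its <readOnly> element and the directory name "userDirectory" are assumptions for the illustration, not taken from the ticket.

```python
import xml.etree.ElementTree as ET

FLAGS = ("userResolverCreateIfNeeded", "userResolverUpdate")
DEFAULT_VALUE = True  # both flags default to true according to the upgrade notes

# Constructed sample based on the ticket's contribution, with the two new
# parameters set to false so that a read-only LDAP user directory works.
SAML_PLUGIN_XML = """<extension target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService"
           point="authenticators">
  <authenticationPlugin name="OKTA_AUTH" enabled="true"
                        class="org.nuxeo.ecm.platform.auth.saml.SAMLAuthenticationProvider">
    <loginModulePlugin>Trusting_LM</loginModulePlugin>
    <needStartingURLSaving>true</needStartingURLSaving>
    <parameters>
      <parameter name="name">Okta</parameter>
      <parameter name="metadata">https://idp.example.invalid/sso/saml/metadata</parameter>
      <parameter name="timeout">5</parameter>
      <parameter name="userResolverCreateIfNeeded">false</parameter>
      <parameter name="userResolverUpdate">false</parameter>
    </parameters>
  </authenticationPlugin>
</extension>"""

# Same contribution without the two parameters, i.e. the pre-NXP-25062 situation
# where both flags silently take their default value of true.
LEGACY_PLUGIN_XML = (
    SAML_PLUGIN_XML
    .replace('      <parameter name="userResolverCreateIfNeeded">false</parameter>\n', "")
    .replace('      <parameter name="userResolverUpdate">false</parameter>\n', "")
)

# Constructed sample of a directory contribution declaring the user directory
# read-only. The <readOnly> element is an assumption about the descriptor.
READ_ONLY_DIRECTORY_XML = """<extension target="org.nuxeo.ecm.directory.ldap.LDAPDirectoryFactory" point="directories">
  <directory name="userDirectory">
    <readOnly>true</readOnly>
  </directory>
</extension>"""


def _as_bool(text):
    """Parse the textual boolean used in <parameter> values; anything but 'true' is false."""
    return (text or "").strip().lower() == "true"


def resolver_flags(plugin_xml, plugin_name):
    """Return {flag: bool} for the named authenticationPlugin.

    A parameter that is absent takes the documented default (true), which is
    exactly the case that bites a read-only directory."""
    root = ET.fromstring(plugin_xml)
    plugin = root.find(f"./authenticationPlugin[@name='{plugin_name}']")
    if plugin is None:
        raise ValueError(f"no authenticationPlugin named {plugin_name}")
    explicit = {
        p.get("name"): _as_bool(p.text)
        for p in plugin.iterfind("./parameters/parameter")
        if p.get("name") in FLAGS
    }
    return {flag: explicit.get(flag, DEFAULT_VALUE) for flag in FLAGS}


def directory_read_only(directory_xml, directory_name):
    """True when the named directory is declared read-only (assumed <readOnly> element)."""
    root = ET.fromstring(directory_xml)
    directory = root.find(f"./directory[@name='{directory_name}']")
    if directory is None:
        raise ValueError(f"no directory named {directory_name}")
    return _as_bool(directory.findtext("readOnly"))


def check_resolver_against_directory(plugin_xml, plugin_name, directory_xml, directory_name="userDirectory"):
    """Return one finding per write flag that is true while the target directory is read-only."""
    if not directory_read_only(directory_xml, directory_name):
        return []
    return [
        f"{flag}=true but directory '{directory_name}' is read-only; "
        f'set <parameter name="{flag}">false</parameter>'
        for flag, enabled in resolver_flags(plugin_xml, plugin_name).items()
        if enabled
    ]


if __name__ == "__main__":
    for label, xml_text in (("configured", SAML_PLUGIN_XML), ("legacy", LEGACY_PLUGIN_XML)):
        findings = check_resolver_against_directory(xml_text, "OKTA_AUTH", READ_ONLY_DIRECTORY_XML)
        print(label, "->", findings or "OK")
```

      Run against the ticket's configuration the check reports nothing; run against the same plugin with the two parameters omitted it reports both flags, which is the combination that made the resolver attempt writes into a read-only LDAP directory.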

        People

        • Votes: 0
        • Watchers: 2

        Time Tracking

        • Estimated: 0m
        • Remaining: 0m
        • Logged: 4h 30m