Uploaded image for project: 'Nuxeo Platform'
  1. Nuxeo Platform
  2. NXP-25062

Expose create and update flags through contribution for UserMapperBasedResolver

    XMLWordPrintable

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 9.10, 10.1
    • Fix Version/s: 9.10-HF13, 10.3
    • Component/s: Authentication
    • Release Notes Summary:
      The support for read-only directories is added to our SAML implementation.
    • Upgrade notes:
      Hide

      Two new parameters are now available when configuring SAML authentication plugin:

      1. userResolverCreateIfNeeded to create the user if it does not exist in the repository (default value is true)
      2. userResolverUpdate to update the user if present in the repository (default is value true)

      When set to true, both parameters require a user directory that is not read-only.

      Show
      Two new parameters are now available when configuring SAML authentication plugin: userResolverCreateIfNeeded to create the user if it does not exist in the repository (default value is true ) userResolverUpdate to update the user if present in the repository (default is value true ) When set to true, both parameters require a user directory that is not read-only.
    • Sprint:
      nxsupport 10.2.4
    • Story Points:
      2

      Description

      Looking at the current code:
      https://github.com/nuxeo/nuxeo/blob/master/nuxeo-services/login/nuxeo-platform-login-saml2/src/main/java/org/nuxeo/ecm/platform/auth/saml/user/UserMapperBasedResolver.java#L53

      This will call the following method with hardcoded values for createIfNeeded and update:
      https://github.com/nuxeo/nuxeo/blob/master/nuxeo-services/nuxeo-usermapper/src/main/java/org/nuxeo/usermapper/service/UserMapperComponent.java#L104

      For instance, this prevents the usage of LDAP readonly and SAML which attempts to create the user in the directory.

      Shibboleth encounters the same issue.

      Having those flags customizable through the contribution would solve this issue.

          <extension target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService"
                  point="authenticators">
              <authenticationPlugin name="OKTA_AUTH" enabled="true"
                                    class="org.nuxeo.ecm.platform.auth.saml.SAMLAuthenticationProvider">
                  <loginModulePlugin>Trusting_LM</loginModulePlugin>
                  <needStartingURLSaving>true</needStartingURLSaving>
                  <parameters>
                      <parameter name="name">Okta</parameter>
                      <!-- Uri of the metadata -->
                      <parameter name="metadata">https://inevo.okta.com/app/kwojxppsUAOQYHDCJHER/sso/saml/metadata</parameter>
                      <!-- Request timeout in seconds -->
                      <parameter name="timeout">5</parameter>
                      <parameter name="userResolverCreateIfNeeded">false</parameter>
                      <parameter name="userResolverUpdate">false</parameter>
                  </parameters>
              </authenticationPlugin>
          </extension>
      

        Attachments

          Issue Links

            Activity

              People

              • Votes:
                0 Vote for this issue
                Watchers:
                2 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved:

                  Time Tracking

                  Estimated:
                  Original Estimate - 0 minutes
                  0m
                  Remaining:
                  Remaining Estimate - 0 minutes
                  0m
                  Logged:
                  Time Spent - 4 hours, 30 minutes
                  4h 30m

                    PagerDuty

                    Error rendering 'com.pagerduty.jira-server-plugin:PagerDuty'. Please contact your Jira administrators.