rhysperry111 opened a new issue, #12212:
URL: https://github.com/apache/cloudstack/issues/12212
### The required feature described as a wish
Most SAML IdPs are able to provide group information for the authenticated
user in the form of a SAML attribute (with many values for each group the user
is in). It would be useful to be able to use the groups in the same way that
LDAP groups can, such as to give a user access to certain accounts.
Here is an example SAML response from AWS Identity Center showing how groups
are formatted. In the case of Identity Center, groups are assigned a random ID.
```xml
<saml2:AttributeStatement>
  <saml2:Attribute Name="groups"
                   NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                          xsi:type="xsd:string">ourdomainhere.internal//S-1-5-21-3122984950-2570546592-4150994639-1732</saml2:AttributeValue>
    <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                          xsi:type="xsd:string">ourdomainhere.internal//S-1-5-21-3122984950-2570546592-4150994639-2026</saml2:AttributeValue>
    <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                          xsi:type="xsd:string">ourdomainhere.internal//S-1-5-21-3122984950-2570546592-4150994639-1814</saml2:AttributeValue>
    <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                          xsi:type="xsd:string">ourdomainhere.internal//S-1-5-21-3122984950-2570546592-4150994639-1722</saml2:AttributeValue>
    <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                          xsi:type="xsd:string">ourdomainhere.internal//S-1-5-21-3122984950-2570546592-4150994639-1748</saml2:AttributeValue>
    <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                          xsi:type="xsd:string">ourdomainhere.internal//S-1-5-21-3122984950-2570546592-4150994639-1730</saml2:AttributeValue>
    <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                          xsi:type="xsd:string">ourdomainhere.internal//S-1-5-21-3122984950-2570546592-4150994639-1953</saml2:AttributeValue>
    <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                          xsi:type="xsd:string">ourdomainhere.internal//S-1-5-21-3122984950-2570546592-4150994639-1836</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute Name="username"
                   NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                          xsi:type="xsd:string">[email protected]</saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>
```
This would be a useful feature to have as, with more companies moving to a
more "serverless" / "cloud-native" (insert your favourite buzzword here) setup,
it is becoming less common to have an easy way to connect to the user directory with LDAP.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
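To make the request concrete, here is an added illustration (not CloudStack code and not from the issue author) of the two steps the feature would need: reading the multi-valued `groups` attribute out of a SAML `AttributeStatement`, and resolving those group values against an explicit, operator-maintained group-to-account mapping. The `AttributeStatement` below is constructed for the example and modelled on the AWS Identity Center response in the issue, with placeholder domain, SIDs and username; the mapping table `GROUP_ACCOUNT_MAP` and the function names are hypothetical. Two points matter for an implementation: the statement must be taken from an assertion whose signature has already been verified, and the lookup must be an exact match on the full attribute value (domain prefix plus SID), so a group from another domain that happens to end in the same RID cannot satisfy the mapping. Unmapped groups grant nothing.

```python
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample AttributeStatement (placeholder domain, SIDs and user),
# shaped like the AWS Identity Center response quoted in the issue. In a real
# deployment this element comes from an assertion whose XML signature has been
# verified first; unverified attribute data must never drive account mapping.
SAMPLE_ATTRIBUTE_STATEMENT = """<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Attribute Name="groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">example.internal//S-1-5-21-1111111111-2222222222-3333333333-1001</saml2:AttributeValue>
    <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">example.internal//S-1-5-21-1111111111-2222222222-3333333333-1002</saml2:AttributeValue>
    <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">example.internal//S-1-5-21-1111111111-2222222222-3333333333-1003</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute Name="username" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">alice@example.internal</saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>"""

# Hypothetical operator-configured mapping: full group attribute value -> accounts.
# Keys are the complete value (domain prefix + SID); the 1003 group is deliberately
# left unmapped to show that unknown groups grant no access.
GROUP_ACCOUNT_MAP = {
    "example.internal//S-1-5-21-1111111111-2222222222-3333333333-1001": ["ops-account"],
    "example.internal//S-1-5-21-1111111111-2222222222-3333333333-1002": ["dev-account", "qa-account"],
}


def extract_attributes(statement_xml: str) -> dict[str, list[str]]:
    """Return {attribute name: [values...]} for every saml2:Attribute in the statement.

    Multi-valued attributes (such as 'groups') keep every AttributeValue, in order.
    """
    root = ET.fromstring(statement_xml)
    attributes: dict[str, list[str]] = {}
    for attr in root.iter(f"{{{SAML2_NS}}}Attribute"):
        name = attr.get("Name")
        if not name:
            continue
        values = attributes.setdefault(name, [])
        for value in attr.iter(f"{{{SAML2_NS}}}AttributeValue"):
            if value.text and value.text.strip():
                values.append(value.text.strip())
    return attributes


def resolve_accounts(attributes: dict[str, list[str]],
                     group_attribute: str = "groups",
                     group_account_map: dict[str, list[str]] = GROUP_ACCOUNT_MAP) -> list[str]:
    """Map the user's SAML groups to accounts using exact, allow-list matching.

    A group value that is not a key in the mapping contributes nothing, so a user
    with no mapped groups ends up with an empty account list (deny by default).
    """
    accounts: list[str] = []
    for group in attributes.get(group_attribute, []):
        for account in group_account_map.get(group, []):
            if account not in accounts:          # preserve order, avoid duplicates
                accounts.append(account)
    return accounts


if __name__ == "__main__":
    attrs = extract_attributes(SAMPLE_ATTRIBUTE_STATEMENT)
    print("user:    ", attrs.get("username"))
    print("groups:  ", attrs.get("groups"))
    print("accounts:", resolve_accounts(attrs))
```

Running the block prints the single `username` value, the three group values, and the two mapped groups resolved to `ops-account`, `dev-account` and `qa-account`; the unmapped 1003 group is silently dropped. For production parsing of IdP-supplied XML, a hardened parser (or the platform's existing SAML library, which in CloudStack's case is what handles the assertion today) should replace the stdlib `ElementTree` call used here for brevity.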