Added SAML Autoprovisioning settings in config
This commit is contained in:
parent
8218271693
commit
9316c66291
@ -147,6 +147,37 @@ SAML_ENABLED = False
|
|||
# #SAML_LOGOUT_URL = 'https://google.com'
|
||||
|
||||
# #SAML_ASSERTION_ENCRYPTED = True
|
||||
# SAML_WANT_MESSAGE_SIGNED
|
||||
|
||||
# SAML Autoprovisioning
|
||||
# If toggled on, the PDA Role and the associations of users found in the local db
|
||||
# will be directly updated from the SAML IDP every time they log in.
|
||||
# NOTE: This feature and the assertion of "Admin / Account" attributes are mutually exclusive.
|
||||
# If used, the values for Admin/Account given above will be ignored.
|
||||
SAML_AUTOPROVISIONING = True
|
||||
# The urn value of the attribute in the SAML Authn Response where PDA will look
|
||||
# for a new Role and/or new associations to domains/accounts.
|
||||
# Example: urn:oid:1.3.6.1.4.1.5923.1.1.1.7
|
||||
# The record syntax for this attribute inside the SAML Response must look like:
|
||||
# prefix:powerdns-admin:PDA-Role, to provision an Administrator or Operator, or
|
||||
# prefix:powerdns-admin:User:<domain>:<account>, provision a User
|
||||
# who has access to one or more Domains and belongs to one or more Accounts.
|
||||
# the "prefix" is given in the next attribute
|
||||
SAML_AUTOPROVISIONING_ATTRIBUTE = 'urn:oid:1.3.6.1.4.1.5923.1.1.1.7'
|
||||
# The prefix used before the static keyword "powerdns-admin" for your entitlements
|
||||
# in the SAML Response. Must be a valid URN.
|
||||
# Example: urn:mace:example.com
|
||||
SAML_URN_PREFIX = 'urn:mace:example.com'
|
||||
# If toggled on, SAML logins that have no valid "powerdns-admin" records
|
||||
# to their autoprovisioning field, will lose all their associations
|
||||
# with any domain or account, also reverting to a User in the process,
|
||||
# despite their current role in the local db.
|
||||
# If toggled off, in the same scenario they get to keep
|
||||
# their existing associations and their current Role.
|
||||
### CAUTION: Enabling this feature will revoke existing users' access to their
|
||||
# associated domains unless they have their autoprovisioning field prepopulated.
|
||||
SAML_PURGE = False
|
||||
|
||||
|
||||
# Remote authentication settings
|
||||
|
||||
|
|
|
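Review bot: `SAML_AUTOPROVISIONING = True` ships the feature switched on, and once it is on the IdP-asserted entitlement attribute becomes the sole authority for the Administrator/Operator role and for every domain/account association, overriding the local DB on every login; a shipped config should default this to `SAML_AUTOPROVISIONING = False` so an operator opts in deliberately after wiring up the IdP. The comment block should also state the trust assumption the feature rests on, e.g. above the setting: `# Only enable together with signed SAML messages/assertions (see SAML_WANT_MESSAGE_SIGNED above): with autoprovisioning on, a forged or tampered entitlement attribute grants Administrator directly.` The `SAML_URN_PREFIX` comment says the prefix "must be a valid URN" but not how entries are matched (exact, case-sensitive, full `prefix:powerdns-admin:` match versus prefix-only); the matching is done elsewhere, so I cannot tell from this hunk, but the comment should say which, since a loose match would let an unrelated entitlement sharing the prefix be interpreted as a PDA role.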
@ -1049,19 +1049,21 @@ def saml_authorized():
|
|||
user.username),
|
||||
created_by='SAML Autoprovision')
|
||||
history.add()
|
||||
user.revoke_privilege(True)
|
||||
elif len(Entitlements)!=0:
|
||||
if checkForPDAEntries(Entitlements, urn_prefix):
|
||||
user.updateUser(Entitlements, urn_prefix)
|
||||
else:
|
||||
current_app.logger.warning('Not a single powerdns-admin record was found, possibly a typo in the prefix')
|
||||
if Setting().get('saml_purge'):
|
||||
current_app.logger.warning('Procceding to revoke every privilige from ' + user.username + '.' )
|
||||
current_app.logger.warning('Procceding to revoke every privilege from ' + user.username + '.' )
|
||||
if user.role.name != 'User':
|
||||
user.role_id = Role.query.filter_by(name='User').first().id
|
||||
history = History(msg='Demoting {0} to user'.format(
|
||||
user.username),
|
||||
created_by='SAML Autoprovision')
|
||||
history.add()
|
||||
user.revoke_privilege(True)
|
||||
|
||||
user.plain_text_password = None
|
||||
user.update_profile()
|
||||
|
|
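Review bot: The demotion sequence in the `saml_purge` branch (`user.role_id = Role.query.filter_by(name='User').first().id`, the `History(msg='Demoting …')` entry, `user.revoke_privilege(True)`) duplicates the identical sequence at the top of the hunk, and both call `.first().id` without handling `.first()` returning None, which would raise an AttributeError mid-login instead of a clear error. I would extract the sequence into one helper called from both branches; the helper is also the place to fix the remaining "Procceding" typo in the warning and to pass `user.username` as a lazy `%s` logging argument rather than concatenating it, since that value originates from the IdP. Whether `revoke_privilege(True)` sits inside or after the `!= 'User'` test is not recoverable from the rendered indentation, so the helper below keeps the revoke unconditional — confirm against the original. `saml_authorized` starts before this hunk.
```python
def _demote_to_user(user):
    """Strip a SAML user of its role and every domain/account association (SAML_PURGE path)."""
    user_role = Role.query.filter_by(name='User').first()
    if user_role is None:
        # Fail closed: a missing default role must not leave elevated privileges in place.
        raise RuntimeError('Default role "User" is missing; cannot demote ' + user.username)
    if user.role.name != 'User':
        user.role_id = user_role.id
        History(msg='Demoting {0} to user'.format(user.username),
                created_by='SAML Autoprovision').add()
    user.revoke_privilege(True)

# … unchanged: entitlement handling in saml_authorized …
            current_app.logger.warning('Proceeding to revoke every privilege from %s.', user.username)
            _demote_to_user(user)
```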