auth.admin.saml.groovy-permission-mapper
Background
Sets the path to a Groovy script implementing a mapping from the SAML credentials provided by the identity provider to objects representing Funnelback users.
The following script is a simple example in which the Groovy script simply loads the 'admin.ini' file for all valid SAML users. In practice a script would interrogate the given SAMLCredential and load or create a suitable user object that grants permissions appropriate for that user. References to testclient in the example should be updated to a valid client ID, and the roles should be updated to roles that exist on the Funnelback server.
import java.util.Arrays;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.saml.SAMLCredential;
import com.funnelback.springmvc.api.config.security.saml.SamlFunnelbackUserMapper;
import com.funnelback.springmvc.api.config.security.saml.user.shared.SAMLConfiguredUser;
import com.funnelback.springmvc.api.config.security.user.model.RoleId;

public class ExampleGroovySamlFunnelbackUserMapper implements SamlFunnelbackUserMapper {

    @Override
    public SAMLConfiguredUser getSAMLDerivedUser(SAMLCredential credential, SAMLConfiguredUser emptyUser, File searchHome)
            throws UsernameNotFoundException {
        String username = "testclient~foo"; // Derive this from the SAMLCredential
        return emptyUser.withUserInfoDetails(emptyUser.getUserInfoDetails()
                .withId(username)
                .withFullName("")
                .withEmail("")
                .withInfo(""))
            .withRoleDetails(emptyUser.getRoleDetails()
                // These roles should be mapped to ones that exist on disk, depending on
                // attributes that are provided by the SAMLCredential.
                .withInRoles(Arrays.asList(
                    new RoleId("testclient~default-super-user"),
                    new RoleId("testclient~primary"),
                    new RoleId("testclient~resources")
                )));
    }
}
The file containing the script can be located anywhere, so long as it is readable by the Funnelback Jetty web server. Further detail about the provided SAMLCredential object is available in the Spring Security SAML documentation.
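The following mapper is an added example, not part of the Funnelback documentation or product, showing what "interrogating the SAMLCredential" looks like in practice: it takes the username from the assertion's NameID, grants roles only for IdP groups listed in an explicit allow-list, and refuses to create a user when no group maps to a role. The attribute names (memberOf, mail, displayName) and the group names are assumptions and must match what your IdP actually releases; the client ID testclient and the role names are the placeholders from the example above. The SAMLCredential accessors used (getNameID(), getAttributeAsString(), getAttributeAsStringArray()) are those of Spring Security SAML; the SAMLConfiguredUser and RoleId calls are the same ones the example above uses.

```groovy
import java.io.File; // Groovy imports java.io.* implicitly; listed here for clarity
import java.util.ArrayList;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.saml.SAMLCredential;
import com.funnelback.springmvc.api.config.security.saml.SamlFunnelbackUserMapper;
import com.funnelback.springmvc.api.config.security.saml.user.shared.SAMLConfiguredUser;
import com.funnelback.springmvc.api.config.security.user.model.RoleId;

public class GroupMappingSamlFunnelbackUserMapper implements SamlFunnelbackUserMapper {

    // Assumed attribute names: replace with the attributes your IdP releases.
    private static final String GROUP_ATTRIBUTE = "memberOf";
    private static final String EMAIL_ATTRIBUTE = "mail";
    private static final String DISPLAY_NAME_ATTRIBUTE = "displayName";

    // Placeholder client ID; replace with a valid client ID on this server.
    private static final String CLIENT = "testclient";

    // Explicit allow-list from IdP group (assumed names) to Funnelback roles
    // (the role names used in the documentation example). Groups not listed
    // here grant nothing.
    private static final Map<String, List<String>> GROUP_TO_ROLES = [
        "funnelback-admins":  ["default-super-user", "primary", "resources"],
        "funnelback-editors": ["primary"]
    ];

    @Override
    public SAMLConfiguredUser getSAMLDerivedUser(SAMLCredential credential, SAMLConfiguredUser emptyUser, File searchHome)
            throws UsernameNotFoundException {

        // The NameID is the subject identifier asserted by the IdP; without it
        // there is nothing trustworthy to key the Funnelback user on.
        if (credential.getNameID() == null || credential.getNameID().getValue() == null) {
            throw new UsernameNotFoundException("SAML assertion carries no NameID");
        }
        String subject = credential.getNameID().getValue();
        String username = CLIENT + "~" + subject;

        // Collect role names from the group attribute, de-duplicated and in
        // a stable order. A missing attribute yields null, handled below.
        Set<String> roleNames = new LinkedHashSet<>();
        String[] groups = credential.getAttributeAsStringArray(GROUP_ATTRIBUTE);
        if (groups != null) {
            for (String group : groups) {
                List<String> mapped = GROUP_TO_ROLES.get(group);
                if (mapped != null) {
                    roleNames.addAll(mapped);
                }
            }
        }

        // Fail closed: a subject with no mapped role gets no user at all rather
        // than a user with an empty role set.
        if (roleNames.isEmpty()) {
            throw new UsernameNotFoundException("No Funnelback role mapped for SAML subject " + subject);
        }

        List<RoleId> roles = new ArrayList<>();
        for (String role : roleNames) {
            roles.add(new RoleId(CLIENT + "~" + role));
        }

        // Optional profile attributes; the user is still valid if they are absent.
        String email = credential.getAttributeAsString(EMAIL_ATTRIBUTE);
        String fullName = credential.getAttributeAsString(DISPLAY_NAME_ATTRIBUTE);

        return emptyUser.withUserInfoDetails(emptyUser.getUserInfoDetails()
                .withId(username)
                .withFullName(fullName != null ? fullName : "")
                .withEmail(email != null ? email : "")
                .withInfo("Roles derived from SAML attribute " + GROUP_ATTRIBUTE))
            .withRoleDetails(emptyUser.getRoleDetails()
                .withInRoles(roles));
    }
}
```

Keeping the group-to-role table as an allow-list in the script, rather than passing IdP group names straight through as role names, means a new or renamed group on the IdP side cannot grant a Funnelback role until someone deliberately adds it here, and every role the script can hand out is visible in one place for review.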
Setting the key
Set this configuration key in the server configuration.
Use the configuration key editor to add or edit the auth.admin.saml.groovy-permission-mapper key, and set the value. This can be set to any valid File value.
See also
- Specify the SAML identity provider's metadata URL (Admin interface).
- Specify the URL to log users out of the IdP (Admin interface).
- Specify the prefix for the SAML entity ID (Admin interface).
- Specify the location of the SAML keystore (Admin interface).
- Specify the alias of the private key to use in the SAML keystore (Admin interface).
- Specify the password for the private key in the SAML keystore (Admin interface).
- Specify the default URL to navigate to after an IdP-initiated SSO login (Admin interface).