Allow mapping of SAML attributes to team and organization names that do not match attribute_value.
For example, when mapping users with SAML attribute "ansibleOrganizations" and mapping attribute_value "developer-unix-org" to the organization "Unix Developers":
    {
        "saml_attr": "ansibleOrganizations",
        "saml_admin_attr": "ansibleOrganizationAdmins",
        "remove": true,
        "remove_admins": true,
        "org_map": [
            {
                "organization": "developer-unix-org",
                "org_alias": "Unix Developers"
            }
        ]
    }
When mapping users with SAML attribute "ansibleGroups" and mapping attribute_value "unix-adms" to the team "Unix Administrators":
    {
        "saml_attr": "ansibleGroups",
        "remove": true,
        "team_org_map": [
            {
                "team": "unix-adms",
                "organization": "Default",
                "team_alias": "Unix Administrators"
            }
        ]
    }
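How the requested team aliases would resolve, as an added Python illustration that is not part of the original post and is not AWX/Tower code. The function names, the alias "Some Group" for the LDAP-style value, the "net-ops" entry, and the reading of "remove" as revoking memberships the current assertion does not back are assumptions.

```python
# Added illustration; not AWX/Tower source code.
# Config shape follows the issue; the DN entry, its alias and "net-ops" are constructed.
TEAM_ATTR = {
    "saml_attr": "ansibleGroups",
    "remove": True,
    "team_org_map": [
        {"team": "unix-adms", "organization": "Default",
         "team_alias": "Unix Administrators"},
        {"team": "cn=SOMEGROUP,ou=groups,dc=our,dc=org,dc=com",
         "organization": "Default", "team_alias": "Some Group"},
        {"team": "net-ops", "organization": "Default"},  # no alias: name used as-is
    ],
}


def resolve_teams(assertion_attrs, config):
    """Return the set of (organization, team name) pairs the assertion maps to."""
    values = assertion_attrs.get(config["saml_attr"], [])
    if isinstance(values, str):  # a single value may arrive as a bare string
        values = [values]
    asserted = set(values)
    desired = set()
    for entry in config["team_org_map"]:
        # Exact match only: an unmapped or partially matching value grants nothing.
        if entry["team"] in asserted:
            name = entry.get("team_alias") or entry["team"]
            desired.add((entry["organization"], name))
    return desired


def plan_membership(current, desired, remove):
    """Return (to_add, to_remove); 'remove' is assumed to revoke stale memberships."""
    to_add = desired - current
    to_remove = (current - desired) if remove else set()
    return to_add, to_remove
```

Because the IdP value and the team name are decoupled, renaming a directory group only changes the "team" key in the map, and the team and its existing permissions keep their name.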
While keeping this open, we recommend having the team names match, or doing this translation on the SAML provider.
This would be incredibly helpful for when the SAML IDP uses LDAP, e.g. our team names end up looking like this: cn=SOMEGROUP,ou=groups,dc=our,dc=org,dc=com
This really needs to be supported. Tower should have a way to map external SAML attributes to team names. Otherwise, if an AD group name is changed, you may have an enormous amount of changes to make if you are storing the configuration of Tower in source
Hi, do you have any plans to implement this functionality soon? We keep group names in LDAP and we couldn't translate them directly to the team names.
I also look forward to seeing this implemented.
Tested - this is now working as expected