SAML2 based authrization workaround

[yamsania]

Hey @ndobb ,

We recently implemented Leaf on GCP and are trying to setup authorization and are failing to do so, as we use third party IDP and the IDP does not have group information as its not synced from active directory. What would be our options if we cannot get group information from SAML2?
@glabrie10 Please help us answer any questions @ndobb may have for us.

[mh2727]

Hi @yamsania.

My name is Mehadi Hassan and I am one of the developers on the Leaf team.

Re: What would be our options if we cannot get group information from SAML2?
What do you mean by you're unable to get group information? Does the IDP provide info on roles or is there a way to categorize users?

Leaf is looking for some identifier that can differentiate users based on their assigned role, group, or whatever your team decides to use to categorize users. As long as that identifier is sent, Leaf will be able to use it to grant access.

You should be able to manage users in your IDP and group them with the necessary permissions. Whatever you use to group the users is your group information.

--
Mehadi Hassan

[glabrie10]

Hey @mh2727

Gabe here from the application team with Health Data Compass.

Unfortunately, our IPD cannot do groups. We are able to create other identifiers for entitlement attributes. What would we have to change in the appsetting.json configuration to use our custom entitlement attributes instead of a group?

Gabriel LaBrie
Cloud Engineer
Health Data Compass

[mh2727]

Hi @glabrie10

Under Authorization -> SAML2 -> HeadersMapping -> Entitlements, you can specify the Name of the entitlement you want to use and the Delimiter. This will allow Leaf to read that header.

Then, you can specify the different roles (Authorization -> SAML2 -> RolesMapping) based on your entitlement.

Here is an example to help you get started.

The headers sent over SAML:

    example_entitlement: groupA; groupB; groupC

    The `Name` is "example_entitlement".
    The `Delimiter` is ";".

The different roles would be specified like so:

    "RolesMapping": {
        "User": "groupA",
        "Super": "groupB",
        "Identified": "groupC",
        "Admin": "groupC",
        "Federated": "groupA"
      }

You can read more about this on our Leaf docs page: https://leafdocs.rit.uw.edu/installation/installation_steps/6_appsettings/#authorization

Hope this helps and answers your questions.

--
Mehadi Hassan

[glabrie10]

@mh2727

Thank you for the input. We were able to use custom identifiers but we still can't get authorization to work. Would it be possible to schedule a zoom and go over what we are trying?

[mh2727]

Hi @glabrie10

I just sent an email requesting some times that work for you next week.

--
Mehadi Hassan

[glabrie10]

Thanks, Mehadi!

[artgoldberg]

Folks. See #436 which may solve your problem and has been implemented.

[ndobb]

@artgoldberg, thanks for pointing that out.

On a related note @yamsania @glabrie10, I've just released v3.10, which add support for user authorization via the Leaf app DB, as well as the feature for allowing all users, which @artgoldberg mentioned.

You should be able to use your IdP to authenticate the user (and get their username), then the app DB tables to manage their roles if you'd like.

Let me know if you have any questions.

[artgoldberg]

@ndobb I like the idea of combining SAML authentication with LeafDB authorization.