Allows to customize SAML attributes

Adds three environment variables: - GRIST_SAML_ATTR_FIRSTNAME - GRIST_SAML_ATTR_LASTNAME - GRIST_SAML_ATTR_EMAIL so that the attributes coming from the IdP can be customized. This allows from a variety of IdP to be used directly, including ones from educational institution with urn:oid (direct or aliased)
gristlabs · Dec 19, 2024 · a8dd567 · a8dd567
1 parent 044f6c7
commit a8dd567
Showing 1 changed file with 15 additions and 3 deletions.
diff --git a/app/server/lib/SamlConfig.ts b/app/server/lib/SamlConfig.ts
@@ -32,6 +32,15 @@
  *        Comma-separated list of paths for certificates from identity provider, PEM format.
  *    env GRIST_SAML_IDP_UNENCRYPTED
  *        If set and non-empty, allow unencrypted assertions, relying on https for privacy.
+ *    env GRIST_SAML_ATTR_FIRSTNAME
+ *        If set and non-empty, determines the user's firstname attribute from the IdP response.
+ *        e.g. "urn:oid:2.5.4.4"
+ *    env GRIST_SAML_ATTR_LASTNAME
+ *        If set and non-empty, determines the user's lastname attribute from the IdP response.
+ *        e.g. "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
+ *    env GRIST_SAML_ATTR_EMAIL
+ *        If set and non-empty, determines the user's email attribute from the IdP response.
+ *        e.g. "urn:oid:0.9.2342.19200300.100.1.3"
  *
  * This version of SamlConfig has been tested with Auth0 SAML IdP following the instructions
  * at:
@@ -181,9 +190,12 @@ export class SamlConfig {
         // An example IdP response is at https://github.com/Clever/saml2#assert_response. Saml2-js
         // maps some standard attributes as user.given_name, user.surname, which we use if
         // available. Otherwise we use user.attributes which has the form {Name: [Value]}.
-        const fname = samlUser.given_name || samlUser.attributes.FirstName || '';
-        const lname = samlUser.surname || samlUser.attributes.LastName || '';
-        const email = samlUser.email || samlUser.name_id;
+        const fname = samlUser.attributes[process.env.GRIST_SAML_ATTR_FIRSTNAME] ||
+		samlUser.given_name || samlUser.attributes.FirstName || '';
+        const lname = samlUser.attributes[process.env.GRIST_SAML_ATTR_LASTNAME] ||
+		samlUser.surname || samlUser.attributes.LastName || '';
+        const email = samlUser.attributes[process.env.GRIST_SAML_ATTR_EMAIL] ||
+		samlUser.email ||  samlUser.name_id;
         const profile = {
           email,
           name: `${fname} ${lname}`.trim(),