From 4f00f8ff1714cc1b44b4f1dfc8d064cee948c5a1 Mon Sep 17 00:00:00 2001
From: Marc Jeanmougin
Date: Mon, 16 Dec 2024 15:52:04 +0100
Subject: [PATCH] Allows to customize SAML attributes

Adds three environment variables:
- GRIST_SAML_ATTR_FIRSTNAME
- GRIST_SAML_ATTR_LASTNAME
- GRIST_SAML_ATTR_EMAIL
so that the attributes coming from the IdP can be customized. This allows from a variety of IdP to be used directly, including ones from educational institution with urn:oid (direct or aliased)
---
 app/server/lib/SamlConfig.ts | 21 ++++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)

diff --git a/app/server/lib/SamlConfig.ts b/app/server/lib/SamlConfig.ts
index 285cf248f9..b4670194c2 100644
--- a/app/server/lib/SamlConfig.ts
+++ b/app/server/lib/SamlConfig.ts
@@ -32,6 +32,15 @@
 * Comma-separated list of paths for certificates from identity provider, PEM format.
 * env GRIST_SAML_IDP_UNENCRYPTED
 * If set and non-empty, allow unencrypted assertions, relying on https for privacy.
+ * env GRIST_SAML_ATTR_FIRSTNAME
+ * If set and non-empty, determines the user's firstname attribute from the IdP response.
+ * e.g. "urn:oid:2.5.4.4"
+ * env GRIST_SAML_ATTR_LASTNAME
+ * If set and non-empty, determines the user's lastname attribute from the IdP response.
+ * e.g. "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
+ * env GRIST_SAML_ATTR_EMAIL
+ * If set and non-empty, determines the user's email attribute from the IdP response.
+ * e.g. "urn:oid:0.9.2342.19200300.100.1.3"
 *
 * This version of SamlConfig has been tested with Auth0 SAML IdP following the instructions
 * at:
@@ -181,9 +190,15 @@ export class SamlConfig {
 // An example IdP response is at https://github.com/Clever/saml2#assert_response. Saml2-js
 // maps some standard attributes as user.given_name, user.surname, which we use if
 // available. Otherwise we use user.attributes which has the form {Name: [Value]}.
- const fname = samlUser.given_name || samlUser.attributes.FirstName || '';
- const lname = samlUser.surname || samlUser.attributes.LastName || '';
- const email = samlUser.email || samlUser.name_id;
+ const fnameAttribute = process.env.GRIST_SAML_ATTR_FIRSTNAME || '';
+ const lnameAttribute = process.env.GRIST_SAML_ATTR_LASTNAME || '';
+ const emailAttribute = process.env.GRIST_SAML_ATTR_EMAIL || '';
+ const fname = samlUser.attributes[fnameAttribute] ||
+ samlUser.given_name || samlUser.attributes.FirstName || '';
+ const lname = samlUser.attributes[lnameAttribute] ||
+ samlUser.surname || samlUser.attributes.LastName || '';
+ const email = samlUser.attributes[emailAttribute] ||
+ samlUser.email || samlUser.name_id;
 const profile = {
 email,
 name: `${fname} ${lname}`.trim(),
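Review bot: `samlUser.attributes[emailAttribute]` is assigned straight to `email`, yet the comment three lines above says `attributes` has the form `{Name: [Value]}`, so once GRIST_SAML_ATTR_EMAIL is configured the profile's email is presumably an array rather than the string the old `samlUser.email || samlUser.name_id` path produced; `${fname} ${lname}` masks the same thing for names by stringifying the array, which also joins multi-valued attributes with commas. Reading the first value through a small helper keeps `email` a string, handles an absent or empty env var (`attributes['']`) explicitly, and drops the three one-off `*Attribute` locals. Separately, when an attribute is configured but missing from the assertion the code falls back silently to the default attributes; since the email is the account identity, logging that fallback would make an IdP misconfiguration visible instead of quietly mapping the user from a different attribute. The enclosing method starts outside the hunk.
```typescript
    // First value of the IdP attribute named by the given env var, or undefined when
    // the env var is unset/empty or the assertion lacks the attribute. saml2-js reports
    // attributes as {Name: [Value]}, so unwrap the array rather than passing it on.
    const configuredAttr = (envName: string): string | undefined => {
      const attrName = process.env[envName] || '';
      const value = attrName ? samlUser.attributes[attrName] : undefined;
      return Array.isArray(value) ? value[0] : value;
    };
    const fname = configuredAttr('GRIST_SAML_ATTR_FIRSTNAME') ||
      samlUser.given_name || samlUser.attributes.FirstName || '';
    const lname = configuredAttr('GRIST_SAML_ATTR_LASTNAME') ||
      samlUser.surname || samlUser.attributes.LastName || '';
    const email = configuredAttr('GRIST_SAML_ATTR_EMAIL') ||
      samlUser.email || samlUser.name_id;
    // … unchanged: profile construction …
```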