Ability to map exisitng LDAP SSO groups to teams

[hardillb]

Description

Customer has hard rules on LDAP group names, not allowed to match ff-[team-slug]-[role] group names.

Would like a way to explicitly set group name for a given team

Which customers would this be available to

Enterprise Tier Only (EE)

Have you provided an initial effort estimate for this issue?

I have provided an initial effort estimate

• https://app-eu1.hubspot.com/contacts/26586079/record/0-2/8845845707

[hardillb]

Suggestion from customer

If we could predefine the length of the prefix and postfix for the AD group in FlowFuse, you could probably add a process to ignore them in your system. This should be an application-level configuration, of course, which means it should be configured once for your organization and then followed.

For example,
FlowFuse group name: ff-team1-owner
Prefix length: 8
postfix length: 0
AD group name: abc_grt_ff-team1-owner
or
Prefix length: 4
postfix length: 2
AD group name: abc_ff-team1-owner_1

[hardillb]

I think the prefix/postfix option is actually a most practical solution.

It means we don't need to keep a table of group to team/role mappings

Something like this in

flowfuse/forge/ee/lib/sso/index.js

Line 299 in 4c4d31a

async function updateTeamMembership (samlUser, user, providerOpts) {

            groupAssertions.forEach(ga => {
                // Trim prefix/postfix from group name
                let shortGA = ga.slice(providerOpts.groupPrefixLength, (providerOpts.groupPostfixLength * -1))
                // Parse the group name - format: 'ff-SLUG-ROLE'
                // Generate a slug->role object (desiredTeamMemberships)
                const match = /^ff-(.+)-([^-]+)$/.exec(shortGA)
                if (match) {
                    const teamSlug = match[1]
                    const teamRoleName = match[2]
                    const teamRole = Roles[teamRoleName]
                    // Check this role is a valid team role

Or the same in LDAP code

flowfuse/forge/ee/lib/sso/index.js

Line 435 in 4c4d31a

async function updateTeamMembershipLDAP (adminClient, user, userDN, providerOpts) {

        app.log.debug(`LDAP Groups for ${user.username} ${JSON.stringify(searchEntries)}`)
        const promises = []
        let adminGroup = false
        const desiredTeamMemberships = {}
        const groupRegEx = /^ff-(.+)-([^-]+)$/
        for (const i in searchEntries) {
            const shortCN = searchEntries[i].cn.slice(providerOpts.groupPrefixLength, (providerOpts.PostfixLength * -1))
            const match = groupRegEx.exec(shortCN)
            if (match) {
                app.log.debug(`Found group ${searchEntries[i].cn} for user ${user.username}`)
                const teamSlug = match[1]
                const teamRoleName = match[2]
                const teamRole = Roles[teamRoleName]
                // Check this role is a valid team role
                if (TeamRoles.includes(teamRole)) {

[hardillb]

Will need to make sure groupPrefixLength and groupPostfixLength default to 0

@knolleary if you get a second, can you comment on this suggestion (before I run off and build the UI for it)

[knolleary]

Feels like a sensible quick solution that is most flexible. An alternative would be to require the actual pre/post strings to be provided - not as flexible, although perhaps more deterministic. Stick with lengths for now.

[hardillb]

OK, got the changes done, will add some extra groups to my SSO test rig after lunch

[hardillb]

Just thinking that using the length does mean it's possible to match other groups...

e.g. prefix 5 matches both

• test_ff-dev-owner
• fooo_ff-tev-owner

I don't think this is a problem as only LDAP/SAML admins should be able to create groups?