Add Group Attribute Name field to IdP view #2520
app/forms/idp/edit.tsx

```tsx
<TextField
  name="groupAttributeName"
  label="Group attribute name"
  description="Name of the SAML attribute sent by the IdP containing a comma-separated list of groups for the authenticated user"
```
I don't think they're actually comma-separated. It's all XML.

```xml
<saml:AttributeStatement>
  <saml:Attribute Name="groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml:AttributeValue>SRE</saml:AttributeValue>
    <saml:AttributeValue>Admins</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
```

Maybe we can be a little less concrete about the format anyway. It doesn't matter here:

> Name of the SAML attribute in the IdP response listing the user's groups

We could go even shorter to get it on one line, but I don't think this is consistent with our more typically breezy style.

> Name of SAML attribute in IdP response listing user's groups

Worth noting that text-balance looks worse and worse the shorter the thing gets. I'd take it back out.
The docs also say "comma-separated". I will make a note to confirm it's wrong and fix it.
It can be a single AttributeStatement, like you posted, but it can also be multiple:

```xml
<saml:Attribute Name="groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <saml:AttributeValue>Admins</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <saml:AttributeValue>SRE</saml:AttributeValue>
</saml:Attribute>
```

The Keycloak setting for this is (under the "groups" mapping):

It can also be a comma-separated list of groups, if the IDP sends that. Some applications apparently do require that (e.g. https://support.okta.com/help/s/question/0D54z00009Jau72CAB/group-attribute-statements-combine-all-groups-into-a-comma-separated-string?language=en_US)
Very helpful, thanks. Do all of those work the same way with respect to the attribute name? In which case just not mentioning the details seems best.
> Do all of those work the same way with respect to the attribute name? In which case just not mentioning the details seems best.

I believe so, yeah; both use the same `Attribute Name="groups"`, and it'd be a bug not to. Agree on eliding that detail, yeah. Even so, if we ever encounter an IDP that only sends comma-separated lists, Nexus can handle it.
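Taken together, the three shapes discussed in the comments above (one Attribute with several AttributeValue children, several Attribute elements sharing the same Name, and a single comma-separated value) can be handled by one extractor keyed on the configured attribute name. The following is an added Python example, not console or Nexus code; the function name is my own and the sample responses are constructed:

```python
# Added example, not console or Nexus code: pull a user's groups out of a SAML
# AttributeStatement, accepting every shape the thread describes: one Attribute
# with several AttributeValue children, several Attribute elements sharing the
# same Name, and a single comma-separated AttributeValue.
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"


def extract_groups(attribute_statement_xml: str, attribute_name: str) -> list[str]:
    """Return the groups carried by every <saml:Attribute> whose Name equals
    attribute_name, de-duplicated and in first-seen order. Attributes with any
    other Name are ignored, so only the configured attribute grants membership."""
    root = ET.fromstring(attribute_statement_xml)
    groups: list[str] = []
    # Match on Name only; NameFormat differs between IdPs and is not consulted.
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        if attr.get("Name") != attribute_name:
            continue
        for value in attr.findall(f"{{{SAML_NS}}}AttributeValue"):
            # Split on commas so "SRE,Admins" in one value is read as two groups.
            for group in (value.text or "").split(","):
                group = group.strip()
                if group and group not in groups:
                    groups.append(group)
    return groups


# Constructed samples (not captured from a real IdP). The xmlns declaration,
# omitted from the snippets pasted in the thread, is required by the parser.
_ATTR = '<saml:Attribute Name="groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">'
_OPEN = f'<saml:AttributeStatement xmlns:saml="{SAML_NS}">'

ONE_ATTRIBUTE_MANY_VALUES = f"""{_OPEN}
  {_ATTR}
    <saml:AttributeValue>SRE</saml:AttributeValue>
    <saml:AttributeValue>Admins</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""

REPEATED_ATTRIBUTES = f"""{_OPEN}
  {_ATTR}<saml:AttributeValue>Admins</saml:AttributeValue></saml:Attribute>
  {_ATTR}<saml:AttributeValue>SRE</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="email"><saml:AttributeValue>a@example.com</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>"""

COMMA_SEPARATED = f"""{_OPEN}
  {_ATTR}<saml:AttributeValue>SRE, Admins</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>"""
```

All three samples yield the same two groups for the name `groups`, and the `email` attribute in the second sample is never mistaken for a group.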
The create form has a field for this too — its description should match. Yet another case where it would be convenient to share the fields (and in this case it would have helped catch this mismatch) but it feels kinda boilerplatey to get the types right on shared stuff. We should think about how to make it easier, or if we can't, maybe at least commit to a particular pattern for sharing fields and document it so we don't have to think about it. Out of scope for this PR of course.

console/app/forms/idp/create.tsx Lines 133 to 138 in 4e96756
Not a blocker, but I'd recommend adding `groupAttributeName` to the mock SAML IdP so we can see it in the form.

Lines 76 to 88 in 4e96756

```ts
export const samlIdp: Json<SamlIdentityProvider> = {
  id: '2a96ce6f-c178-4631-9cde-607d65b539c7',
  description: 'An identity provider but what if it had a really long description',
  name: 'mock-idp',
  time_created: new Date(2021, 4, 3, 4).toISOString(),
  time_modified: new Date(2021, 4, 3, 5).toISOString(),
  acs_url: '',
  idp_entity_id: '',
  public_cert: '',
  slo_url: '',
  sp_client_id: '',
  technical_contact_email: '',
}
```
Might also be worth adding a line alongside this asserting that it shows up. Don't use the `text=` way, do it the `expect(page.getByRole('textbox', { name: 'Group attribute name' })).toHaveValue('groups')` way.

Lines 181 to 187 in 4e96756

```ts
await expectVisible(page, [
  'role=dialog[name="Identity provider"]',
  'role=heading[name="mock-idp"]',
  // random stuff that's not in the table
  'text="Entity ID"',
  'text="Single Logout (SLO) URL"',
])
```
I just did it since the comment was 95% of it.

This field was already present, just hidden in the "edit" (though not really editable) view.

I also adjusted the help text's CSS to have `text-balance`, so we avoid having ragged descriptions.

Closes #2473