Bug #25827: cannot use roles from SSO containing = or , - Authentication backends - Issue Tracker

Actions

Copy link

Bug #25827

open

cannot use roles from SSO containing = or ,

Added by Nicolas CHARLES 14 days ago. Updated about 22 hours ago.

Status:

Pending release

Priority:

1 (highest)

Assignee:

Clark ANDRIANASOLO

Target version:

Rudder plugins - 8.1

Pull Request:

https://github.com/Normation/rudder-p...

Severity:

UX impact:

User visibility:

Effort required:

Priority:

Name check:

To do

Fix check:

Checked

Regression:

Description

when the role from sso contains = and/or , , the mapping does not work
Consider this appartenance

CN=AAAA-BBBBB,OU=Groups,OU=_IT,OU=BB-DD,OU=UUU-XXXX-YY,DC=ee,DC=if,DC=ttttt,DC=uuu

there is no way to get the mapping to work

IdP configuration has registered role mapping: [("CN=AAAA-BBBBB,OU=Groups,OU=_IT,OU=BB-DD,OU=UUU-XXXX-YY,DC=ee,DC=if,DC=ttttt,DC=uuu",administrator)]

(with the quote, it doesn't match anything)

tried to quote, triple quote, escape, without success

Actions

Copy link

Updated by François ARMAND 7 days ago

Assignee set to François ARMAND

Actions

Copy link

Updated by François ARMAND 7 days ago

Status changed from New to In progress

Actions

Copy link

Updated by François ARMAND 6 days ago

Status changed from In progress to Pending technical review
Assignee changed from François ARMAND to Clark ANDRIANASOLO
Pull Request set to https://github.com/Normation/rudder-plugins/pull/769

PR https://github.com/Normation/rudder-plugins/pull/769

Actions

Copy link

Updated by Anonymous 3 days ago

Status changed from Pending technical review to Pending release

Applied in changeset rudder:rudder-plugins|7ee9fdda3ec6cde3b2a7b996b1b12f57b1ae247e.

Actions

Copy link

Updated by Clark ANDRIANASOLO about 22 hours ago

Fix check changed from To do to Checked

It now works with additional configuration with reverseEntitlements :

rudder.auth.oauth2.provider.okta.roles.mapping.entitlements.rudder_admin=administrator
rudder.auth.oauth2.provider.okta.roles.mapping.entitlements.rudder_readonly=read_only
rudder.auth.oauth2.provider.okta.roles.mapping.reverseEntitlements.read_only=CN=AAAA-BBBBB,OU=Groups,OU=_IT,OU=BB-DD,OU=UUU-XXXX-YY,DC=ee,DC=if,DC=ttttt,DC=uuu

, the mapping is correctly assigned :

2024-11-20 16:21:51+0300 TRACE auth-backends - IdP configuration has registered role mapping: [(CN=AAAA-BBBBB,OU=Groups,OU=_IT,OU=BB-DD,OU=UUU-XXXX-YY,DC=ee,DC=if,DC=ttttt,DC=uuu,read_only); (rudder_admin,administrator); (rudder_readonly,read_only)]

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Rudder plugins » Authentication backends

Custom queries

Bug #25827

cannot use roles from SSO containing = or ,

Updated by François ARMAND 7 days ago

Updated by François ARMAND 7 days ago

Updated by François ARMAND 6 days ago

Updated by Anonymous 3 days ago

Updated by Clark ANDRIANASOLO about 22 hours ago