Project

General

Profile

Actions

Bug #25827

open

cannot use roles from SSO containing = or ,

Added by Nicolas CHARLES 16 days ago. Updated 3 days ago.

Status:
Pending release
Priority:
1 (highest)
Target version:
Severity:
UX impact:
User visibility:
Effort required:
Priority:
0
Name check:
To do
Fix check:
Checked
Regression:
No

Description

when the role from sso contains = and/or , , the mapping does not work
Consider this appartenance

CN=AAAA-BBBBB,OU=Groups,OU=_IT,OU=BB-DD,OU=UUU-XXXX-YY,DC=ee,DC=if,DC=ttttt,DC=uuu

there is no way to get the mapping to work

IdP configuration has registered role mapping: [("CN=AAAA-BBBBB,OU=Groups,OU=_IT,OU=BB-DD,OU=UUU-XXXX-YY,DC=ee,DC=if,DC=ttttt,DC=uuu",administrator)]

(with the quote, it doesn't match anything)

tried to quote, triple quote, escape, without success

Actions #2

Updated by François ARMAND 9 days ago

  • Assignee set to François ARMAND
Actions #3

Updated by François ARMAND 9 days ago

  • Status changed from New to In progress
Actions #4

Updated by François ARMAND 8 days ago

  • Status changed from In progress to Pending technical review
  • Assignee changed from François ARMAND to Clark ANDRIANASOLO
  • Pull Request set to https://github.com/Normation/rudder-plugins/pull/769
Actions #5

Updated by Anonymous 5 days ago

  • Status changed from Pending technical review to Pending release
Actions #6

Updated by Clark ANDRIANASOLO 3 days ago

  • Fix check changed from To do to Checked

It now works with additional configuration with reverseEntitlements :

rudder.auth.oauth2.provider.okta.roles.mapping.entitlements.rudder_admin=administrator
rudder.auth.oauth2.provider.okta.roles.mapping.entitlements.rudder_readonly=read_only
rudder.auth.oauth2.provider.okta.roles.mapping.reverseEntitlements.read_only=CN=AAAA-BBBBB,OU=Groups,OU=_IT,OU=BB-DD,OU=UUU-XXXX-YY,DC=ee,DC=if,DC=ttttt,DC=uuu

, the mapping is correctly assigned :
2024-11-20 16:21:51+0300 TRACE auth-backends - IdP configuration has registered role mapping: [(CN=AAAA-BBBBB,OU=Groups,OU=_IT,OU=BB-DD,OU=UUU-XXXX-YY,DC=ee,DC=if,DC=ttttt,DC=uuu,read_only); (rudder_admin,administrator); (rudder_readonly,read_only)]

Actions

Also available in: Atom PDF