Bug #25827
Cannot use roles from SSO containing = or ,
Status: Pending release
Priority: 1 (highest)
Assignee:
Target version:
Pull Request:
Severity:
UX impact:
User visibility:
Effort required:
Priority: 0
Name check: To do
Fix check: Checked
Regression: No
Description
When the role from SSO contains = and/or , the mapping does not work.
Consider this membership:
CN=AAAA-BBBBB,OU=Groups,OU=_IT,OU=BB-DD,OU=UUU-XXXX-YY,DC=ee,DC=if,DC=ttttt,DC=uuu
There is no way to get the mapping to work:
IdP configuration has registered role mapping: [("CN=AAAA-BBBBB,OU=Groups,OU=_IT,OU=BB-DD,OU=UUU-XXXX-YY,DC=ee,DC=if,DC=ttttt,DC=uuu",administrator)]
(with the quote, it doesn't match anything)
Tried to quote, triple quote, escape, without success.
Updated by François ARMAND 8 days ago
- Status changed from In progress to Pending technical review
- Assignee changed from François ARMAND to Clark ANDRIANASOLO
- Pull Request set to https://github.com/Normation/rudder-plugins/pull/769
Updated by Anonymous 5 days ago
- Status changed from Pending technical review to Pending release
Applied in changeset rudder:rudder-plugins|7ee9fdda3ec6cde3b2a7b996b1b12f57b1ae247e.
Updated by Clark ANDRIANASOLO 3 days ago
- Fix check changed from To do to Checked
It now works with additional configuration with reverseEntitlements:
rudder.auth.oauth2.provider.okta.roles.mapping.entitlements.rudder_admin=administrator
rudder.auth.oauth2.provider.okta.roles.mapping.entitlements.rudder_readonly=read_only
rudder.auth.oauth2.provider.okta.roles.mapping.reverseEntitlements.read_only=CN=AAAA-BBBBB,OU=Groups,OU=_IT,OU=BB-DD,OU=UUU-XXXX-YY,DC=ee,DC=if,DC=ttttt,DC=uuu
The mapping is correctly assigned:
2024-11-20 16:21:51+0300 TRACE auth-backends - IdP configuration has registered role mapping: [(CN=AAAA-BBBBB,OU=Groups,OU=_IT,OU=BB-DD,OU=UUU-XXXX-YY,DC=ee,DC=if,DC=ttttt,DC=uuu,read_only); (rudder_admin,administrator); (rudder_readonly,read_only)]
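Added example, not part of the ticket and not the plugin's own code: a sketch of how the three configuration lines above yield the registered mapping shown in the trace, and why a DN survives on the value side but not on the key side. It assumes each line is read as key=value split on the first `=`; `parse_line`, `build_mapping` and `rudder_roles` are hypothetical names.

```python
# Added sketch, not Rudder plugin code. Assumption: each line is read as
# key=value, split on the FIRST '=' (as a plain properties reader does).
PREFIX = "rudder.auth.oauth2.provider.okta.roles.mapping."
DN = "CN=AAAA-BBBBB,OU=Groups,OU=_IT,OU=BB-DD,OU=UUU-XXXX-YY,DC=ee,DC=if,DC=ttttt,DC=uuu"

# The three lines from the comment above.
CONFIG = [
    PREFIX + "entitlements.rudder_admin=administrator",
    PREFIX + "entitlements.rudder_readonly=read_only",
    PREFIX + "reverseEntitlements.read_only=" + DN,
]

def parse_line(line):
    """Split on the first '=' only; everything after it is the value."""
    key, _, value = line.partition("=")
    return key.strip(), value.strip()

def build_mapping(lines):
    """Return {IdP role value: Rudder role} from both mapping forms."""
    fwd, rev = PREFIX + "entitlements.", PREFIX + "reverseEntitlements."
    mapping = {}
    for line in lines:
        key, value = parse_line(line)
        if key.startswith(fwd):
            # entitlements.<IdP value>=<Rudder role>
            mapping[key[len(fwd):]] = value
        elif key.startswith(rev):
            # reverseEntitlements.<Rudder role>=<IdP value>: the IdP value
            # sits on the value side, so its '=' and ',' are kept verbatim.
            mapping[value] = key[len(rev):]
    return mapping

def rudder_roles(idp_roles, mapping):
    """Exact-match lookup; unmapped IdP values grant nothing."""
    return sorted({mapping[r] for r in idp_roles if r in mapping})

if __name__ == "__main__":
    registered = build_mapping(CONFIG)
    print(registered)
    print(rudder_roles([DN], registered))
    # Constructed counter-case: the DN used as the key is cut at its first '='.
    print(build_mapping([PREFIX + "entitlements." + DN + "=administrator"]))
```

After changing the mapping, compare the `IdP configuration has registered role mapping` trace line against the exact string the IdP sends, since the lookup is an exact match.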