SAML: user -> org provisioning via SAML claims #10921

@jordanh

Description

Issue - Enhancement

A while ago, we had opened #4125 in response to enterprise user feedback that they wished to have a way to provision a user on an org and a team via SAML claims.

Just this week we had a partner who provides secure cloud services to the government ask for something similar. In this case, provisioning to an org is more important than provisioning to a specific team; so we'll start there.

The partner's platform hosts multiple DoD organizations on the same tenant. These organizations all share a single SAML IdP. Many of the users have identical email domains. However, Parabol's licensing will need to be distinct for each of these joining organizations.

The partner's workflow is envisioned to be the following:

  1. When provisioning a new organization, they'll execute Parabol API calls with su access to set up the new organization:

    • They will create new Organization(s), and provision each organization with a parameter called something similar to SAMLOrgAttribute which will be used to match a user to a Parabol org
    • They will remove the su user from the Organization(s)
  2. When a user joins Parabol for the first time, authenticating with SAML:

    • They will send a request similar to:

      <saml:Attribute FriendlyName="email" Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">[email protected]</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute FriendlyName="username" Name="username" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">jpaulo</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute FriendlyName="displayname" Name="displayname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">jpaulo</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute FriendlyName="organizations" Name="organizations" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">org-1</saml:AttributeValue>
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">org-2</saml:AttributeValue>
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">org-3</saml:AttributeValue>
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">org-4</saml:AttributeValue>
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">org-5</saml:AttributeValue>
      </saml:Attribute>

    • The user will be added to the Organization(s) matching the organizations attribute, provided that the Parabol Organization exists and its SAMLOrgAttribute matches – creating a Personal Organization for that user (as we would normally)

Acceptance Criteria (optional)

su users can:

  • Configure (via our API) the name of the SAML attribute that houses the organizations attribute (used to match against a Parabol Organization's SAMLOrgAttribute field), and have this configuration persisted alongside the global SAML configuration for the instance (i.e. the implicit behavior when all other authentication modes are disabled for private instances)
  • Create, read, update, and delete (set to null) the SAMLOrgAttribute field on an Organization

New users:

  • When providing their identity to Parabol, send the configured attribute that contains the organization string or strings. That is to say, this SAML attribute may be a single organization or a list of organization(s) (see example XML, above)
  • Each organization is matched against the SAMLOrgAttribute field in Parabol's Organization table
  • If the user does not exist on the organization, they are added to that Parabol Organization, creating and adding them to a personal team for them, if necessary

Estimated effort: 23 points (see CONTRIBUTING.md)

Related

#9375
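The matching and provisioning logic the issue describes, written out as an added example in TypeScript. This is not Parabol's code: the field and attribute names (SAMLOrgAttribute, the configured organizations attribute name) come from the issue text; the Organization/MembershipStore shapes, the in-memory store and the sample data are assumptions constructed for the example. It assumes the SAML library has already verified the assertion's signature, audience and validity window and hands over a plain attribute-name-to-values map; claim values are only ever trusted after that step. The example covers the edge cases a reviewer would want checked: a single-valued or missing attribute, claim values with no opted-in org (ignored, as the issue says), an Organization whose SAMLOrgAttribute is null (never matches, even for a claim value of "null" or ""), duplicate SAMLOrgAttribute values across orgs (treated as misconfiguration and refused), and idempotent re-login.

```typescript
// Added example (not Parabol code): match the configured "organizations" claim
// against Organization.SAMLOrgAttribute and add the user to every matching org.
// Field/attribute names follow the issue; types, store and sample data are assumed.

type OrgId = string;

interface Organization {
  id: OrgId;
  name: string;
  samlOrgAttribute: string | null; // null = this org is never SAML-provisioned
}

interface SamlConfig {
  orgAttributeName: string; // instance-wide name of the attribute carrying org values
}

// Attribute name -> values, taken from an assertion only AFTER the SAML library has
// verified signature, audience and validity window (assumed to happen upstream).
type SamlAttributes = Map<string, string[]>;

interface MembershipStore {
  isMember(userId: string, orgId: OrgId): boolean;
  add(userId: string, orgId: OrgId): void;
}

class InMemoryMemberships implements MembershipStore {
  private readonly members = new Set<string>();
  isMember(userId: string, orgId: OrgId): boolean {
    return this.members.has(`${userId}\u0000${orgId}`);
  }
  add(userId: string, orgId: OrgId): void {
    this.members.add(`${userId}\u0000${orgId}`);
  }
}

interface MatchResult {
  matched: Organization[];
  unmatched: string[]; // claim values with no opted-in org: ignored, but worth logging
}

function matchOrgsFromClaims(attrs: SamlAttributes, config: SamlConfig, orgs: readonly Organization[]): MatchResult {
  // Index only orgs that opted in. A null or blank SAMLOrgAttribute must never match,
  // so such orgs are simply absent from the index (a claim value "null" finds nothing).
  const byAttr = new Map<string, Organization>();
  for (const org of orgs) {
    const key = org.samlOrgAttribute?.trim();
    if (!key) continue;
    if (byAttr.has(key)) {
      // Two orgs claiming one value is a misconfiguration; refuse rather than guess.
      throw new Error(`SAMLOrgAttribute "${key}" is set on more than one organization`);
    }
    byAttr.set(key, org);
  }
  // A single-valued attribute is a one-element list; a missing attribute yields no
  // org memberships (the caller still creates the user's personal organization).
  const values = attrs.get(config.orgAttributeName) ?? [];
  const seen = new Set<string>();
  const result: MatchResult = { matched: [], unmatched: [] };
  for (const raw of values) {
    const value = raw.trim();
    if (value === '' || seen.has(value)) continue;
    seen.add(value);
    const org = byAttr.get(value); // exact, case-sensitive comparison (assumption)
    if (org) result.matched.push(org);
    else result.unmatched.push(value);
  }
  return result;
}

interface ProvisionResult extends MatchResult {
  added: OrgId[];         // memberships created by this login
  alreadyMember: OrgId[]; // memberships that already existed (idempotent re-login)
}

function provisionUser(userId: string, attrs: SamlAttributes, config: SamlConfig,
                       orgs: readonly Organization[], store: MembershipStore): ProvisionResult {
  const match = matchOrgsFromClaims(attrs, config, orgs);
  const added: OrgId[] = [];
  const alreadyMember: OrgId[] = [];
  for (const org of match.matched) {
    if (store.isMember(userId, org.id)) alreadyMember.push(org.id);
    else { store.add(userId, org.id); added.push(org.id); }
  }
  return { ...match, added, alreadyMember };
}

// Constructed sample data mirroring the issue's XML: the claim lists org-1..org-5,
// but only org-1 and org-2 were given a SAMLOrgAttribute by the su user.
const sampleOrgs: Organization[] = [
  { id: 'o1', name: 'DoD Org 1', samlOrgAttribute: 'org-1' },
  { id: 'o2', name: 'DoD Org 2', samlOrgAttribute: 'org-2' },
  { id: 'o3', name: 'DoD Org 3', samlOrgAttribute: null }, // exists but not opted in
  { id: 'p1', name: 'jpaulo personal', samlOrgAttribute: null },
];
const sampleConfig: SamlConfig = { orgAttributeName: 'organizations' };
const sampleClaims: SamlAttributes = new Map<string, string[]>([
  ['email', ['jpaulo@example.com']],
  ['username', ['jpaulo']],
  ['organizations', ['org-1', 'org-2', 'org-3', 'org-4', 'org-5']],
]);

function demo(): ProvisionResult {
  const store = new InMemoryMemberships();
  provisionUser('jpaulo', sampleClaims, sampleConfig, sampleOrgs, store); // first login
  return provisionUser('jpaulo', sampleClaims, sampleConfig, sampleOrgs, store); // re-login
}
```

Note that, because many users in the partner's tenant share an email domain, nothing in this logic looks at the email attribute: the organizations claim is the only discriminator, which is why values with no opted-in org are dropped rather than guessed, and why a null SAMLOrgAttribute is excluded from the index instead of compared.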

Metadata

Status: Done