feat: Implement customer invitation infrastructure in Authentik

- Added IInvitationSetupService and InvitationSetupService to orchestrate the setup of invitation infrastructure for customers. - Introduced methods for creating groups, enrollment flows, invitation stages, roles, and policies in Authentik. - Updated PostInstanceInitService to call the new invitation setup methods during post-initialization. - Enhanced InstanceService to pass customer name during SAML configuration deployment. - Updated App.axaml.cs to register the new IInvitationSetupService. - Modified settings-custom.php.template to include documentation for SAML authentication configuration with group-based admin assignment. - Added logic to exclude specific groups from being synced to Xibo during group synchronization.
2026-03-04 21:58:59 -05:00
parent 9493bdb9df
commit 150549a20d
8 changed files with 1305 additions and 8 deletions
--- a/templates/settings-custom.php.template
+++ b/templates/settings-custom.php.template
@@ -1,4 +1,30 @@
 <?php
+/**
+ * SAML Authentication Configuration with Group-Based Admin Assignment
+ *
+ * Group-Based Admin Assignment:
+ * ────────────────────────────────────────────────────────────────────────
+ * To make members of specific Authentik groups admins in Xibo:
+ *
+ * 1. In Authentik, create a custom property mapping for your SAML provider:
+ *    - Name: saml-usertypeid
+ *    - Expression: Return "1" if user in admin group, else return empty string
+ *    - Example: return "1" if user.groups.all() | selectattr("name", "equalto", "OTS IT") else ""
+ *
+ * 2. Attach this mapping to the SAML provider via the API or UI
+ *
+ * 3. The usertypeid mapping below will read this attribute from the SAML response
+ *
+ * 4. On JIT provisioning, Xibo will assign users with usertypeid=1 as super-admins
+ *
+ * Excluded Groups:
+ * ────────────────────────────────────────────────────────────────────────
+ * Groups listed in {{EXCLUDED_GROUPS}} are not synced to Xibo during provisioning.
+ * However, users in excluded groups can still log in via SSO (they'll use the
+ * default 'Users' group). Use this to prevent internal admin groups from appearing
+ * as Xibo user groups.
+ */
+
 $authentication = new \Xibo\Middleware\SAMLAuthentication();
 $samlSettings = [
    'workflow' => [
@@ -9,7 +35,9 @@ $samlSettings = [
        'slo' => true,
        'mapping' => [
            'UserID' => '',
-            'usertypeid' => '',
+            // usertypeid: Set to 1 (super-admin) for members of admin groups.
+            // Requires a custom SAML property mapping in Authentik (see notes above).
+            'usertypeid' => 'http://schemas.goauthentik.io/2021/02/saml/usertypeid',
            'UserName' => 'http://schemas.goauthentik.io/2021/02/saml/username',
            'email' => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress',
        ],
@@ -61,3 +89,5 @@ $samlSettings = [
        'wantNameIdEncrypted' => false,
    ],
 ];
+
+// {{ EXCLUDED_GROUPS_COMMENT: Groups to exclude from Xibo sync: OTS IT }}