feat: Update Authentik integration and enhance Docker Compose templates

templates/settings-custom.php.template

@@ -2,20 +2,28 @@
 /**
  * SAML Authentication Configuration with Group-Based Admin Assignment
  *
- * Group-Based Admin Assignment:
+ * Group-Based Admin Assignment (AUTOMATIC):
  * ────────────────────────────────────────────────────────────────────────
- * To make members of specific Authentik groups admins in Xibo:
+ * The OTSSignsOrchestrator AUTOMATICALLY creates and configures:
  *
- * 1. In Authentik, create a custom property mapping for your SAML provider:
- *    - Name: saml-usertypeid
- *    - Expression: Return "1" if user in admin group, else return empty string
- *    - Example: return "1" if user.groups.all() | selectattr("name", "equalto", "OTS IT") else ""
+ * 1. A custom property mapping "saml-usertypeid" in Authentik that:
+ *    - Returns "1" for users in the "OTS IT" group
+ *    - Returns empty string for other users
  *
- * 2. Attach this mapping to the SAML provider via the API or UI
+ * 2. Attaches this mapping to the SAML provider so the attribute is sent in SAML responses
  *
- * 3. The usertypeid mapping below will read this attribute from the SAML response
+ * 3. Configures Xibo to read the usertypeid SAML attribute (see 'usertypeid' mapping below)
  *
- * 4. On JIT provisioning, Xibo will assign users with usertypeid=1 as super-admins
+ * Result: OTS IT members are automatically assigned as super-admins on SSO login.
+ *         Other users are assigned normal permissions.
+ *
+ * If OTS IT members are NOT getting admin access:
+ * ────────────────────────────────────────────────────────────────────────
+ * 1. Check Authentik logs for "saml-usertypeid" mapping creation errors
+ * 2. Verify the mapping exists: Authentik → Customization → Property Mappings
+ * 3. Verify it's attached to the SAML provider: Authentik → Providers → SAML → Properties
+ * 4. Enable Xibo SAML debug logging below ('debug' => true) and check xibo.log after login
+ * 5. Check SAML assertion in browser dev tools (Network tab, catch SAML response)
  *
  * Excluded Groups:
  * ────────────────────────────────────────────────────────────────────────
@@ -35,9 +43,10 @@ $samlSettings = [
         'slo' => true,
         'mapping' => [
             'UserID' => '',
-            // usertypeid: Set to 1 (super-admin) for members of admin groups.
-            // Requires a custom SAML property mapping in Authentik (see notes above).
-            'usertypeid' => 'http://schemas.goauthentik.io/2021/02/saml/usertypeid',
+            // usertypeid: Set to 1 (super-admin) for members of OTS IT group.
+            // The saml-usertypeid custom property mapping (auto-created during provisioning)
+            // outputs this attribute. Xibo's JIT provisioning reads it and auto-assigns admins.
+            'usertypeid' => 'saml-usertypeid',
             'UserName' => 'http://schemas.goauthentik.io/2021/02/saml/username',
             'email' => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress',
         ],

templates/template.yml

@@ -43,6 +43,8 @@ services:
         aliases:
           - web
     deploy:
+      placement:
+        constraints: [node.role == worker]
       restart_policy:
         condition: any
       resources:
@@ -57,6 +59,8 @@ services:
         aliases:
           - memcached
     deploy:
+      placement:
+        constraints: [node.role == worker]
       restart_policy:
         condition: any
       resources:
@@ -70,6 +74,8 @@ services:
         aliases:
           - quickchart
     deploy:
+      placement:
+        constraints: [node.role == worker]
       restart_policy:
         condition: any
 
@@ -84,6 +90,8 @@ services:
     networks:
       {{ABBREV}}-net: {}
     deploy:
+      placement:
+        constraints: [node.role == worker]
       restart_policy:
         condition: any