OTSSigns/OTSSignsOrchestrator
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
c2e03de8bbc6db689819fc13578a66da21d03778
OTSSignsOrchestrator/templates/settings-custom.php.template

103 lines
4.6 KiB
Plaintext
Raw Blame History

<?php
/**
* SAML Authentication Configuration with Group-Based Admin Assignment
*
* Group-Based Admin Assignment (AUTOMATIC):
* ────────────────────────────────────────────────────────────────────────
* The OTSSignsOrchestrator AUTOMATICALLY creates and configures:
*
* 1. A custom property mapping "saml-usertypeid" in Authentik that:
* - Returns "1" for users in the "OTS IT" group
* - Returns empty string for other users
*
* 2. Attaches this mapping to the SAML provider so the attribute is sent in SAML responses
*
* 3. Configures Xibo to read the usertypeid SAML attribute (see 'usertypeid' mapping below)
*
* Result: OTS IT members are automatically assigned as super-admins on SSO login.
* Other users are assigned normal permissions.
*
* If OTS IT members are NOT getting admin access:
* ────────────────────────────────────────────────────────────────────────
* 1. Check Authentik logs for "saml-usertypeid" mapping creation errors
* 2. Verify the mapping exists: Authentik → Customization → Property Mappings
* 3. Verify it's attached to the SAML provider: Authentik → Providers → SAML → Properties
* 4. Enable Xibo SAML debug logging below ('debug' => true) and check xibo.log after login
* 5. Check SAML assertion in browser dev tools (Network tab, catch SAML response)
*
* Excluded Groups:
* ────────────────────────────────────────────────────────────────────────
* Groups listed in {{EXCLUDED_GROUPS}} are not synced to Xibo during provisioning.
* However, users in excluded groups can still log in via SSO (they'll use the
* default 'Users' group). Use this to prevent internal admin groups from appearing
* as Xibo user groups.
*/
$authentication = new \Xibo\Middleware\SAMLAuthentication();
$samlSettings = [
'workflow' => [
'jit' => true,
'field_to_identify' => 'UserName',
'libraryQuota' => 1000,
'homePage' => 'icondashboard.view',
'slo' => true,
'mapping' => [
'UserID' => '',
// usertypeid: Set to 1 (super-admin) for members of OTS IT group.
// The saml-usertypeid custom property mapping (auto-created during provisioning)
// outputs this attribute. Xibo's JIT provisioning reads it and auto-assigns admins.
'usertypeid' => 'saml-usertypeid',
'UserName' => 'http://schemas.goauthentik.io/2021/02/saml/username',
'email' => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress',
],
'group' => 'Users',
'matchGroups' => [
'enabled' => true,
'attribute' => 'http://schemas.goauthentik.io/2021/02/saml/groups',
'extractionRegEx' => null,
],
],
'strict' => true,
'debug' => true,
'baseurl' => '{{SAML_BASE_URL}}',
'idp' => [
'entityId' => '{{AUTHENTIK_IDP_ENTITY_ID}}',
'singleSignOnService' => [
'url' => '{{AUTHENTIK_SSO_URL}}',
'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
],
'singleLogoutService' => [
'url' => '{{AUTHENTIK_SLO_URL}}',
'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
],
'x509cert' => '{{AUTHENTIK_IDP_X509_CERT}}',
],
'sp' => [
'entityId' => '{{SAML_SP_ENTITY_ID}}',
'assertionConsumerService' => [
'url' => '{{SAML_BASE_URL}}/acs',
'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
],
'singleLogoutService' => [
'url' => '{{SAML_BASE_URL}}/sls',
'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
],
'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
'x509cert' => '',
'privateKey' => '',
],
'security' => [
'nameIdEncrypted' => false,
'authnRequestsSigned' => false,
'logoutRequestSigned' => false,
'logoutResponseSigned' => false,
'signMetadata' => false,
'wantMessagesSigned' => false,
'wantAssertionsSigned' => false,
'wantAssertionsEncrypted' => false,
'wantNameIdEncrypted' => false,
],
];
// {{ EXCLUDED_GROUPS_COMMENT: Groups to exclude from Xibo sync: OTS IT }}
Reference in New Issue View Git Blame Copy Permalink