From b19d363355df23ef835bc1dada6503360e58aaee Mon Sep 17 00:00:00 2001 From: Maximilien Cuony Date: Fri, 10 May 2024 18:36:13 +0200 Subject: [PATCH] SAML team mapping documentation See https://github.com/kimai/kimai/pull/4770 --- _documentation/saml.md | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/_documentation/saml.md b/_documentation/saml.md index 25a8117df..3e2a7b99e 100644 --- a/_documentation/saml.md +++ b/_documentation/saml.md @@ -35,6 +35,12 @@ kimai: - { saml: Admin, kimai: ROLE_SUPER_ADMIN } - { saml: Manager, kimai: ROLE_ADMIN } - { saml: Teamlead, kimai: ROLE_TEAMLEAD } + teams: + resetOnLogin: true + attribute: groups + mapping: + # Insert your team-mapping there. You can find group IDs in the URL of your brower when you edit a group on kimai + - { saml: Example group, kimai: 1, leader: false } connection: idp: entityId: 'https://accounts.google.com/o/saml2?idpid=your-google-id' @@ -109,6 +115,11 @@ kimai: mapping: - { saml: Admin, kimai: ROLE_ADMIN } - { saml: Manager, kimai: ROLE_TEAMLEAD } + teams: + resetOnLogin: true + attribute: groups + mapping: + - { saml: Example group, kimai: 1, leader: false } ``` A brief description of the available fields: @@ -120,10 +131,14 @@ A brief description of the available fields: - `resetOnLogin` (bool) if `true` all user roles will be reset upon login and synced with the SAML roles, if `false` you can configure user roles in Kimai and only the mapped ones will be forced when the user logs-in (other roles will stick with the user) - config exists since 1.22.0 - `attribute` (string) the SAML attribute whose values are used for syncing the groups - `mapping` (array) an array of role name mappings. The `saml` key is your SAML role name (here `Admin` and `Manager`) and the key `kimai` (here `ROLE_ADMIN` and `ROLE_TEAMLEAD`) is the role name in Kimai. Unmapped roles from the SAML message will be IGNORED even if they are existing in Kimai. +- `teams` (array) settings related to the user teams syncing + - `resetOnLogin` (bool) if `true` all user teams will be reset upon login and synced with the SAML roles, if `false` you can configure user teams in Kimai and only the mapped ones will be forced when the user logs-in (other teams will stick with the user) + - `attribute` (string) the SAML attribute whose values are used for syncing the teams + - `mapping` (array) an array of role name mappings. The `saml` key is your SAML role name (here `Example group`), the key `kimai` (here 1) is the team id in Kimai and the key `leader` is a boolean specifing if the user should be leader of the team. You can find the team id in the URL of your browser when you edit a team. Unmapped teams from the SAML message will be IGNORED even if they are existing in Kimai. If you have troubles with your certificate you can [use this online tool](https://www.samltool.com/format_x509cert.php) to convert the X.509 cert into "string format". -{% include alert.html type="info" alert="User data and roles are synchronized during each login." %} +{% include alert.html type="info" alert="User data, roles and teams are synchronized during each login." %} {% include alert.html type="info" alert="Every user automatically owns the ROLE_USER role, you don't have to create a mapping for it." %} {% include alert.html type="warning" alert="Every user needs a username and email address, you cannot activate SAML without a mapping for the email. The username cannot be set from SAML attributes, but will always be taken from the SAML request." %}