Support filtering users in the SAML auth provider by LDAP group membership

Created by: miveronese

In our current SAML implementation, when a user logs in or tries to sign up, our backend receives from our customers' Identity Providers (via a POST request to the /acs endpoint) an XML document that contains information such as username, email and display name. But we can retrieve more information from that document and use it to grant or limit access to Sourcegraph.

Options:

  • the user object could have an extra attribute such as "sourcegraph: true"
  • or we could use another field (added as an Attribute Statement, for example) that the user defines and that evaluates to true

References: Okta supports Attribute Statements and also Group Statements; OneLogin, Azure AD, PingOne and AD FS also allow users to add Attribute Statements.

Subtasks:

  • Determine how we want to add additional attributes to the user object for SAML
  • Do the actual filtering of users for SAML (before the actual user object is created in the database)
  • Make the filter configurable with site config, similar to how we can filter GitHub orgs
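As an added illustration of the second subtask (filtering on an assertion attribute before the user object is created), and not Sourcegraph's own code: a Go sketch that parses the AttributeStatement of a SAML assertion and allows sign-in only when a configured attribute carries one of the allowed values. The sample assertion, the `AttributeFilter` shape and the `groups` / `sourcegraph-users` names are constructed assumptions, and the check is assumed to run after the assertion's signature has already been verified.

```go
package main

import "encoding/xml"

// Constructed sample assertion (not from a real IdP); its signature is assumed
// to have been verified before this check runs.
const sampleAssertion = `<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>engineering</saml:AttributeValue>
      <saml:AttributeValue>sourcegraph-users</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>`

// Minimal model of the AttributeStatement; encoding/xml matches on local
// names, so the saml: prefix needs no special handling.
type samlAssertion struct {
	XMLName    xml.Name `xml:"Assertion"`
	Attributes []struct {
		Name   string   `xml:"Name,attr"`
		Values []string `xml:"AttributeValue"`
	} `xml:"AttributeStatement>Attribute"`
}

// AttributeFilter is a hypothetical site-config shape: allow sign-in only when
// the named attribute carries at least one of the allowed values.
type AttributeFilter struct {
	Attribute     string
	AllowedValues []string
}

// Allowed is fail-closed: a parse error, a missing attribute or no matching
// value all deny access.
func Allowed(assertionXML []byte, f AttributeFilter) (bool, error) {
	var a samlAssertion
	if err := xml.Unmarshal(assertionXML, &a); err != nil {
		return false, err
	}
	for _, attr := range a.Attributes {
		if attr.Name != f.Attribute {
			continue
		}
		for _, v := range attr.Values {
			for _, want := range f.AllowedValues {
				if v == want {
					return true, nil
				}
			}
		}
	}
	return false, nil
}
```

Calling `Allowed([]byte(sampleAssertion), AttributeFilter{Attribute: "groups", AllowedValues: []string{"sourcegraph-users"}})` returns true, while a filter on a group the assertion does not carry returns false.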