django-allauth-sso-groups
Synchronisation of SSO groups/roles to existing Django groups for use with django-allauth. This app was created to add SSO group/role support to Paperless-ngx, as django-allauth does not natively support groups/roles. Even though this app was created with Paperless-ngx in mind, it should work with other django-allauth scenarios as well.
Important facts
- The user's Django groups are overwritten with the groups reported by the SSO provider! This means that any additionally assigned groups are deleted. This was deliberately implemented so that groups can also be removed again later via SSO.
- Only currently existing Django groups are considered. Non-existent groups are completely ignored, as users may have many groups not related to the current application.
- The groups are only synchronised upon login, as this is the only time the necessary information is easily made available.
Mode of operation / design choices
This app operates by listening for the post_save signal of the SocialAccount model. The signal is fired after a SocialAccount has been saved, which happens during creation and login of a user.
The signal allauth.socialaccount.signals.pre_social_login was not used, as it is fired too early for new users: during the first login there is no local user yet when the signal is fired, and therefore no groups can be added.
It would be possible to achieve similar functionality by using a custom SOCIALACCOUNT_ADAPTER, but this would require building custom Paperless-ngx container images. With the chosen approach it is sufficient to mount this app into the container and set it up as an additional app in Paperless-ngx.
There are example docker-compose files in the contrib/paperless-ngx directory.
Currently tested/supported SSO providers
Uffd (UserFerwaltungsFrontend)
Uffd groups are mapped to Django groups.
Django settings
```python
SOCIALACCOUNT_PROVIDERS = {
    "openid_connect": {
        "SCOPE": [
            "openid",
            "profile",
            "email",
            "groups",
        ],
        "APPS": [
            {
                "provider_id": "uffd",
                "name": "My UFFD SSO",
                "client_id": "MY_VERY_SECURE_CLIENT_ID",
                "secret": "MY_VERY_SECURE_CLIENT_SECRET",
                "settings": {
                    "server_url": "https://uffd.example.org/.well-known/openid-configuration",
                    "token_auth_method": "client_secret_basic",
                },
            },
        ],
    },
}
```
Zitadel
Zitadel roles are mapped to Django groups.
Django settings (all roles)
Requires [X] Assert Roles on Authentication in the project settings.
```python
SOCIALACCOUNT_PROVIDERS = {
    "openid_connect": {
        "SCOPE": [
            "openid",
            "profile",
            "email",
            "urn:zitadel:iam:org:project:roles",
        ],
        "APPS": [
            {
                "provider_id": "zitadel",
                "name": "My Zitadel SSO",
                "client_id": "MY_VERY_SECURE_CLIENT_ID",
                "secret": "MY_VERY_SECURE_CLIENT_SECRET",
                "settings": {
                    "server_url": "https://zitadel.example.org/.well-known/openid-configuration",
                    "token_auth_method": "client_secret_basic",
                },
            },
        ],
    },
}
```
Django settings (only listed roles)
```python
SOCIALACCOUNT_PROVIDERS = {
    "openid_connect": {
        "SCOPE": [
            "openid",
            "profile",
            "email",
            "urn:zitadel:iam:org:project:role_foo",
            "urn:zitadel:iam:org:project:role_bar",
        ],
        "APPS": [
            {
                "provider_id": "zitadel",
                "name": "My Zitadel SSO",
                "client_id": "MY_VERY_SECURE_CLIENT_ID",
                "secret": "MY_VERY_SECURE_CLIENT_SECRET",
                "settings": {
                    "server_url": "https://zitadel.example.org/.well-known/openid-configuration",
                    "token_auth_method": "client_secret_basic",
                },
            },
        ],
    },
}
```
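To make the sync semantics from "Important facts" and "Mode of operation" concrete for both providers above, here is an added example (not the app's own code) that isolates the provider-independent part of a post_save receiver: extracting group or role names from the SocialAccount's extra_data, dropping names with no matching Django group, and computing the replacement set plus the diff worth logging. The claim names and value shapes for uffd and Zitadel, and the use of the configured provider_id as the SocialAccount.provider value, are assumptions about those providers rather than something this README states; Django itself is only referenced in comments so the block runs stand-alone.

```python
from typing import Iterable

# Assumed claim layouts (not taken from this README):
#   uffd:    extra_data["groups"] is a list of group names
#   Zitadel: extra_data["urn:zitadel:iam:org:project:roles"] is a dict
#            {"role_name": {"<org id>": "<org domain>"}}; with the
#            role_foo/role_bar scopes only the requested roles are present.
UFFD_GROUPS_CLAIM = "groups"
ZITADEL_ROLES_CLAIM = "urn:zitadel:iam:org:project:roles"


def sso_group_names(provider_id: str, extra_data: dict) -> set[str]:
    """Return the group/role names carried in a SocialAccount's extra_data."""
    if provider_id == "uffd":
        return set(extra_data.get(UFFD_GROUPS_CLAIM) or [])
    if provider_id == "zitadel":
        return set((extra_data.get(ZITADEL_ROLES_CLAIM) or {}).keys())
    return set()  # unknown provider: no SSO-managed groups


def resolve_groups(sso_names: Iterable[str], existing: Iterable[str]) -> set[str]:
    """Keep only names that exist as Django groups; everything else is ignored."""
    return set(sso_names) & set(existing)


def sync_user_groups(provider_id: str, extra_data: dict,
                     existing_groups: Iterable[str],
                     current_groups: Iterable[str]):
    """Compute the user's new group set. The SSO set fully replaces the
    current set, so manually added groups are removed. Returns
    (new_set, added, removed) so the caller can log the change."""
    new = resolve_groups(sso_group_names(provider_id, extra_data), existing_groups)
    current = set(current_groups)
    return new, new - current, current - new


# Inside Django the receiver would look roughly like this (assumed wiring):
#   @receiver(post_save, sender=SocialAccount)
#   def on_social_account_saved(sender, instance, **kwargs):
#       names = Group.objects.values_list("name", flat=True)
#       new, _, _ = sync_user_groups(instance.provider, instance.extra_data,
#                                    names, instance.user.groups.values_list("name", flat=True))
#       instance.user.groups.set(Group.objects.filter(name__in=new))

if __name__ == "__main__":
    # Constructed sample data: "hr" has no Django group, "editors" was added by hand.
    existing = {"admins", "viewers", "editors"}
    uffd_data = {"sub": "alice", "groups": ["admins", "viewers", "hr"]}
    print(sync_user_groups("uffd", uffd_data, existing, {"editors", "viewers"}))
```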