SAML2 Authorization configuration

[artgoldberg]

Hello Leaf Folks

The Leaf installation documentation suggests this starting point for configuring SAML2 authentication and authorization in the Leaf API appsettings:

"Authentication": {
    "Mechanism": "SAML2",
    ...
    "SAML2": {
    "Headers": {
        "ScopedIdentity": "eppn"
        }
    }
},
"Authorization": {
    "Mechanism": "SAML2",
    "SAML2": {
    "HeadersMapping": {
        "Entitlements": {
            "Name": "gws_groups",
            "Delimiter": ";"
        }
    },
    "RolesMapping": {
        "User": "urn:mace:washington.edu:groups:uw_leaf_users",
        "Super": "NOT_USED",
        "Identified": "urn:mace:washington.edu:groups:uw_leaf_identified",
        "Admin": "urn:mace:washington.edu:groups:uw_leaf_admins"
    }
},

I'm currently working on getting SAML2 authentication working. I know that our SAML2 IdP (Azure AD) will return emailaddress as a claim name, which I think is a SAML2 attribute. This is its configuration:

Therefore, I'm configuring authentication like this:

"Authentication": {
  "Mechanism": "SAML2",
  "SessionTimeoutMinutes": 480,
  "InactivityTimeoutMinutes": 20,
  "LogoutURI": "https://login.microsoftonline.com/ uid redacted /saml2",
  "SAML2": {
    "Headers": {
      "ScopedIdentity": "emailaddress"
    }
  }
},

Short-term, until SAML2 authentication works, how should I configure authorization so that all users who login are super users?

Thanks
Arthur

[ndobb]

Hi @artgoldberg and sorry for the slow response. Hopefully, I'm not misunderstanding, but these are claims used essentially for identifying users (ie, authentication) rather than entitlements which Leaf would map to roles (authorization), right?

What entitlements are coming across from Shibboleth?