SAML Group Mapping

Speicherbox · March 15, 2023, 6:47am

Dear Seafile Team,

is it possible to map SAML Group Membership with Seafile Groups or Departments during login of the user.

Use Case: Customer has multiple managed groups in Azure AD and he would like to map the users with the corresponding Seafile Department to manage the access to files and libraries.

As he already has multiple SAML apps with group mapping, he doesn’t want to manage the membership manually in Seafile.

It would be great if you could manage it to establish an Mapping between the group ID in Azure AD and Department ID in Seafile over Group Claims.

Reference: Configure group claims for applications by using Azure Active Directory - Microsoft Entra | Microsoft Learn

Is there any possibility to achieve this goal?

Thank you very much for your response!

Speicherbox · March 17, 2023, 9:02am

@daniel.pan do you see any possibility to sync saml groups

daniel.pan · March 20, 2023, 1:09am

We will give it a check in this week.

daniel.pan · March 21, 2023, 7:20am

I think to use SAML group mapping, the groups in Azure AD must first be synced to Seafile first? Is it possible to sync groups from Azure AD for this customer?

Speicherbox · March 21, 2023, 7:58am

Hello @daniel.pan , how shoud we sync the groups to seafile? Do you have any turtorial to do this?
As far as i can see, the onyl option is currently the LDAP-Sync. LDAP is no Option for our Customer.

daniel.pan · March 21, 2023, 8:59am

Can you send me a reference document on how another app handle group sync from Azure AD?

Speicherbox · March 22, 2023, 6:44am

Hello Daniel,

i think there are 2 possible ways, first is to extract the group claim from the saml response, where all the group memberships are located and then map those to a group ID in Seafile:

The other posibilty i see, is to use a extra field of the user to identify the Groups and map them to a Seafile Department or Group the User should be part of as ElasticSearch do it.

The attributes that are mapped via the realm configuration are used to process role mapping rules, and these rules determine which roles a user is granted.

The user fields that are provided to the role mapping are derived from the SAML attributes as follows:

username: The principal attribute
dn: The dn attribute
groups: The groups attribute
metadata: See User metadata
For more information, see Mapping users and groups to roles and Role mappings.

If your IdP has the ability to provide groups or roles to Service Providers, then you shouldd map this SAML attribute to the attributes.groups setting in the Elasticsearch realm, and then make use of it in a role mapping as per the example below.

I think the second one should be much easier to implement.
I hope this will help you.

Speicherbox · March 23, 2023, 3:50pm

@daniel.pan perhaps much easier:

Add a custom Field to the user in Azure AD or any other IDP for example user.departmentid
Enter the Seafile Department ID or Name (what is better for you) in this field
Parse the Field during SAML Logon like the Role Field and Assign the user to the corresponding department
In this case no mapping table or settings need to be done in seafile

Limitation: User could only be a member of one department. Perhaps no big issue for version 0.1

What do you think about that?

daniel.pan · March 24, 2023, 3:21am

The solution sound easy. But you need to let the customer create the departments or groups first. Is it okay for your customer?

Speicherbox · March 24, 2023, 6:33am

yes, this is no issue for my customer.

Speicherbox · March 28, 2023, 2:52pm

@daniel.pan do you have any informaiton about a possible implementation time for this feature?

daniel.pan · March 29, 2023, 5:47am

Does this customer use a dedicated Seafile system?

We can add such a feature in April.

Speicherbox · March 29, 2023, 5:59am

Hello Daniel, yes the customer use a dedicated Seafile system.