Is it possible to map SAML group membership to Seafile groups or departments during user login?
Use case: The customer has multiple managed groups in Azure AD and would like to map users to the corresponding Seafile department in order to manage access to files and libraries.
As he already has multiple SAML apps with group mapping, he doesn’t want to manage the membership manually in Seafile.
It would be great if you could establish a mapping between the group ID in Azure AD and the department ID in Seafile via group claims.
I think that to use SAML group mapping, the groups in Azure AD must first be synced to Seafile? Is it possible to sync groups from Azure AD for this customer?
Hello @daniel.pan, how should we sync the groups to Seafile? Do you have any tutorial for doing this?
As far as I can see, the only option currently is LDAP sync. LDAP is not an option for our customer.
I think there are two possible ways. The first is to extract the group claim from the SAML response, where all the group memberships are located, and then map those to a group ID in Seafile.
The other possibility I see is to use an extra field of the user to identify the groups and map them to a Seafile department or group the user should be part of, as Elasticsearch does it:
The attributes that are mapped via the realm configuration are used to process role mapping rules, and these rules determine which roles a user is granted.
The user fields that are provided to the role mapping are derived from the SAML attributes as follows:
username: The principal attribute
dn: The dn attribute
groups: The groups attribute
metadata: See User metadata
For more information, see Mapping users and groups to roles and Role mappings.
If your IdP has the ability to provide groups or roles to Service Providers, then you should map this SAML attribute to the attributes.groups setting in the Elasticsearch realm, and then make use of it in a role mapping as per the example below.
I think the second one should be much easier to implement.
I hope this will help you.
The list of groups of a user will be read from attribute seafile_groups. During login, the user will be added to new groups and removed from missed groups.
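The following is an added example (not code from the thread, Seafile or Elasticsearch) that puts together the two steps discussed above: reading the group attribute out of a SAML assertion, translating the IdP's group identifiers into Seafile group IDs, and computing which memberships to add and which to remove on login. The assertion, the claim name, the Azure AD object IDs and the Seafile group IDs are all constructed for the example; the `GROUP_MAP` table is a hypothetical administrator-maintained mapping, not a Seafile setting. The assertion is assumed to have already been signature-verified and replay-checked by the SAML library before this code touches it.

```python
import xml.etree.ElementTree as ET  # use defusedxml in production to harden XML parsing

SAML_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Claim under which Azure AD emits group object IDs in a SAML token (assumed
# default; check the IdP's claim configuration). The same function can read a
# custom attribute such as "seafile_groups" by passing a different claim_name.
AZURE_GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Hypothetical mapping maintained by the Seafile admin:
# Azure AD group object ID -> Seafile group ID. Unknown IDs are ignored on purpose.
GROUP_MAP = {
    "11111111-1111-1111-1111-111111111111": 7,   # e.g. "Finance" department
    "22222222-2222-2222-2222-222222222222": 12,  # e.g. "Engineering" department
}

# Constructed sample assertion (not a real token); signature elements omitted.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>11111111-1111-1111-1111-111111111111</saml:AttributeValue>
      <saml:AttributeValue>22222222-2222-2222-2222-222222222222</saml:AttributeValue>
      <saml:AttributeValue>33333333-3333-3333-3333-333333333333</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_group_claims(assertion_xml, claim_name=AZURE_GROUPS_CLAIM):
    """Return every AttributeValue of the named attribute, in document order.

    Only the AttributeStatement is consulted; the caller must already have
    verified the assertion's signature, audience and validity window.
    """
    root = ET.fromstring(assertion_xml)
    ns = {"saml": SAML_ASSERTION_NS}
    values = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", ns):
        if attr.get("Name") != claim_name:
            continue
        for value in attr.iterfind("saml:AttributeValue", ns):
            if value.text and value.text.strip():
                values.append(value.text.strip())
    return values


def map_to_seafile_groups(claim_values, group_map=GROUP_MAP):
    """Translate IdP group identifiers into Seafile group IDs.

    Returns (mapped_ids, unmapped_values); unmapped values should be logged,
    never turned into implicit group creation.
    """
    mapped, unmapped = set(), []
    for value in claim_values:
        if value in group_map:
            mapped.add(group_map[value])
        else:
            unmapped.append(value)
    return sorted(mapped), unmapped


def sync_plan(desired_groups, current_groups):
    """Compute the membership changes for a login: (groups to add, groups to remove).

    Only groups present in the mapping are ever touched, so manually managed
    Seafile groups outside GROUP_MAP are left alone.
    """
    desired, current = set(desired_groups), set(current_groups)
    return sorted(desired - current), sorted(current - desired)


if __name__ == "__main__":
    claims = extract_group_claims(SAMPLE_ASSERTION)
    wanted, unknown = map_to_seafile_groups(claims)
    add, remove = sync_plan(wanted, current_groups=[7, 3])
    print("claims:", claims)
    print("unmapped:", unknown)
    print("add:", add, "remove:", remove)
```

Two caveats a practitioner would want here. First, Azure AD omits the groups claim from a SAML token when the user belongs to more than 150 groups and signals an overage instead, so an empty claim list must not be interpreted as "remove the user from every mapped group" without checking for that condition. Second, the removal step only makes sense for groups that come from the IdP; keeping the mapping explicit, as `GROUP_MAP` does, is what prevents the login sync from stripping memberships that were granted manually in Seafile.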