[Solved] SAML Group Mapping

Dear Seafile Team,

Is it possible to map SAML Group Membership with Seafile Groups or Departments during login of the user?

Use Case: Customer has multiple managed groups in Azure AD and he would like to map the users with the corresponding Seafile Department to manage the access to files and libraries.

As he already has multiple SAML apps with group mapping, he doesn’t want to manage the membership manually in Seafile.

It would be great if you could manage to establish a mapping between the group ID in Azure AD and the Department ID in Seafile over Group Claims.

Reference: https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-group-claims

Is there any possibility to achieve this goal?

Thank you very much for your response!

@daniel.pan do you see any possibility to sync SAML groups?

We will give it a check this week.

I think to use SAML group mapping, the groups in Azure AD must first be synced to Seafile? Is it possible to sync groups from Azure AD for this customer?

Hello @daniel.pan, how should we sync the groups to Seafile? Do you have any tutorial to do this?
As far as I can see, the only option is currently the LDAP sync. LDAP is no option for our customer.

Can you send me a reference document on how another app handles group sync from Azure AD?

Hello Daniel,

I think there are 2 possible ways. The first is to extract the group claim from the SAML response, where all the group memberships are located, and then map those to a group ID in Seafile:

The other possibility I see is to use an extra field of the user to identify the groups and map them to a Seafile Department or Group the user should be part of, as Elasticsearch does it.

The attributes that are mapped via the realm configuration are used to process role mapping rules, and these rules determine which roles a user is granted.

The user fields that are provided to the role mapping are derived from the SAML attributes as follows:

  • username: The principal attribute
  • dn: The dn attribute
  • groups: The groups attribute
  • metadata: See User metadata

For more information, see Mapping users and groups to roles and Role mappings.

If your IdP has the ability to provide groups or roles to Service Providers, then you should map this SAML attribute to the attributes.groups setting in the Elasticsearch realm, and then make use of it in a role mapping as per the example below.

I think the second one should be much easier to implement.
I hope this will help you.

@daniel.pan perhaps much easier:

  • Add a custom field to the user in Azure AD or any other IdP, for example user.departmentid
  • Enter the Seafile Department ID or Name (whichever is better for you) in this field
  • Parse the field during SAML logon like the Role field and assign the user to the corresponding department
  • In this case no mapping table or settings need to be done in Seafile

Limitation: User could only be a member of one department. Perhaps no big issue for version 0.1

What do you think about that?

The solution sounds easy. But you need to let the customer create the departments or groups first. Is it okay for your customer?

Yes, this is no issue for my customer.

@daniel.pan do you have any information about a possible implementation time for this feature?

Does this customer use a dedicated Seafile system?

We can add such a feature in April.

Hello Daniel, yes, the customer uses a dedicated Seafile system.

@daniel.pan do you have any update regarding the development of the feature?

Can you check if this is what you need:

The list of groups of a user will be read from attribute seafile_groups. During login, the user will be added to new groups and removed from missed groups.
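
The login-time sync described in the post above, sketched as an added example (it is not Seafile's code and not from any participant in this thread). It assumes the `seafile_groups` attribute arrives as a list of numeric group-ID strings from an assertion that has already been validated; the function names and in-memory stores are hypothetical, and treating an absent attribute as "no change" is a choice of this example.

```python
# Added example, not Seafile's implementation. Function names and the
# in-memory stores are hypothetical; all sample data is constructed.

GROUP_ATTR = "seafile_groups"  # attribute name given in the thread


def parse_group_ids(attributes):
    """Return asserted group IDs, or None when the attribute is absent.

    Assumes `attributes` comes from an assertion whose signature, audience
    and validity window were already verified, as name -> list of strings.
    """
    if GROUP_ATTR not in attributes:
        return None
    ids = set()
    for value in attributes[GROUP_ATTR]:
        value = str(value).strip()
        if value.isascii() and value.isdigit():  # drop malformed values
            ids.add(int(value))
    return ids


def plan_sync(asserted, current, existing):
    """Return (to_add, to_remove, ignored) for one login."""
    if asserted is None:
        # Assumption: a missing attribute means "no statement", so nothing changes.
        return set(), set(), set()
    ignored = asserted - existing   # never create groups from IdP input
    wanted = asserted & existing
    return wanted - current, current - wanted, ignored


def sync_on_login(user, attributes, memberships, existing):
    """Apply the plan to `memberships` and return an audit record."""
    current = memberships.get(user, set())
    to_add, to_remove, ignored = plan_sync(parse_group_ids(attributes), current, existing)
    memberships[user] = (current | to_add) - to_remove
    return {"user": user, "added": sorted(to_add),
            "removed": sorted(to_remove), "ignored": sorted(ignored)}


if __name__ == "__main__":
    existing_groups = {1, 2, 3}                      # created beforehand by an admin
    members = {"alice@example.com": {1, 2}}
    attrs = {GROUP_ATTR: ["2", "3", "99", "x"]}      # constructed assertion data
    print(sync_on_login("alice@example.com", attrs, members, existing_groups))
    # An explicitly empty list removes every membership; absence changes nothing.
    print(sync_on_login("alice@example.com", {GROUP_ATTR: []}, members, existing_groups))
```

The audit record makes removals visible, which matters because each login can revoke access to libraries shared with a group.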

@daniel.pan thank you very much. The sync works as expected. Can you merge the commit into any future release and close the request?

Glad to hear the feature can work. It will be included in version 11.0.
