Hi, I was able to assign
The following response is received in Groups:
<saml:Attribute Name="Groups">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">18029425,10790416</saml:AttributeValue>
</saml:Attribute>
The security level grants are weird, as they don’t have Administrator or User, but rather the string itself.
Any idea how I can assign Administrator to 10790416 and User to the other one?

I’m reading about runScript too, but wanted to make sure: can I make a runScript and paste it directly into the User Attribute Mapping > “Roles” > Expression textbox?
I'm pretty sure you want the special containsAny expression here:
Can you give me a clearer way of doing this?
So: in Administrator security expression/RULE, should I type in:
ContainsAny('10790416')
I think that in theory it would be something like this:
containsAny(
{multi-attribute-source:authnResponse:/saml2p:Response/saml2:Assertion/saml2:AttributeStatement/saml2:Attribute[@Name="Groups"]/saml2:AttributeValue/text()},
10790416
)
Based on combining these two pages:
But that may not work, because I think the fact that your IdP is returning the two roles as one string will make things harder. Normally you'd expect an actual multi-value collection in the XML/JSON response from the identity provider, but you're just getting a string that happens to contain a comma.
I expect you can still get around it somehow, possibly requiring runScript, but this is well outside of my area of expertise.
I changed it now on the IDP side, so it shows up like this:
<saml:Attribute Name="Groups">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">18029425</saml:AttributeValue>
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">10790416</saml:AttributeValue>
</saml:Attribute>
Now I’m getting two separate entries here: But Administrator and User are still not visible:
I included these under Security Level Rules for Administrator and User:
containsAny(
{multi-attribute-source:authnResponse:/saml2p:Response/saml2:Assertion/saml2:AttributeStatement/saml2:Attribute[@Name="Groups"]/saml2:AttributeValue/text()},
10790416
)
Mapped roles look like this:
You cannot configure how Role-based Security Levels are granted through User Grants or Security Level Rules.
Role-based Security Levels are granted based on the roles mapped onto the User.
Instead, you’ll need to properly set up the User Attribute Mapping for the Roles attribute.
Here’s a post for how someone else solved this using the runScript expression function inside an expression user attribute mapping: Easiest way to map AD roles to the default security levels - #2 by colethorton
You might upvote this idea linked from the above post: Active Directory Role Mapping | Voters | Inductive Automation
If your role map is simple enough, you might get away with using the case expression function instead of runScript: case | Ignition User Manual
3 Likes
Great! I was able to finally get it via the Roles.
My runScript:
runScript("0\nimport java.util.ArrayList as ArrayList\nroles = ArrayList()\ngroups = '" + toString({multi-attribute-source:authnResponse://saml:Attribute[@Name='Groups']/saml:AttributeValue/text()}) + "'\nif '10790416' in groups:\n\troles.add('Administrator')\nif '18029425' in groups:\n\troles.add('User')\n__RESULT = roles")
1 Like
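As an added example (not the thread's runScript and not Ignition's own API), the plain Python below parses both shapes of the Groups attribute shown in the thread (the original comma-joined string and the later multi-valued form) and maps whole group IDs to roles; the GROUP_TO_ROLE name, the helper names and the XML samples are constructed for the example. Unlike the `'10790416' in groups` substring test, it compares whole IDs after splitting, so a group ID that merely contains the target digits gets no role.

```python
"""Map SAML 'Groups' attribute values to roles (constructed example)."""
import xml.etree.ElementTree as ET

SAML_ASSERTION = "urn:oasis:names:tc:SAML:2.0:assertion"
SAML_NS = {"saml": SAML_ASSERTION}

# Group ID -> role, as assigned in the thread; the dict itself is ours.
GROUP_TO_ROLE = {"10790416": "Administrator", "18029425": "User"}


def attribute_statement(values):
    """Build a constructed AttributeStatement with one AttributeValue per item."""
    body = "".join(
        '<saml:AttributeValue xsi:type="xs:string">{}</saml:AttributeValue>'.format(v)
        for v in values
    )
    tmpl = (
        '<saml:AttributeStatement xmlns:saml="{ns}" '
        'xmlns:xs="http://www.w3.org/2001/XMLSchema" '
        'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
        '<saml:Attribute Name="Groups">{body}</saml:Attribute></saml:AttributeStatement>'
    )
    return tmpl.format(ns=SAML_ASSERTION, body=body)


# Constructed samples: the multi-valued form, the comma-joined form, and a
# look-alike ID that contains 10790416 as a substring but is not that group.
MULTI_VALUE_XML = attribute_statement(["18029425", "10790416"])
COMMA_JOINED_XML = attribute_statement(["18029425,10790416"])
LOOKALIKE_XML = attribute_statement(["110790416"])


def group_ids(xml_text):
    """Return every Groups value as a whole ID; comma-joined strings are split."""
    root = ET.fromstring(xml_text)
    ids = []
    for attr in root.iter("{%s}Attribute" % SAML_ASSERTION):
        if attr.get("Name") != "Groups":
            continue
        for value in attr.findall("saml:AttributeValue", SAML_NS):
            ids.extend(p.strip() for p in (value.text or "").split(",") if p.strip())
    return ids


def roles_for(xml_text):
    """Exact-match each whole ID against the map; no substring matching."""
    return sorted({GROUP_TO_ROLE[g] for g in group_ids(xml_text) if g in GROUP_TO_ROLE})
```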