Is there a way to setup an IdP using SAML for authentication but use a database for getting the roles? Our application has roles that are managed outside of active directory so the roles that the IdP provides have nothing to do with the security that is needed inside the project. I was thinking there would be some like User Source AD/Database Hybrid but for Identity Providers.
I could build something custom to look up the users roles from the database inside the project but then i would not be able to use the Ignition security features inside components such as buttons. And i also would not be able to use the security levels on starting up the session.
There is no first-class way to do what you are asking.
I was going to recommend using an expression attribute mapper for the Roles attribute. Assuming you have a user source set up with all of the users that can log in from your IdP and their associated roles, you could write an expression that uses the runScript() function which invokes a script which calls system.user.getUser("userSourceName", "userName").getRoles(). Unfortunately, there is a bug that I just discovered and logged when I tried to do just that, which prevents you from using the runScript() expression function in an attribute mapper expression. Once this bug is fixed, Iâd probably recommend this as the best solution.
Only other idea I can think of for now is to create a custom security level for each set of roles/permissions you need. In the IdPâs security level rules, you can author an expression for each of these custom security levels which uses the hasRole expression function. It will return true or false depending on if the user with the given username and usersource has the target role. This is not an ideal solution since youâd have to call hasRole for each role you require and youâd need to create a security level for each set of roles/permissions you need in your project, which I could see as growing unreasonably large for more complex projects. Also, this solution wouldnât work for areas of the product which do not use security levels and instead rely on roles/security zones (such as Vision), but just thought Iâd throw it out there in case this might be an acceptable workaround for your situation.
where MySQL_User_Source is the name of my user source profile.
Since we are passing jython source code as a string to the runScript expression function, we need to embed the username in the part of the source code where the username argument goes to the system.user.getUser script function using string concatenation (string concatenation is handled by the Ignition expression itself). Just swap my XPath expression (/saml2p:Response/saml2:Assertion/saml2:Subject/saml2:NameID/text()) with the XPath expression you need to dereference the username in your SAML response and it should work.
The User Source test-DB-only is a Database Only type. There was an object in the Auth response called âuserInfoâ with a parameter ânameâ that had the username value I needed.