Social auth and SSO updates:

* Move auth backends into sso app.
* Add support for mapping social auth users into organizations and teams.
* Return social auth backends in a consistent order in the API.
* Remove custom SAML attribute mapping and use options provided by PSA.
* Add pipeline function to raise an exception if no user has been found or created; added comments on how to disable new user creation.
* Add comments for defining a custom social auth pipeline function.

awx/settings/defaults.py

@@ -2,6 +2,7 @@
 # All Rights Reserved.
 
 import os
+import re  # noqa
 import sys
 import djcelery
 from datetime import timedelta
@@ -217,13 +218,13 @@ REST_FRAMEWORK = {
 }
 
 AUTHENTICATION_BACKENDS = (
-    'awx.main.backend.LDAPBackend',
-    'awx.main.backend.RADIUSBackend',
+    'awx.sso.backends.LDAPBackend',
+    'awx.sso.backends.RADIUSBackend',
     'social.backends.google.GoogleOAuth2',
     'social.backends.github.GithubOAuth2',
     'social.backends.github.GithubOrganizationOAuth2',
     'social.backends.github.GithubTeamOAuth2',
-    'awx.main.backend.SAMLAuth',
+    'awx.sso.backends.SAMLAuth',
     'django.contrib.auth.backends.ModelBackend',
 )
 
@@ -355,13 +356,15 @@ SOCIAL_AUTH_PIPELINE = (
     'social.pipeline.social_auth.social_user',
     'social.pipeline.user.get_username',
     'social.pipeline.social_auth.associate_by_email',
-    'social.pipeline.mail.mail_validation',
     'social.pipeline.user.create_user',
+    'awx.sso.pipeline.check_user_found_or_created',
     'social.pipeline.social_auth.associate_user',
     'social.pipeline.social_auth.load_extra_data',
     'awx.sso.pipeline.set_is_active_for_new_user',
     'social.pipeline.user.user_details',
     'awx.sso.pipeline.prevent_inactive_login',
+    'awx.sso.pipeline.update_user_orgs',
+    'awx.sso.pipeline.update_user_teams',
 )
 
 SOCIAL_AUTH_GOOGLE_OAUTH2_KEY = ''
@@ -390,14 +393,6 @@ SOCIAL_AUTH_SAML_TECHNICAL_CONTACT = {}
 SOCIAL_AUTH_SAML_SUPPORT_CONTACT = {}
 SOCIAL_AUTH_SAML_ENABLED_IDPS = {}
 
-SOCIAL_AUTH_SAML_ATTRS_PERMANENT_ID = "name_id"
-SOCIAL_AUTH_SAML_ATTRS_MAP = {
-    "first_name": "User.FirstName",
-    "last_name": "User.LastName",
-    "username": "User.email",
-    "email": "User.email",
-}
-
 SOCIAL_AUTH_LOGIN_URL = '/'
 SOCIAL_AUTH_LOGIN_REDIRECT_URL = '/sso/complete/'
 SOCIAL_AUTH_LOGIN_ERROR_URL = '/sso/error/'
@@ -411,6 +406,9 @@ SOCIAL_AUTH_CLEAN_USERNAMES = True
 SOCIAL_AUTH_SANITIZE_REDIRECTS = True
 SOCIAL_AUTH_REDIRECT_IS_HTTPS = False
 
+SOCIAL_AUTH_ORGANIZATION_MAP = {}
+SOCIAL_AUTH_TEAM_MAP = {}
+
 # Any ANSIBLE_* settings will be passed to the subprocess environment by the
 # celery task.
 

awx/settings/local_settings.py.docker_compose

@@ -525,8 +525,80 @@ SOCIAL_AUTH_SAML_ENABLED_IDPS = {
     #    'url': 'https://myidp.example.com/sso',
     #    'x509cert': '',
     #},
+    #'onelogin': {
+    #    'entity_id': 'https://app.onelogin.com/saml/metadata/123456',
+    #    'url': 'https://example.onelogin.com/trust/saml2/http-post/sso/123456',
+    #    'x509cert': '',
+    #    'attr_user_permanent_id': 'name_id',
+    #    'attr_first_name': 'User.FirstName',
+    #    'attr_last_name': 'User.LastName',
+    #    'attr_username': 'User.email',
+    #    'attr_email': 'User.email',
+    #},
 }
 
+SOCIAL_AUTH_ORGANIZATION_MAP = {
+    # Add all users to the default organization.
+    'Default': {
+        'users': True,
+    },
+    #'Test Org': {
+    #    'admins': ['admin@example.com'],
+    #    'users': True,
+    #},
+    #'Test Org 2': {
+    #    'admins': ['admin@example.com', re.compile(r'^tower-[^@]+*?@.*$],
+    #    'users': re.compile(r'^[^@].*?@example\.com$'),
+    #},
+}
+
+#SOCIAL_AUTH_GOOGLE_OAUTH2_ORGANIZATION_MAP = {}
+#SOCIAL_AUTH_GITHUB_ORGANIZATION_MAP = {}
+#SOCIAL_AUTH_GITHUB_ORG_ORGANIZATION_MAP = {}
+#SOCIAL_AUTH_GITHUB_TEAM_ORGANIZATION_MAP = {}
+#SOCIAL_AUTH_SAML_ORGANIZATION_MAP = {}
+
+SOCIAL_AUTH_TEAM_MAP = {
+    #'My Team': {
+    #    'organization': 'Test Org',
+    #    'users': ['re.compile(r'^[^@]+?@test\.example\.com$')'],
+    #    'remove': True,
+    #},
+    #'Other Team': {
+    #    'organization': 'Test Org 2',
+    #    'users': re.compile(r'^[^@]+?@test2\.example\.com$'),
+    #    'remove': False,
+    #},
+}
+
+#SOCIAL_AUTH_GOOGLE_OAUTH2_TEAM_MAP = {}
+#SOCIAL_AUTH_GITHUB_TEAM_MAP = {}
+#SOCIAL_AUTH_GITHUB_ORG_TEAM_MAP = {}
+#SOCIAL_AUTH_GITHUB_TEAM_TEAM_MAP = {}
+#SOCIAL_AUTH_SAML_TEAM_MAP = {}
+
+# Uncomment one or more of the lines below to prevent new user accounts from
+# being created for the selected social auth providers.  Only users who have
+# previously logged in using social auth or have a user account with a matching
+# email address will be able to login.
+
+#SOCIAL_AUTH_USER_FIELDS = []
+#SOCIAL_AUTH_GOOGLE_OAUTH2_USER_FIELDS = []
+#SOCIAL_AUTH_GITHUB_USER_FIELDS = []
+#SOCIAL_AUTH_GITHUB_ORG_USER_FIELDS = []
+#SOCIAL_AUTH_GITHUB_TEAM_USER_FIELDS = []
+#SOCIAL_AUTH_SAML_USER_FIELDS = []
+
+# It is also possible to add custom functions to the social auth pipeline for
+# more advanced organization and team mapping.  Use at your own risk.
+
+#def custom_social_auth_pipeline_function(backend, details, user=None, *args, **kwargs):
+#    print 'custom:', backend, details, user, args, kwargs
+
+#SOCIAL_AUTH_PIPELINE += (
+#    'awx.settings.development.custom_social_auth_pipeline_function',
+#)
+
 ###############################################################################
 # INVENTORY IMPORT TEST SETTINGS
 ###############################################################################

awx/settings/local_settings.py.example

@@ -523,8 +523,80 @@ SOCIAL_AUTH_SAML_ENABLED_IDPS = {
     #    'url': 'https://myidp.example.com/sso',
     #    'x509cert': '',
     #},
+    #'onelogin': {
+    #    'entity_id': 'https://app.onelogin.com/saml/metadata/123456',
+    #    'url': 'https://example.onelogin.com/trust/saml2/http-post/sso/123456',
+    #    'x509cert': '',
+    #    'attr_user_permanent_id': 'name_id',
+    #    'attr_first_name': 'User.FirstName',
+    #    'attr_last_name': 'User.LastName',
+    #    'attr_username': 'User.email',
+    #    'attr_email': 'User.email',
+    #},
 }
 
+SOCIAL_AUTH_ORGANIZATION_MAP = {
+    # Add all users to the default organization.
+    'Default': {
+        'users': True,
+    },
+    #'Test Org': {
+    #    'admins': ['admin@example.com'],
+    #    'users': True,
+    #},
+    #'Test Org 2': {
+    #    'admins': ['admin@example.com', re.compile(r'^tower-[^@]+*?@.*$],
+    #    'users': re.compile(r'^[^@].*?@example\.com$'),
+    #},
+}
+
+#SOCIAL_AUTH_GOOGLE_OAUTH2_ORGANIZATION_MAP = {}
+#SOCIAL_AUTH_GITHUB_ORGANIZATION_MAP = {}
+#SOCIAL_AUTH_GITHUB_ORG_ORGANIZATION_MAP = {}
+#SOCIAL_AUTH_GITHUB_TEAM_ORGANIZATION_MAP = {}
+#SOCIAL_AUTH_SAML_ORGANIZATION_MAP = {}
+
+SOCIAL_AUTH_TEAM_MAP = {
+    #'My Team': {
+    #    'organization': 'Test Org',
+    #    'users': ['re.compile(r'^[^@]+?@test\.example\.com$')'],
+    #    'remove': True,
+    #},
+    #'Other Team': {
+    #    'organization': 'Test Org 2',
+    #    'users': re.compile(r'^[^@]+?@test2\.example\.com$'),
+    #    'remove': False,
+    #},
+}
+
+#SOCIAL_AUTH_GOOGLE_OAUTH2_TEAM_MAP = {}
+#SOCIAL_AUTH_GITHUB_TEAM_MAP = {}
+#SOCIAL_AUTH_GITHUB_ORG_TEAM_MAP = {}
+#SOCIAL_AUTH_GITHUB_TEAM_TEAM_MAP = {}
+#SOCIAL_AUTH_SAML_TEAM_MAP = {}
+
+# Uncomment one or more of the lines below to prevent new user accounts from
+# being created for the selected social auth providers.  Only users who have
+# previously logged in using social auth or have a user account with a matching
+# email address will be able to login.
+
+#SOCIAL_AUTH_USER_FIELDS = []
+#SOCIAL_AUTH_GOOGLE_OAUTH2_USER_FIELDS = []
+#SOCIAL_AUTH_GITHUB_USER_FIELDS = []
+#SOCIAL_AUTH_GITHUB_ORG_USER_FIELDS = []
+#SOCIAL_AUTH_GITHUB_TEAM_USER_FIELDS = []
+#SOCIAL_AUTH_SAML_USER_FIELDS = []
+
+# It is also possible to add custom functions to the social auth pipeline for
+# more advanced organization and team mapping.  Use at your own risk.
+
+#def custom_social_auth_pipeline_function(backend, details, user=None, *args, **kwargs):
+#    print 'custom:', backend, details, user, args, kwargs
+
+#SOCIAL_AUTH_PIPELINE += (
+#    'awx.settings.development.custom_social_auth_pipeline_function',
+#)
+
 ###############################################################################
 # INVENTORY IMPORT TEST SETTINGS
 ###############################################################################

awx/settings/postprocess.py

@@ -7,10 +7,10 @@
 # settings as needed.
 
 if not AUTH_LDAP_SERVER_URI:
-    AUTHENTICATION_BACKENDS = [x for x in AUTHENTICATION_BACKENDS if x != 'awx.main.backend.LDAPBackend']
+    AUTHENTICATION_BACKENDS = [x for x in AUTHENTICATION_BACKENDS if x != 'awx.sso.backends.LDAPBackend']
 
 if not RADIUS_SERVER:
-    AUTHENTICATION_BACKENDS = [x for x in AUTHENTICATION_BACKENDS if x != 'awx.main.backend.RADIUSBackend']
+    AUTHENTICATION_BACKENDS = [x for x in AUTHENTICATION_BACKENDS if x != 'awx.sso.backends.RADIUSBackend']
 
 if not all([SOCIAL_AUTH_GOOGLE_OAUTH2_KEY, SOCIAL_AUTH_GOOGLE_OAUTH2_SECRET]):
     AUTHENTICATION_BACKENDS = [x for x in AUTHENTICATION_BACKENDS if x != 'social.backends.google.GoogleOAuth2']
@@ -28,8 +28,7 @@ if not all([SOCIAL_AUTH_SAML_SP_ENTITY_ID, SOCIAL_AUTH_SAML_SP_PUBLIC_CERT,
             SOCIAL_AUTH_SAML_SP_PRIVATE_KEY, SOCIAL_AUTH_SAML_ORG_INFO,
             SOCIAL_AUTH_SAML_TECHNICAL_CONTACT, SOCIAL_AUTH_SAML_SUPPORT_CONTACT,
             SOCIAL_AUTH_SAML_ENABLED_IDPS]):
-    AUTHENTICATION_BACKENDS = [x for x in AUTHENTICATION_BACKENDS if x != 'awx.main.backend.SAMLAuth']
+    AUTHENTICATION_BACKENDS = [x for x in AUTHENTICATION_BACKENDS if x != 'awx.sso.backends.SAMLAuth']
 
 if not AUTH_BASIC_ENABLED:
     REST_FRAMEWORK['DEFAULT_AUTHENTICATION_CLASSES'] = [x for x in REST_FRAMEWORK['DEFAULT_AUTHENTICATION_CLASSES'] if x != 'rest_framework.authentication.BasicAuthentication']
-