Social auth and SSO updates:

* Move auth backends into sso app. * Add support for mapping social auth users into organizations and teams. * Return social auth backends in a consistent order in the API. * Remove custom SAML attribute mapping and use options provided by PSA. * Add pipeline function to raise an exception if no user has been found or created; added comments on how to disable new user creation. * Add comments for defining a custom social auth pipeline function.
2026-04-01 00:05:07 -02:30 · 2015-11-08 23:52:13 -05:00
parent 9829d83839
commit cd447bed96
9 changed files with 304 additions and 35 deletions
--- a/awx/settings/local_settings.py.example
+++ b/awx/settings/local_settings.py.example
@@ -523,8 +523,80 @@ SOCIAL_AUTH_SAML_ENABLED_IDPS = {
    #    'url': 'https://myidp.example.com/sso',
    #    'x509cert': '',
    #},
+    #'onelogin': {
+    #    'entity_id': 'https://app.onelogin.com/saml/metadata/123456',
+    #    'url': 'https://example.onelogin.com/trust/saml2/http-post/sso/123456',
+    #    'x509cert': '',
+    #    'attr_user_permanent_id': 'name_id',
+    #    'attr_first_name': 'User.FirstName',
+    #    'attr_last_name': 'User.LastName',
+    #    'attr_username': 'User.email',
+    #    'attr_email': 'User.email',
+    #},
 }

+SOCIAL_AUTH_ORGANIZATION_MAP = {
+    # Add all users to the default organization.
+    'Default': {
+        'users': True,
+    },
+    #'Test Org': {
+    #    'admins': ['admin@example.com'],
+    #    'users': True,
+    #},
+    #'Test Org 2': {
+    #    'admins': ['admin@example.com', re.compile(r'^tower-[^@]+*?@.*$],
+    #    'users': re.compile(r'^[^@].*?@example\.com$'),
+    #},
+}
+
+#SOCIAL_AUTH_GOOGLE_OAUTH2_ORGANIZATION_MAP = {}
+#SOCIAL_AUTH_GITHUB_ORGANIZATION_MAP = {}
+#SOCIAL_AUTH_GITHUB_ORG_ORGANIZATION_MAP = {}
+#SOCIAL_AUTH_GITHUB_TEAM_ORGANIZATION_MAP = {}
+#SOCIAL_AUTH_SAML_ORGANIZATION_MAP = {}
+
+SOCIAL_AUTH_TEAM_MAP = {
+    #'My Team': {
+    #    'organization': 'Test Org',
+    #    'users': ['re.compile(r'^[^@]+?@test\.example\.com$')'],
+    #    'remove': True,
+    #},
+    #'Other Team': {
+    #    'organization': 'Test Org 2',
+    #    'users': re.compile(r'^[^@]+?@test2\.example\.com$'),
+    #    'remove': False,
+    #},
+}
+
+#SOCIAL_AUTH_GOOGLE_OAUTH2_TEAM_MAP = {}
+#SOCIAL_AUTH_GITHUB_TEAM_MAP = {}
+#SOCIAL_AUTH_GITHUB_ORG_TEAM_MAP = {}
+#SOCIAL_AUTH_GITHUB_TEAM_TEAM_MAP = {}
+#SOCIAL_AUTH_SAML_TEAM_MAP = {}
+
+# Uncomment one or more of the lines below to prevent new user accounts from
+# being created for the selected social auth providers.  Only users who have
+# previously logged in using social auth or have a user account with a matching
+# email address will be able to login.
+
+#SOCIAL_AUTH_USER_FIELDS = []
+#SOCIAL_AUTH_GOOGLE_OAUTH2_USER_FIELDS = []
+#SOCIAL_AUTH_GITHUB_USER_FIELDS = []
+#SOCIAL_AUTH_GITHUB_ORG_USER_FIELDS = []
+#SOCIAL_AUTH_GITHUB_TEAM_USER_FIELDS = []
+#SOCIAL_AUTH_SAML_USER_FIELDS = []
+
+# It is also possible to add custom functions to the social auth pipeline for
+# more advanced organization and team mapping.  Use at your own risk.
+
+#def custom_social_auth_pipeline_function(backend, details, user=None, *args, **kwargs):
+#    print 'custom:', backend, details, user, args, kwargs
+
+#SOCIAL_AUTH_PIPELINE += (
+#    'awx.settings.development.custom_social_auth_pipeline_function',
+#)
+
 ###############################################################################
 # INVENTORY IMPORT TEST SETTINGS
 ###############################################################################