
auth.admin.saml.groovy-permission-mapper

Specify the location of the Groovy class which maps SAML users to their permissions.

Key: auth.admin.saml.groovy-permission-mapper
Type: File
Can be set in: global.cfg

Description

Sets the path to a Groovy script that maps the SAML credentials provided by the identity provider to objects representing Funnelback users.

The following example script is deliberately simple: it loads the 'admin.ini' file for all valid SAML users, so every user the identity provider authenticates is treated as an admin. In practice a script would likely interrogate the given SAMLCredential and load or create a suitable user object that grants permissions appropriate for the user.

import com.funnelback.springmvc.api.config.security.saml.SamlFunnelbackUserMapper;
import org.springframework.security.saml.SAMLCredential;
import com.funnelback.springmvc.api.config.security.user.model.FunnelbackUser;
import com.funnelback.springmvc.api.config.security.user.service.FunnelbackUserDetailsService;

import java.io.File

import org.springframework.security.core.userdetails.UsernameNotFoundException;

public class ExampleGroovySamlFunnelbackUserMapper 
        implements SamlFunnelbackUserMapper {

    public FunnelbackUser getSAMLDerivedUser(
        SAMLCredential credential,
        FunnelbackUserDetailsService funnelbackUserDetailsService,
        File searchHome)
            throws UsernameNotFoundException {
        // Treat all valid SAML users as admins
        FunnelbackUser user = funnelbackUserDetailsService
                                .loadUserByUsername("admin");

        // Ensure we don't let them try to change passwords etc.
        user = user.withIsLocallyAuthenticated(false);

        return user;
    }
}

The file containing the script can be located anywhere, as long as it is readable by the Funnelback Jetty web server. Further detail about the provided SAMLCredential object is available in the Spring Security SAML documentation.
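
The following mapper is an added example, not part of the Funnelback documentation or product code. It shows a script that interrogates the SAMLCredential and denies by default instead of treating every valid SAML user as an admin. The attribute name "groups", the group names, the "editor" user, and the assumption that Funnelback rejects the login when UsernameNotFoundException is thrown are all hypothetical and must be checked against your identity provider and installation.

```groovy
import com.funnelback.springmvc.api.config.security.saml.SamlFunnelbackUserMapper
import com.funnelback.springmvc.api.config.security.user.model.FunnelbackUser
import com.funnelback.springmvc.api.config.security.user.service.FunnelbackUserDetailsService
import org.springframework.security.core.userdetails.UsernameNotFoundException
import org.springframework.security.saml.SAMLCredential

public class GroupBasedSamlFunnelbackUserMapper
        implements SamlFunnelbackUserMapper {

    // Assumption: the IdP releases group membership in an attribute
    // named "groups". Use the name your IdP actually sends.
    private static final String GROUP_ATTRIBUTE = "groups"

    // Assumption: hypothetical IdP group names mapped to Funnelback users
    // that already exist, listed from most to least privileged.
    private static final Map<String, String> GROUP_TO_USER = [
        "funnelback-admins" : "admin",
        "funnelback-editors": "editor",   // hypothetical restricted user
    ]

    public FunnelbackUser getSAMLDerivedUser(
        SAMLCredential credential,
        FunnelbackUserDetailsService funnelbackUserDetailsService,
        File searchHome)
            throws UsernameNotFoundException {
        // Returns null when the assertion carries no such attribute.
        String[] groups = credential.getAttributeAsStringArray(GROUP_ATTRIBUTE)
        Set<String> asserted = (groups ?: []) as Set

        // First matching entry wins; a Groovy map literal keeps insertion order.
        String username = GROUP_TO_USER.find { asserted.contains(it.key) }?.value
        if (username == null) {
            // Deny by default: being valid at the IdP does not imply access here.
            throw new UsernameNotFoundException(
                "No Funnelback mapping for SAML user "
                    + credential.getNameID()?.getValue())
        }

        FunnelbackUser user =
            funnelbackUserDetailsService.loadUserByUsername(username)

        // As in the example above: no local password changes for SAML users.
        return user.withIsLocallyAuthenticated(false)
    }
}
```

Only map to the "admin" user from a group whose membership is tightly controlled at the identity provider, since the mapper trusts the asserted attribute as-is.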

⚠ Caveats

This setting requires Jetty to be restarted to take effect.

v15.16.0