Managed objects (#519)

* managed: add base manager and Ops * core: use ManagedModel for Token and PropertyMapping * providers/saml: implement managed objects for SAML Provider * sources/ldap: migrate to managed * providers/oauth2: migrate to managed * providers/proxy: migrate to managed * *: load .managed in apps * managed: add reconcile task, run on startup * providers/oauth2: fix import path for managed * providers/saml: don't set FriendlyName when mapping is none * *: use ObjectManager in tests to ensure objects exist * ci: use vmImage ubuntu-latest * providers/saml: add new mapping for username and user id * tests: remove docker proxy * tests/e2e: use updated attribute names * docs: update SAML docs * tests/e2e: fix remaining saml cases * outposts: make tokens as managed * *: make PropertyMapping SerializerModel * web: add page for property-mappings * web: add codemirror to common_styles because codemirror * docs: fix member-of in nextcloud * docs: nextcloud add admin * web: fix refresh reloading data two times * web: add loading lock to table to prevent double loads * web: add ability to use null in QueryArgs (value will be skipped) * web: add hide option to property mappings * web: fix linting
2021-02-03 21:18:31 +01:00
parent f8f26d2a23
commit e25d03d8f4
71 changed files with 1014 additions and 284 deletions
--- a/website/docs/integrations/services/nextcloud/index.md
+++ b/website/docs/integrations/services/nextcloud/index.md
@ -42,7 +42,7 @@ In NextCloud, navigate to `Settings`, then `SSO & SAML Authentication`.

 Set the following values:

- Attribute to map the UID to.: `urn:oid:2.16.840.1.113730.3.1.241`
+- Attribute to map the UID to.: `http://schemas.goauthentik.io/2021/02/saml/username`
 - Optional display name of the identity provider (default: "SSO & SAML log in"): `authentik`
 - Identifier of the IdP entity (must be a URI): `https://authentik.company`
 - URL Target of the IdP where the SP will send the Authentication Request Message: `https://authentik.company/application/saml/<application-slug>/sso/binding/redirect/`
@ -50,9 +50,9 @@ Set the following values:

 Under Attribute mapping, set these values:

- Attribute to map the displayname to.: `urn:oid:2.5.4.3`
- Attribute to map the email address to.: `urn:oid:0.9.2342.19200300.100.1.3`
- Attribute to map the users groups to.: `member-of`
+- Attribute to map the displayname to.: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name`
+- Attribute to map the email address to.: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress`
+- Attribute to map the users groups to.: `http://schemas.xmlsoap.org/claims/Group`

 ## Group Quotas

@ -61,3 +61,18 @@ Create a group for each different level of quota you want users to have. Set a c
 Afterwards, create a custom SAML Property Mapping with the name `SAML NextCloud Quota`.
 Set the *SAML Name* to `nextcloud_quota`.
 Set the *Expression* to `return user.group_attributes.get("nextcloud_quota", "1 GB")`, where `1 GB` is the default value for users that don't belong to another group (or have another value set).
+
+## Admin Group
+
+To give authentik users admin access to your NextCloud instance, you need to create a custom Property Mapping that maps an authentik group to "admin". It has to be mapped to "admin" as this is static in NextCloud and cannot be changed.
+
+Create a SAML Property mapping with the SAML Name "http://schemas.xmlsoap.org/claims/Group" and this expression:
+
+```python
+for group in user.ak_groups.all():
+    yield group.name
+if ak_is_group_member(request.user, name="<authentik nextcloud admin group's name>"):
+    yield "admin"
+```
+
+Then, edit the NextCloud SAML Provider, and replace the default Groups mapping with the one you've created above.