add feature to use saml and ldap groups in parallel #456
Hello,
I opened a similar PR 2 years ago, but no new features were added at that time. We kept a fork of cf-mgmt for the last two years and I recently saw that there were a lot of changes in cf-mgmt upstream. I just integrated the changes into our fork and wanted to talk about a possible integration of our "feature" again. Maybe it is of interest now.
We are a user of VMware Tanzu Application Service and are using LDAP as well as SAML in a way that cf-mgmt does not support at the moment.
The problem:
We use ldap_groups to create our human users in uaa. When utilizing the ldap_groups attribute, the groups are read via ldap and users are created with saml origin when we configure saml. This works well for human users, as we need SAML and MFA there, but it does not work for our centrally managed service users (local uaa users are no longer allowed due to compliance issues). It would be possible to add the service users via the ldap_users attribute, but we wanted to use groups for our service users, too.
Our solution:
We added new attributes: ldapOrigin, additionally to origin, in the ldap config, and saml_groups for spaceconfig/orgconfig.
If ldapOrigin is given, cf-mgmt runs in ldap AND saml group mode. If not, everything works in a downwards-compatible way.
ldap AND saml group mode makes it possible to provide saml_groups (groups are read via ldap but users are created with saml origin) and ldap_groups (groups are read via ldap and users are created with ldap origin).
In addition we added saml and ldap user filters. Basically a regex to determine which users in the group should be created.
Are you interested in adding this feature or is the use case too special?
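To make the two modes described above concrete, here is an added Go example. It is not code from this PR or from the cf-mgmt project: the struct and function names (GroupConfig, Filters, ResolveUsers), the in-memory directory standing in for LDAP, and the choice that the ldap user filter applies to ldap_groups members and the saml user filter to saml_groups members are all my assumptions. What it shows is the one decision the feature hinges on: with ldapOrigin unset, every group member gets the single configured origin (old behaviour); with ldapOrigin set, ldap_groups members get ldapOrigin while saml_groups members keep the saml origin, and the regex filters decide who is created at all.

```go
package main

import (
	"fmt"
	"regexp"
)

// Origin names the UAA identity provider a user is created under.
type Origin string

const (
	OriginLDAP Origin = "ldap"
	OriginSAML Origin = "saml"
)

// GroupConfig is an assumed, simplified stand-in for the ldap_groups and
// saml_groups attributes of a cf-mgmt org/space config; field names are mine.
type GroupConfig struct {
	LDAPGroups []string // members created with the LDAP origin (parallel mode)
	SAMLGroups []string // members read via LDAP but created with the SAML origin
}

// Filters holds the optional regexes that decide which group members are
// created at all. An empty filter accepts every member.
type Filters struct {
	LDAPUserFilter string
	SAMLUserFilter string
}

// User is the resolved result: a username plus the origin it gets in UAA.
type User struct {
	Name   string
	Origin Origin
}

// compileFilter turns an optional regex into a matcher; "" matches everything.
func compileFilter(expr string) (func(string) bool, error) {
	if expr == "" {
		return func(string) bool { return true }, nil
	}
	re, err := regexp.Compile(expr)
	if err != nil {
		return nil, fmt.Errorf("invalid user filter %q: %w", expr, err)
	}
	return re.MatchString, nil
}

// ResolveUsers models the two modes the PR describes. directory is a constructed
// stand-in for the LDAP server (group name -> member names). origin is the value
// of the existing `origin` setting; ldapOrigin is the new `ldapOrigin` setting.
//
//   - ldapOrigin == "": backward-compatible mode. Every member of every group is
//     created with `origin`, exactly as before the feature.
//   - ldapOrigin != "": parallel mode. ldap_groups members get ldapOrigin and
//     saml_groups members get origin. Which filter applies to which group list
//     is my assumption; the PR text does not spell it out.
func ResolveUsers(directory map[string][]string, cfg GroupConfig, f Filters, origin, ldapOrigin Origin) ([]User, error) {
	ldapOK, err := compileFilter(f.LDAPUserFilter)
	if err != nil {
		return nil, err
	}
	samlOK, err := compileFilter(f.SAMLUserFilter)
	if err != nil {
		return nil, err
	}

	ldapGroupOrigin := origin // old behaviour: one origin for everything
	if ldapOrigin != "" {
		ldapGroupOrigin = ldapOrigin
	}

	seen := map[User]bool{} // dedupe on (name, origin)
	var out []User
	collect := func(groups []string, keep func(string) bool, o Origin) error {
		for _, g := range groups {
			members, ok := directory[g]
			if !ok {
				return fmt.Errorf("group %q not found in directory", g)
			}
			for _, m := range members {
				u := User{Name: m, Origin: o}
				if keep(m) && !seen[u] {
					seen[u] = true
					out = append(out, u)
				}
			}
		}
		return nil
	}
	if err := collect(cfg.LDAPGroups, ldapOK, ldapGroupOrigin); err != nil {
		return nil, err
	}
	if err := collect(cfg.SAMLGroups, samlOK, origin); err != nil {
		return nil, err
	}
	return out, nil
}

// SampleDirectory is a constructed LDAP stand-in: two groups, one member shared.
var SampleDirectory = map[string][]string{
	"cf-admins":           {"alice", "bob", "svc-deploy"},
	"cf-service-accounts": {"svc-deploy", "svc-backup"},
}

func main() {
	cfg := GroupConfig{LDAPGroups: []string{"cf-service-accounts"}, SAMLGroups: []string{"cf-admins"}}
	f := Filters{LDAPUserFilter: "^svc-", SAMLUserFilter: "^[a-z]+$"}
	for _, mode := range []Origin{"", OriginLDAP} {
		users, err := ResolveUsers(SampleDirectory, cfg, f, OriginSAML, mode)
		if err != nil {
			panic(err)
		}
		fmt.Printf("ldapOrigin=%q -> %v\n", mode, users)
	}
}
```

Running it shows the difference that matters for the compliance case in the description: with ldapOrigin unset, svc-deploy and svc-backup come out with saml origin (and so would need an interactive SAML/MFA login), while with ldapOrigin set they come out with ldap origin and the human admins still get saml. The svc-deploy entry in cf-admins is dropped by the saml filter, so a service account listed in a human group does not silently get a second identity.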