From 4318ffdd468e437d832d0b56abd7161edba022c0 Mon Sep 17 00:00:00 2001
From: Michael Mandrus <41969079+mmandrus@users.noreply.github.com>
Date: Fri, 8 Apr 2022 18:47:07 -0400
Subject: [PATCH] SAML: Allow disabling of SAML signups (#47481)

* Add new error message for signup not allowed errors

* Add documentation on new SAML signup option

* Accept documentation feedback

Co-authored-by: achatterjee-grafana <70489351+achatterjee-grafana@users.noreply.github.com>

* Accept documentation feedback

Co-authored-by: achatterjee-grafana <70489351+achatterjee-grafana@users.noreply.github.com>

* run prettier:write

Co-authored-by: achatterjee-grafana <70489351+achatterjee-grafana@users.noreply.github.com>
---
 docs/sources/enterprise/saml.md | 5 +++++
 pkg/services/login/login.go | 1 +
 pkg/services/login/loginservice/loginservice.go | 2 +-
 3 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/docs/sources/enterprise/saml.md b/docs/sources/enterprise/saml.md
index 903af76fc9c..3e4c695d9f2 100644
--- a/docs/sources/enterprise/saml.md
+++ b/docs/sources/enterprise/saml.md
@@ -46,6 +46,7 @@ The table below describes all SAML configuration options. Continue reading below
 | ---------------------------------------------------------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------- |
 | `enabled` | No | Whether SAML authentication is allowed | `false` |
 | `single_logout` | No | Whether SAML Single Logout enabled | `false` |
+| `allow_sign_up` | No | Whether to allow new Grafana user creation through SAML login. If set to `false`, then only existing Grafana users can log in with SAML. | `true` |
 | `allow_idp_initiated` | No | Whether SAML IdP-initiated login is allowed | `false` |
 | `certificate` or `certificate_path` | Yes | Base64-encoded string or Path for the SP X.509 certificate | |
 | `private_key` or `private_key_path` | Yes | Base64-encoded string or Path for the SP private key | |
@@ -142,6 +143,10 @@ For Grafana to map the user information, it looks at the individual attributes w
 
 Grafana provides configuration options that let you modify which keys to look at for these values. The data we need to create the user in Grafana is Name, Login handle, and email.
 
+### Allow new user signups
+
+By default, new Grafana users using SAML authentication will have an account created for them automatically. To decouple authentication and account creation and ensure only users with existing accounts can log in with SAML, set the `allow_sign_up` option to false.
+
 ### Configure team sync
 
 > Team sync support for SAML only available in Grafana v7.0+
diff --git a/pkg/services/login/login.go b/pkg/services/login/login.go
index c698ee55dbe..18b5381e552 100644
--- a/pkg/services/login/login.go
+++ b/pkg/services/login/login.go
@@ -11,6 +11,7 @@ var (
 ErrInvalidCredentials = errors.New("invalid username or password")
 ErrUsersQuotaReached = errors.New("users quota reached")
 ErrGettingUserQuota = errors.New("error getting user quota")
+ ErrSignupNotAllowed = errors.New("system administrator has disabled signup")
 )
 
 type TeamSyncFunc func(user *models.User, externalUser *models.ExternalUserInfo) error
diff --git a/pkg/services/login/loginservice/loginservice.go b/pkg/services/login/loginservice/loginservice.go
index a8f4f30837b..ae82f81317e 100644
--- a/pkg/services/login/loginservice/loginservice.go
+++ b/pkg/services/login/loginservice/loginservice.go
@@ -56,7 +56,7 @@ func (ls *Implementation) UpsertUser(ctx context.Context, cmd *models.UpsertUser
 }
 if !cmd.SignupAllowed {
 cmd.ReqContext.Logger.Warn("Not allowing login, user not found in internal user database and allow signup = false", "authmode", extUser.AuthModule)
- return login.ErrInvalidCredentials
+ return login.ErrSignupNotAllowed
 }
 limitReached, err := ls.QuotaService.QuotaReached(cmd.ReqContext, "user")
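Review bot: `ErrSignupNotAllowed` is exported without a doc comment, and none of the neighbouring sentinels in this `var (` block show one either, so its contract is only recoverable from the message string; I would add `// ErrSignupNotAllowed is returned when an externally authenticated user has no Grafana account and signup is disabled for that auth module.` above the new line. The sibling hunk in loginservice.go stops returning `login.ErrInvalidCredentials` for this case, so any caller that picks the login-page response by comparing against `ErrInvalidCredentials` will now see an error it does not recognise, and this patch shows no such call site being updated; it is worth confirming that the HTTP/auth layer maps `ErrSignupNotAllowed` to a login-failure response (matched with `errors.Is` rather than `==`) instead of falling through to a generic server error. Because the user has already been authenticated by the IdP at that point, telling them that signup is disabled discloses nothing the IdP has not already vouched for, so the more specific message is reasonable from a disclosure standpoint.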