SAML: Allow disabling of SAML signups (#47481)

* Add new error message for signup not allowed errors

* Add documentation on new SAML signup option

* Accept documentation feedback

Co-authored-by: achatterjee-grafana <70489351+achatterjee-grafana@users.noreply.github.com>

* Accept documentation feedback

Co-authored-by: achatterjee-grafana <70489351+achatterjee-grafana@users.noreply.github.com>

* run prettier:write

Co-authored-by: achatterjee-grafana <70489351+achatterjee-grafana@users.noreply.github.com>
Michael Mandrus 2022-04-08 18:47:07 -04:00 committed by GitHub
parent 99bb6ebd2b
commit 4318ffdd46
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 7 additions and 1 deletions


@ -46,6 +46,7 @@ The table below describes all SAML configuration options. Continue reading below
| ---------------------------------------------------------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------- |
| `enabled` | No | Whether SAML authentication is allowed | `false` |
| `single_logout` | No | Whether SAML Single Logout enabled | `false` |
| `allow_sign_up` | No | Whether to allow new Grafana user creation through SAML login. If set to `false`, then only existing Grafana users can log in with SAML. | `true` |
| `allow_idp_initiated` | No | Whether SAML IdP-initiated login is allowed | `false` |
| `certificate` or `certificate_path` | Yes | Base64-encoded string or Path for the SP X.509 certificate | |
| `private_key` or `private_key_path` | Yes | Base64-encoded string or Path for the SP private key | |
@ -142,6 +143,10 @@ For Grafana to map the user information, it looks at the individual attributes w
Grafana provides configuration options that let you modify which keys to look at for these values. The data we need to create the user in Grafana is Name, Login handle, and email.
### Allow new user signups
By default, new Grafana users using SAML authentication will have an account created for them automatically. To decouple authentication and account creation and ensure only users with existing accounts can log in with SAML, set the `allow_sign_up` option to false.
### Configure team sync
> Team sync support for SAML only available in Grafana v7.0+


@ -11,6 +11,7 @@ var (
ErrInvalidCredentials = errors.New("invalid username or password")
ErrUsersQuotaReached = errors.New("users quota reached")
ErrGettingUserQuota = errors.New("error getting user quota")
ErrSignupNotAllowed = errors.New("system administrator has disabled signup")
)
type TeamSyncFunc func(user *models.User, externalUser *models.ExternalUserInfo) error
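Review bot: The new exported sentinel `ErrSignupNotAllowed` has no doc comment, and because its text is what the login flow will now report instead of the generic credentials error, a reader of the var block cannot tell from this line when it is produced. Add above it `// ErrSignupNotAllowed is returned when an externally authenticated user has no Grafana account and the auth provider's allow_sign_up option is false.`. The neighbouring sentinels in this block are undocumented too, but this one changes an existing failure path, so it is the one worth explaining; any code that previously matched `ErrInvalidCredentials` for that path now needs `errors.Is(err, ErrSignupNotAllowed)` as well.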


@ -56,7 +56,7 @@ func (ls *Implementation) UpsertUser(ctx context.Context, cmd *models.UpsertUser
}
if !cmd.SignupAllowed {
cmd.ReqContext.Logger.Warn("Not allowing login, user not found in internal user database and allow signup = false", "authmode", extUser.AuthModule)
return login.ErrInvalidCredentials
return login.ErrSignupNotAllowed
}
limitReached, err := ls.QuotaService.QuotaReached(cmd.ReqContext, "user")
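Review bot: Swapping `login.ErrInvalidCredentials` for `login.ErrSignupNotAllowed` on the signup-disabled branch changes the value that propagates out of UpsertUser, but nothing in this hunk shows the callers that translate that sentinel into an HTTP status or user-facing message being updated; if a caller still compares only against `login.ErrInvalidCredentials` (likely, since that was the previous contract), the new error would presumably fall through to whatever generic handling it has. Worth confirming that every such site uses `errors.Is(err, login.ErrSignupNotAllowed)` and maps it to the same client-visible status as the old path. Returning a distinct error here appears safe from an account-enumeration standpoint, because the branch is only reached for an identity the external auth module has already asserted (the Warn on the line above records `extUser.AuthModule`), but that assumption should be stated in a comment on the branch, e.g. `// Identity is already asserted by the auth module; a distinct error here does not reveal account existence to an unauthenticated client.`. UpsertUser begins before this hunk and continues past it.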