apitech
/
grafana
mirror of https://github.com/grafana/grafana
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

SAML: Allow disabling of SAML signups (#47481)

Browse Source 
* Add new error message for signup not allowed errors

* Add documentation on new SAML signup option

* Accept documentation feedback

Co-authored-by: achatterjee-grafana <70489351+achatterjee-grafana@users.noreply.github.com>

* Accept documentation feedback

Co-authored-by: achatterjee-grafana <70489351+achatterjee-grafana@users.noreply.github.com>

* run prettier:write

Co-authored-by: achatterjee-grafana <70489351+achatterjee-grafana@users.noreply.github.com>
pull/45954/merge
Michael Mandrus 4 years ago committed by GitHub
parent 99bb6ebd2b
commit 4318ffdd46
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 7 additions and 1 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 5
      docs/sources/enterprise/saml.md
  2. 1
      pkg/services/login/login.go
  3. 2
      pkg/services/login/loginservice/loginservice.go

5
docs/sources/enterprise/saml.md
Unescape View File

@ -46,6 +46,7 @@ The table below describes all SAML configuration options. Continue reading below
| ---------------------------------------------------------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------- |
| `enabled` | No | Whether SAML authentication is allowed | `false` |
| `single_logout` | No | Whether SAML Single Logout enabled | `false` |
| `allow_sign_up` | No | Whether to allow new Grafana user creation through SAML login. If set to `false`, then only existing Grafana users can log in with SAML. | `true` |
| `allow_idp_initiated` | No | Whether SAML IdP-initiated login is allowed | `false` |
| `certificate` or `certificate_path` | Yes | Base64-encoded string or Path for the SP X.509 certificate | |
| `private_key` or `private_key_path` | Yes | Base64-encoded string or Path for the SP private key | |
@ -142,6 +143,10 @@ For Grafana to map the user information, it looks at the individual attributes w
Grafana provides configuration options that let you modify which keys to look at for these values. The data we need to create the user in Grafana is Name, Login handle, and email.
### Allow new user signups
By default, new Grafana users using SAML authentication will have an account created for them automatically. To decouple authentication and account creation and ensure only users with existing accounts can log in with SAML, set the `allow_sign_up` option to false.
### Configure team sync
> Team sync support for SAML only available in Grafana v7.0+

1
pkg/services/login/login.go
Unescape View File

@ -11,6 +11,7 @@ var (
ErrInvalidCredentials = errors.New("invalid username or password")
ErrUsersQuotaReached = errors.New("users quota reached")
ErrGettingUserQuota = errors.New("error getting user quota")
ErrSignupNotAllowed = errors.New("system administrator has disabled signup")
)
type TeamSyncFunc func(user *models.User, externalUser *models.ExternalUserInfo) error

2
pkg/services/login/loginservice/loginservice.go
Unescape View File

@ -56,7 +56,7 @@ func (ls *Implementation) UpsertUser(ctx context.Context, cmd *models.UpsertUser
}
if !cmd.SignupAllowed {
cmd.ReqContext.Logger.Warn("Not allowing login, user not found in internal user database and allow signup = false", "authmode", extUser.AuthModule)
return login.ErrInvalidCredentials
return login.ErrSignupNotAllowed
}
limitReached, err := ls.QuotaService.QuotaReached(cmd.ReqContext, "user")

Write Preview
Loading…
Cancel
Save