Assign group automatically for eduGAIN identities depending on IdP

No, taking groups from login tokens is not something that’s supported in Indico - mainly because typically sessions are long-lived and group membership may change. Also, IIRC some places in the codebase assume that group membership is available “on the fly” and not only in the context of a logged-in user.

FWIW, as long as the email or identifier of the user can be used to determine whether they can do something, you could somewhat easily use a plugin to populate a local group based on this. Here’s a snippet from a custom plugin I wrote some time ago that does exactly that:

```python
from wtforms_sqlalchemy.fields import QuerySelectField

from indico.core import signals
from indico.core.plugins import IndicoPlugin
from indico.core.settings.converters import ModelConverter
from indico.modules.groups.models.groups import LocalGroup
from indico.web.forms.base import IndicoForm


class SettingsForm(IndicoForm):
    # Lets the admin pick which local group SSO users are added to
    sso_group = QuerySelectField('XXX Users Group', allow_blank=True,
                                 query_factory=lambda: LocalGroup.query, get_label='name',
                                 description='The group to which anyone logging in with a XXX account is added.')


class XXXPlugin(IndicoPlugin):
    """XXX

    Provides utilities for XXX Indico
    """

    configurable = True
    settings_form = SettingsForm
    default_settings = {
        'sso_group': None,
    }
    # Store the group as a reference to the LocalGroup model, not a raw id
    settings_converters = {
        'sso_group': ModelConverter(LocalGroup),
    }

    def init(self):
        super().init()
        # Run _user_logged_in every time a user logs in
        self.connect(signals.users.logged_in, self._user_logged_in)

    def _user_logged_in(self, user, identity, admin_impersonation, **kwargs):
        # Don't touch group membership when an admin impersonates a user
        if admin_impersonation:
            return
        group = self.settings.get('sso_group')
        if not group:
            return
        # Only identities from the SSO provider with a matching domain qualify
        if identity.provider == 'shib-sso' and identity.identifier.endswith('@XXX.ch'):
            group.members.add(user)
```

Passing the eduPersonScopedAffiliation to Indico and thus your plugin would probably be tricky though. I think the easiest option would be creating your own multipass backend inheriting from the default saml/shibboleth one and including this in the multipass_data (which you could then access in your plugin via the multipass_data on the user’s Identity).

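As an added, stand-alone example (not the poster's plugin and not Indico code), this is the decision logic such a plugin could apply once eduPersonScopedAffiliation is available in multipass_data: it maps the IdP the user came from and the affiliations it asserted to local group names, and ignores affiliations scoped to a different institution than the IdP. It assumes a hypothetical `GROUP_RULES` mapping, an eppn-style identifier scoped to the IdP, and a minimal `Identity` stand-in for the object Indico passes to the `logged_in` signal.

```python
from dataclasses import dataclass, field


@dataclass
class Identity:
    """Minimal stand-in for the Identity object Indico passes to logged_in."""
    provider: str
    identifier: str
    multipass_data: dict = field(default_factory=dict)


# Hypothetical rules: per IdP scope, '*' applies to every login from that
# IdP (like the post's plugin); other keys are eduPersonScopedAffiliation
# values ('member', 'staff', ...) that map to further local groups.
GROUP_RULES = {
    'xxx.ch': {'*': 'XXX Users', 'staff': 'XXX Staff'},
}


def parse_scoped_affiliations(raw):
    """Split 'member@xxx.ch;staff@xxx.ch' into (affiliation, scope) pairs."""
    pairs = []
    for item in (raw or '').split(';'):
        item = item.strip().lower()
        if '@' not in item:
            # Unscoped values cannot be attributed to any IdP; drop them
            continue
        aff, scope = item.rsplit('@', 1)
        if aff and scope:
            pairs.append((aff, scope))
    return pairs


def groups_for_identity(identity, rules=GROUP_RULES):
    """Return the local group names a freshly logged-in identity should join."""
    if identity.provider != 'shib-sso' or '@' not in identity.identifier:
        return set()
    idp_scope = identity.identifier.rsplit('@', 1)[1].lower()
    scope_rules = rules.get(idp_scope, {})
    wanted = {scope_rules['*']} if '*' in scope_rules else set()
    raw = identity.multipass_data.get('eduPersonScopedAffiliation')
    for aff, scope in parse_scoped_affiliations(raw):
        # Honour only affiliations scoped to the IdP the user came from;
        # an IdP asserting another institution's scope is not authoritative.
        if scope != idp_scope:
            continue
        if aff in scope_rules:
            wanted.add(scope_rules[aff])
    return wanted
```

The plugin's `_user_logged_in` would call `groups_for_identity(identity)` and add the user to each returned local group instead of checking a single hardcoded domain.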