TrueCommand and SAML

obsidiangroup

Dabbler
Joined
Oct 4, 2022
Messages
19
I understand that SAML is still early in development. I am using authentik as identity provider. I have gotten everything set up, and when I select 'SAML Login', it directs me to the SSO for sign-in; after signing in, it returns to TrueCommand, which asks me if I want to create a new user, but has no information. What attributes does TrueCommand expect? Also, is there something specific that should be set for Audience?

When I check the logs from authentik, authentik is sending the information back to TrueCommand to create a user, but TrueCommand isn't interpreting it.


I can provide logs if needed.

Also, seeing where TrueNAS got its roots, and the open-source movement, are there plans for supporting open-source IDPs? The documentation currently only covers Active Directory or Google. Ensuring that your SAML implementation works with other standards-based IDPs would be nice. I am in no way advocating for authentik over Keycloak over Authelia, but rather, ensuring that the documentation and the software work with other SSO solutions.
 

ZWelch

iXsystems
Joined
Oct 11, 2022
Messages
3
Thanks for your feedback and patience with SAML. In theory we work with any IDP with the right settings. Seeing that you got as far as user creation, what you most likely need to configure are the attributes. Here's the attribute matching:

Username -> unique_name
Full Name -> given_name OR display_name
Email -> mail OR email
Role -> title
Phone Number -> telephone_number

Hopefully that helps. With enough demand and/or a Jira ticket, we can look into other IDPs and configuration options for 2.3. Currently there are no changes planned here. We don't have any plans for further documents either, but the one for Google hopefully abstracts to other providers, including authentik, although those two are the only ones we test against.
 

obsidiangroup

Dabbler
Joined
Oct 4, 2022
Messages
19
Are there specific URN OIDs, or will just mapping 'mail', etc work?
 

obsidiangroup

Dabbler
Joined
Oct 4, 2022
Messages
19
Well, setting the SAML mappings worked. I'd really hope you would consider supporting configurations and testing against at least one open-source provider, not necessarily authentik. I will submit a PR to the goauthentik.io website with an integration for TrueCommand so others can benefit.

I do have a question though. Are there any SAML attributes / group memberships that can be set for a user so when they connect the first time, if they are a member of a group, they will automatically have administrator access, and a way to automatically assign access to a system?
 

ZWelch

iXsystems
Joined
Oct 11, 2022
Messages
3
No OIDs. We're strongly considering adding authentik support in the next release. There is no group or additional attribute support for SAML yet, as there is for LDAP groups, but we're looking at unifying the group structure for all of these, where SAML support will be available as well. Groups, perms, and system mapping, in that order of likelihood.
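The two iXsystems replies above give the attribute names TrueCommand maps (unique_name, given_name or display_name, mail or email, title, telephone_number) and say that urn:oid: forms are not recognised. A quick way to see what the service provider would actually get out of an IDP's response is to dump the AttributeStatement and map it onto those fields. The script below is an added example written for this thread, not TrueCommand or authentik code. The SP audience URL, the user data and both Response documents are constructed and unsigned, so it only inspects attribute names and the Audience element and performs no signature or timestamp validation; treating Username as the only field required for user creation is an assumption, since the thread does not say which fields are mandatory.

```python
"""Inspect a SAML Response and map its attributes onto TrueCommand's fields.

Added example for this thread (not TrueCommand/authentik code). The samples
are constructed and unsigned: no signature or validity-period checks here.
"""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape, quoteattr

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# TrueCommand field -> accepted attribute names, in preference order
# (from the iXsystems reply: plain names, no urn:oid: forms).
TRUECOMMAND_FIELDS = {
    "username": ("unique_name",),
    "full_name": ("given_name", "display_name"),
    "email": ("mail", "email"),
    "role": ("title",),
    "phone": ("telephone_number",),
}
REQUIRED_FIELDS = ("username",)  # assumption: not stated in the thread


def saml_attributes(response_xml: str) -> dict[str, list[str]]:
    """Return {attribute Name: [values]} from every AttributeStatement."""
    root = ET.fromstring(response_xml)
    attrs: dict[str, list[str]] = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS) if v.text]
        attrs.setdefault(attr.get("Name", ""), []).extend(values)
    return attrs


def saml_audiences(response_xml: str) -> list[str]:
    """Return every Audience listed under Conditions/AudienceRestriction."""
    root = ET.fromstring(response_xml)
    return [a.text.strip() for a in root.iterfind(".//saml:AudienceRestriction/saml:Audience", NS) if a.text]


def map_to_truecommand(attrs: dict[str, list[str]]) -> tuple[dict[str, str], list[str]]:
    """Pick the first accepted name per field; return (mapped, missing fields)."""
    mapped: dict[str, str] = {}
    missing: list[str] = []
    for field, names in TRUECOMMAND_FIELDS.items():
        value = next((attrs[n][0] for n in names if attrs.get(n)), None)
        if value is None:
            missing.append(field)
        else:
            mapped[field] = value
    return mapped, missing


def check_response(response_xml: str, expected_audience: str) -> dict:
    """Summarise what the SP would see for user creation."""
    mapped, missing = map_to_truecommand(saml_attributes(response_xml))
    return {
        "mapped": mapped,
        "missing": missing,
        "audience_ok": expected_audience in saml_audiences(response_xml),
        "user_creatable": not any(f in missing for f in REQUIRED_FIELDS),
    }


def constructed_response(audience: str, attributes: dict[str, str]) -> str:
    """Build a minimal, unsigned SAML Response (constructed test data only)."""
    attr_xml = "".join(
        f"<saml:Attribute Name={quoteattr(n)}><saml:AttributeValue>{escape(v)}"
        "</saml:AttributeValue></saml:Attribute>"
        for n, v in attributes.items()
    )
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">'
        '<saml:Assertion Version="2.0"><saml:Subject><saml:NameID>alice</saml:NameID>'
        f"</saml:Subject><saml:Conditions><saml:AudienceRestriction><saml:Audience>{escape(audience)}"
        "</saml:Audience></saml:AudienceRestriction></saml:Conditions>"
        f"<saml:AttributeStatement>{attr_xml}</saml:AttributeStatement>"
        "</saml:Assertion></samlp:Response>"
    )


SP_AUDIENCE = "https://truecommand.example.net/saml"  # hypothetical SP entity ID

# Names as the reply lists them: every field resolves.
GOOD = constructed_response(SP_AUDIENCE, {
    "unique_name": "alice", "given_name": "Alice Example",
    "email": "alice@example.net", "title": "Operator", "telephone_number": "+1 555 0100",
})

# Same data under urn:oid: names (uid, givenName, mail, title, telephoneNumber):
# nothing maps, which matches the "No OIDs" reply and an empty create-user form.
OID_NAMED = constructed_response(SP_AUDIENCE, {
    "urn:oid:0.9.2342.19200300.100.1.1": "alice", "urn:oid:2.5.4.42": "Alice Example",
    "urn:oid:0.9.2342.19200300.100.1.3": "alice@example.net",
    "urn:oid:2.5.4.12": "Operator", "urn:oid:2.5.4.20": "+1 555 0100",
})

if __name__ == "__main__":
    for label, xml in (("expected names", GOOD), ("urn:oid names", OID_NAMED)):
        print(label, check_response(xml, SP_AUDIENCE))
```

To use it against a real login, paste the base64-decoded SAMLResponse from the browser's POST to TrueCommand (or from the IDP's log) in place of the constructed documents; an empty `mapped` dict with a populated `missing` list is the symptom the original post describes.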
 

obsidiangroup

Dabbler
Joined
Oct 4, 2022
Messages
19
I wrote an integration document for TrueCommand with authentik.
 