Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SCIM Group Filtering #6065

Open
sloanja opened this issue Jun 26, 2023 · 6 comments · May be fixed by #13550
Open

SCIM Group Filtering #6065

sloanja opened this issue Jun 26, 2023 · 6 comments · May be fixed by #13550
Labels
enhancement/confirmed Enhancements that will be implemented in the future enhancement New feature or request
Milestone
Future release

Comments

@sloanja
Copy link

sloanja commented Jun 26, 2023

Is your feature request related to a problem? Please describe.
I am using Authentik to provision users and groups into a Netskope lab environment with required property mappings. While I can control which users are provisioned, it also sends over ALL groups associated to those users which flood the Netskope tenant with unnecessary groups unrelated to Netskope and other SCIM targets.

Describe the solution you'd like
I would like to see a section for the SCIM provider configuration called Group Filtering placed below User Filtering and above Attribute mapping. This would allow an administrator to specify specific groups that would be provisioned. It could be similiar to AzureAD SCIM or Okta's group rules.

Describe alternatives you've considered
Limiting the groups imported into Authentik via the AD sync, but that would limit the instance of Authentik to only handling Netskope SCIM, decreasing the value for Authentik.

Additional context
None to remark.
@sloanja sloanja added the enhancement New feature or request label Jun 26, 2023
@BeryJu BeryJu added the enhancement/confirmed Enhancements that will be implemented in the future label Jun 27, 2023
@BeryJu BeryJu added this to the Future release milestone Jun 27, 2023
@marcportabellaclotet-mt
Copy link

marcportabellaclotet-mt commented Jun 2, 2024
edited
Loading

I would like authentik to be able to filter scim groups and users.
Meanwhile, I found an "ugly" workaround which works with AWS Identity Center:

  • Update the groups scim mapping like:
allowed_groups = ["Admins", "Admins2","www"]
if group.name in allowed_groups:
  return {
    "displayName": group.name,
  }
else:
  return {
    "displayName": " ",
}

Similar mapping works for users

@marcportabellaclotet-mt
Copy link

Is there a way to skip the group mapping?
I have tried to return None when the group does not meet the filtering criteria, but it fails with:

Stopping sync due to error: Error No mappings configured, caused by Group xxxx

@marcportabellaclotet-mt
Copy link

marcportabellaclotet-mt commented Jul 19, 2024
edited
Loading

Looking here, it seems that it just query for all groups.

I was thinking that it may be great to optionally pass some filtering options.

Could it be possible to create a new filters property and then run something like:

def get_object_qs(self, type: type[User | Group]) -> QuerySet[User | Group]:
    provider_filters = get_provider_filters()

    if type == User:
        # Get queryset of all users with consistent ordering
        
        base = User.objects.all().exclude_anonymous()
        if self.exclude_users_service_account:
            base = base.exclude(type=UserTypes.SERVICE_ACCOUNT).exclude(
                type=UserTypes.INTERNAL_SERVICE_ACCOUNT
            )
        if self.filter_group:
            base = base.filter(ak_groups__in=[self.filter_group])
        
        # Filter users based on groups they belong to that match provider filters
        group_filters = provider_filters.get(self.name.lower(), {})
        if group_filters:
            filtered_groups = Group.objects.filter(**group_filters)
            base = base.filter(ak_groups__in=filtered_groups)

        return base.order_by("pk")
    if type == Group:
        
        # Get the base queryset of all groups with consistent ordering
        qs = Group.objects.all().order_by("pk")

        # Apply the filter based on the provider's name
        filters = provider_filters.get(self.name.lower(), {})

        if filters:
            qs = qs.filter(**filters)
        return qs

    raise ValueError(f"Invalid type {type}")

I have tested the above solution hardcoding the filters in code, and works quite well.

I know that the change is not trivial, and involves a lot of changes, but this would be a nice to have feature.

@Ednn0nd1au
Copy link

+1 still need this function as api /providers/scim_groups/{id}/ does not work

@devil1234
Copy link

devil1234 commented Sep 21, 2024
edited
Loading

Current functionality: Is ignoring the group selection entirely but if this should be working will be multiple scim providers with different groups attached to main application. Same hack applies with custom provider mapping add each provider maping to application

@ryanfaircloth
Copy link

This is also problematic for me being able to pick the groups is common with scim implemetnations

@ImmanuelVonNeumann ImmanuelVonNeumann linked a pull request Mar 17, 2025 that will close this issue
Open
6 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement/confirmed Enhancements that will be implemented in the future enhancement New feature or request
Projects
None yet
Milestone
Future release
6 participants
@devil1234 @BeryJu @sloanja @ryanfaircloth @Ednn0nd1au @marcportabellaclotet-mt