I understand that it is possible to delegate authentication to an external source (such as Okta), and I mostly have that working with Apache + mod_auth_openidc and Okta as a provider, but is there a way to tie users and their groups together? New users are being created successfully with the relevant claim information (username, email, etc.), and I can see groups in the claim being returned, but can not for the life of me find a way to tie those groups with an external user group without using LDAP separately (which we're trying to get away from if possible).
Thank you in advance!
I think I’ve got this working now, but am not sure if it’s a typo in the docs though, or maybe I just confused it with a different section…
https://theforeman.org/manuals/3.4/index.html#5.7.5Populateusersandattributes
REMOTE_USER_GROUP, but the SSO config for Foreman is expecting REMOTE_USER_GROUPS from the claim.
After updating the Apache config, all is right in the world, and we have properly assigned users automatically created and tied to external groups:
<Location /users/extlogin>
Require valid-user
AuthType openid-connect
LogLevel debug
RequestHeader set REMOTE_USER %{OIDC-preferred_username}e
RequestHeader set REMOTE_USER_EMAIL %{OIDC-email}e
RequestHeader set REMOTE_USER_FIRSTNAME %{OIDC-given_name}e
RequestHeader set REMOTE_USER_LASTNAME %{OIDC-family_name}e
RequestHeader set REMOTE_USER_GROUPS %{OIDC-groups}e
</Location>
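Because the whole mapping hinges on the exact header names Foreman reads, a quick check of the Apache block against the expected names catches the REMOTE_USER_GROUP / REMOTE_USER_GROUPS mismatch described above. This is an added example written for this thread, not code from Foreman or mod_auth_openidc; the expected-header set is taken from the config above and may not be Foreman's complete list, and `parse_location_block` / `check_headers` are hypothetical helper names.

```python
import re

# Header names Foreman's external-auth integration reads, as set in the
# Apache config above (assumed complete for this check).
EXPECTED_HEADERS = {
    "REMOTE_USER",
    "REMOTE_USER_EMAIL",
    "REMOTE_USER_FIRSTNAME",
    "REMOTE_USER_LASTNAME",
    "REMOTE_USER_GROUPS",
}

# Matches lines such as:  RequestHeader set REMOTE_USER %{OIDC-preferred_username}e
HEADER_RE = re.compile(r"^\s*RequestHeader\s+set\s+(\S+)\s+%\{(OIDC-[^}]+)\}e\s*$", re.M)


def parse_location_block(config: str, path: str = "/users/extlogin") -> dict:
    """Return {header_name: claim_variable} for RequestHeader lines in <Location path>."""
    block = re.search(rf"<Location\s+{re.escape(path)}>(.*?)</Location>", config, re.S)
    if not block:
        raise ValueError(f"no <Location {path}> block found")
    return dict(HEADER_RE.findall(block.group(1)))


def check_headers(mapping: dict) -> dict:
    """Report headers Foreman expects but the config lacks, plus near-miss spellings."""
    configured = set(mapping)
    missing = EXPECTED_HEADERS - configured
    unexpected = configured - EXPECTED_HEADERS
    # Flag singular/plural slips such as REMOTE_USER_GROUP vs REMOTE_USER_GROUPS.
    near_misses = {u: e for u in unexpected for e in missing if u.rstrip("S") == e.rstrip("S")}
    return {"missing": sorted(missing), "unexpected": sorted(unexpected), "near_misses": near_misses}


# Constructed sample: the config from the thread, and the same block with the doc's spelling.
GOOD_CONFIG = """<Location /users/extlogin>
Require valid-user
AuthType openid-connect
RequestHeader set REMOTE_USER %{OIDC-preferred_username}e
RequestHeader set REMOTE_USER_EMAIL %{OIDC-email}e
RequestHeader set REMOTE_USER_FIRSTNAME %{OIDC-given_name}e
RequestHeader set REMOTE_USER_LASTNAME %{OIDC-family_name}e
RequestHeader set REMOTE_USER_GROUPS %{OIDC-groups}e
</Location>"""
TYPO_CONFIG = GOOD_CONFIG.replace("REMOTE_USER_GROUPS", "REMOTE_USER_GROUP")

if __name__ == "__main__":
    print(check_headers(parse_location_block(GOOD_CONFIG)))
    print(check_headers(parse_location_block(TYPO_CONFIG)))
```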