Foreman External User Groups Using SSO via OKTA OpenID Connect and mod_auth_openidc

I understand that it is possible to delegate authentication to an external source (such as Okta), and I mostly have that working with Apache + mod_auth_openidc and Okta as a provider, but is there a way to tie users and their groups together? New users are being created successfully with the relevant claim information (username, email, etc.), and I can see groups in the claim being returned, but cannot for the life of me find a way to tie those groups with an external user group without using LDAP separately (which we’re trying to get away from if possible).

Thank you in advance!

I think I’ve got this working now, but am not sure if it’s a typo in the docs though, or maybe I just confused it with a different section…
https://theforeman.org/manuals/3.4/index.html#5.7.5Populateusersandattributes

REMOTE_USER_GROUP

but the SSO config for Foreman is expecting REMOTE_USER_GROUPS from the claim

After updating the Apache config, all is right in the world, and we have properly assigned users automatically created and tied to External groups.

<Location /users/extlogin>
  # Only a session authenticated by mod_auth_openidc reaches this path
  Require valid-user
  AuthType openid-connect
  # Verbose module logging for troubleshooting; lower it once the mapping works
  LogLevel debug

  # Copy the validated token claims (exported by mod_auth_openidc as OIDC-* env vars)
  # into the REMOTE_USER* request headers that Foreman's external login reads.
  # "set" overwrites any same-named header a client may have sent.
  RequestHeader set REMOTE_USER %{OIDC-preferred_username}e
  RequestHeader set REMOTE_USER_EMAIL %{OIDC-email}e
  RequestHeader set REMOTE_USER_FIRSTNAME %{OIDC-given_name}e
  RequestHeader set REMOTE_USER_LASTNAME %{OIDC-family_name}e
  # Must be REMOTE_USER_GROUPS (plural) for Foreman to map external user groups
  RequestHeader set REMOTE_USER_GROUPS %{OIDC-groups}e
</Location>
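As an added example (not from the thread, Foreman or mod_auth_openidc), the following Python models the hand-off the Apache block above performs: claims that mod_auth_openidc exported as OIDC-* environment variables are copied into REMOTE_USER* headers, client-supplied REMOTE_USER* headers are discarded so the backend only ever sees values derived from the validated token, and the mapping is checked against the header names Foreman's docs list, which is the check that would have flagged the REMOTE_USER_GROUP typo. The sample claim values and the spoofed request headers are constructed; the "," delimiter is mod_auth_openidc's OIDCClaimDelimiter default, while the delimiter Foreman itself splits groups on is not stated on this page and is left configurable as an assumption.

```python
"""Model of the Apache -> Foreman header hand-off shown in the thread.

mod_auth_openidc validates the ID token and exposes each claim as an
environment variable (OIDC-<claim> with the prefix the thread's config
uses); the RequestHeader lines then copy those into REMOTE_USER* request
headers that Foreman's external login reads. This is a constructed model
of that hand-off, not Foreman or mod_auth_openidc code.
"""

# Header names Foreman's external-auth docs (linked in the thread) expect.
REQUIRED_HEADERS = (
    "REMOTE_USER",
    "REMOTE_USER_EMAIL",
    "REMOTE_USER_FIRSTNAME",
    "REMOTE_USER_LASTNAME",
    "REMOTE_USER_GROUPS",
)

# The header -> claim mapping from the thread's <Location /users/extlogin> block.
HEADER_TO_CLAIM = {
    "REMOTE_USER": "OIDC-preferred_username",
    "REMOTE_USER_EMAIL": "OIDC-email",
    "REMOTE_USER_FIRSTNAME": "OIDC-given_name",
    "REMOTE_USER_LASTNAME": "OIDC-family_name",
    "REMOTE_USER_GROUPS": "OIDC-groups",
}

# mod_auth_openidc joins multi-valued claims with OIDCClaimDelimiter (default ",").
CLAIM_DELIMITER = ","


def check_mapping(mapping):
    """Return the Foreman-required header names that the mapping never sets.

    A mapping that sets REMOTE_USER_GROUP instead of REMOTE_USER_GROUPS
    passes Apache's syntax check but leaves Foreman's group assignment
    silently empty; this catches that before deployment.
    """
    return [h for h in REQUIRED_HEADERS if h not in mapping]


def build_headers(incoming_headers, oidc_env, mapping=HEADER_TO_CLAIM):
    """Model 'RequestHeader set': produce the headers the backend will see.

    - Every REMOTE_USER* header supplied by the client is dropped first; the
      backend must only trust values Apache derived from the validated token.
    - In this model a claim missing from the token leaves its header unset.
    """
    headers = {k: v for k, v in incoming_headers.items()
               if not k.upper().startswith("REMOTE_USER")}
    for header, claim in mapping.items():
        value = oidc_env.get(claim)
        if value:
            headers[header] = value
    return headers


def groups_from_headers(headers, delimiter=CLAIM_DELIMITER):
    """Split REMOTE_USER_GROUPS into the group names a consumer would match
    against its external user groups. The delimiter must agree on both sides;
    what Foreman splits on is an assumption here, so verify it for your version.
    """
    raw = headers.get("REMOTE_USER_GROUPS", "")
    return [g.strip() for g in raw.split(delimiter) if g.strip()]


if __name__ == "__main__":
    # Constructed sample: what mod_auth_openidc would export after validating
    # an Okta ID token for a user who is a member of two groups.
    sample_env = {
        "OIDC-preferred_username": "jdoe",
        "OIDC-email": "jdoe@example.com",
        "OIDC-given_name": "Jane",
        "OIDC-family_name": "Doe",
        "OIDC-groups": "foreman-admins,foreman-viewers",
    }
    # Constructed hostile input: a client sending its own REMOTE_USER* headers.
    spoofed = {"REMOTE_USER": "admin", "REMOTE_USER_GROUPS": "foreman-admins"}

    typo_mapping = dict(HEADER_TO_CLAIM)
    typo_mapping["REMOTE_USER_GROUP"] = typo_mapping.pop("REMOTE_USER_GROUPS")
    print("missing with typo:", check_mapping(typo_mapping))

    hdrs = build_headers(spoofed, sample_env)
    print(hdrs["REMOTE_USER"], groups_from_headers(hdrs))
```

Run it as a script to see the typo flagged and the spoofed REMOTE_USER replaced by the token's preferred_username; the same check_mapping idea can be applied to a parsed httpd.conf in a config-lint step before reloading Apache.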