Foreman External User Groups Using SSO via OKTA OpenID Connect and mod_auth_openidc

I think I’ve got this working now, but am not sure if it’s a typo in the docs though, or maybe I just confused it with a different section…
https://theforeman.org/manuals/3.4/index.html#5.7.5Populateusersandattributes

REMOTE_USER_GROUP

but the SSO config for Foreman is expecting REMOTE_USER_GROUPS from the claim

After updating Apache config, all is right in the world, and we have properly assigned users automatically created tied to External groups

<Location /users/extlogin>
  Require valid-user
  AuthType openid-connect
  LogLevel debug

  RequestHeader set REMOTE_USER %{OIDC-preferred_username}e
  RequestHeader set REMOTE_USER_EMAIL %{OIDC-email}e
  RequestHeader set REMOTE_USER_FIRSTNAME %{OIDC-given_name}e
  RequestHeader set REMOTE_USER_LASTNAME %{OIDC-family_name}e
  RequestHeader set REMOTE_USER_GROUPS %{OIDC-groups}e
</Location>
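A check for the header-name mismatch described in the post above, added here as an example (it is not code from the original post or from the Foreman project). It scans Apache config text for the `/users/extlogin` block and flags `REMOTE_USER*` headers that differ from the names in the poster's working config. The function name `lint_headers` and both sample configs are constructed for illustration, and the expected-name set is an assumption taken from that working config.

```python
import difflib
import re

# Header names copied from the working config in the post; treating them as
# the full set Foreman reads is an assumption of this example.
EXPECTED = {
    "REMOTE_USER", "REMOTE_USER_EMAIL", "REMOTE_USER_FIRSTNAME",
    "REMOTE_USER_LASTNAME", "REMOTE_USER_GROUPS",
}
LOCATION_RE = re.compile(r"<Location\s+(\S+?)>(.*?)</Location>", re.S | re.I)
# Anchored at line start, so commented-out directives are ignored.
HEADER_RE = re.compile(r"^\s*RequestHeader\s+set\s+(\S+)", re.M | re.I)

# Constructed sample: the singular header name the post describes.
BROKEN = """<Location /users/extlogin>
  Require valid-user
  AuthType openid-connect
  RequestHeader set REMOTE_USER %{OIDC-preferred_username}e
  RequestHeader set REMOTE_USER_EMAIL %{OIDC-email}e
  RequestHeader set REMOTE_USER_FIRSTNAME %{OIDC-given_name}e
  RequestHeader set REMOTE_USER_LASTNAME %{OIDC-family_name}e
  RequestHeader set REMOTE_USER_GROUP %{OIDC-groups}e
</Location>
"""
FIXED = BROKEN.replace("REMOTE_USER_GROUP %", "REMOTE_USER_GROUPS %")


def lint_headers(conf_text, path="/users/extlogin"):
    """Return findings for RequestHeader names inside <Location path>."""
    blocks = [body for loc, body in LOCATION_RE.findall(conf_text)
              if loc.strip('"') == path]
    if not blocks:
        return [f"no <Location {path}> block found"]
    seen = {n.upper() for body in blocks for n in HEADER_RE.findall(body)}
    findings = []
    for name in sorted(seen - EXPECTED):
        if not name.startswith("REMOTE_USER"):
            continue  # unrelated headers are out of scope for this check
        close = difflib.get_close_matches(name, sorted(EXPECTED), n=1, cutoff=0.8)
        hint = f", did you mean {close[0]}?" if close else ""
        findings.append(f"unexpected header {name}{hint}")
    findings += [f"missing header {n}" for n in sorted(EXPECTED - seen)]
    return findings


if __name__ == "__main__":
    for label, conf in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, lint_headers(conf) or "OK")
```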