Assign server admin based on attributes from SSO provider #8790
See #8687 for a previously filed issue about this (although the reporter closed that). Can you describe a bit more about what roles could be mapped to? The only reasonable thing I can think of is server admin.
Ah, I see you clarified in an edit that this is about having those users be a server admin. I think this is quite reasonable and would just need some additional configuration and setting the right bits when
(edited the description a bit more for clarity and to correct spelling errors. I hope it still reflects the intent of the reporter)
Yes, that is what I am talking about, and re-evaluating on each login would also be beneficial: if a user moves up the chain of command, so to speak, we could just give them that permission, and on next login they would have the updated perms. It could, at least with Keycloak, be any role (custom or not, in the Keycloak realm) mapped to the admin role in Synapse.
Also, if there was a way to map a user as a room admin, it would help with bot setup: you would not need to edit the permissions of the bot after it joined a room, it would just already have those permissions mapped. Maybe that's not possible, but mapping Synapse admin is a good step in the right direction for a more full-fledged OIDC/SAML setup.
Room admin isn't something a server (the Synapse that talks with the SSO provider) can dictate in a federated system.
Ideally it would also be great if the SSO provided roles mapping could automatically invite/register user in a specific Community (in the future Space). It would make communities/spaces management much easier when all your users are already mapped into groups in the SSO/LDAP directory. |
Thanks to @linareyne for opening a dedicated issue about this subject, I had hijacked the conversation with my comment, sorry about that! If you liked my previous comment, go like the more formal #10791 issue 🙏. |
There is currently no way for a user to be a Synapse admin based on a "role" mapping from the OIDC server, which means manually changing roles in the Postgres DB after said person has logged in. It would be great if it supported "role" mapping right out of the box, so when a user logs in they are granted Synapse admin according to the configuration in the OIDC server (in my case Keycloak).
Background: we were hoping to roll out to about 700 clients, between 8 different organizations we currently support. They will all have their own federated server. There are about 50-60 admins in total (not including the 2 admins from our company), who would all need admin access to their federated server so they can manage their internal rooms. Right now it looks like I would need to manually edit each user in Postgres after they have logged in.
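The role-to-admin mapping requested here, together with the per-login re-evaluation suggested in the comments above, sketched as an added Python example; this is not Synapse code (the issue itself states Synapse has no such feature), the claim layout follows Keycloak's `realm_access` / `resource_access` shape, and the role name `synapse-admin` and the function names are assumptions.

```python
# Added example, not Synapse code: derive the server-admin flag from
# Keycloak-style OIDC ID-token claims and re-evaluate it on every login,
# so that a role removed in the IdP also revokes admin on the homeserver.
# The claims passed in must come from an ID token whose signature and
# issuer were already verified by the OIDC client layer.
from typing import Any, Dict, Iterable, Tuple

# Assumed role name; in practice whatever the Keycloak realm defines.
ADMIN_ROLES = {"synapse-admin"}


def derive_admin(claims: Dict[str, Any], admin_roles: Iterable[str] = ADMIN_ROLES) -> bool:
    """True if any realm role (realm_access.roles) or client role
    (resource_access.<client>.roles) in the claims is an admin role."""
    roles = set(claims.get("realm_access", {}).get("roles", []))
    for client in claims.get("resource_access", {}).values():
        roles.update(client.get("roles", []))
    return not roles.isdisjoint(set(admin_roles))


def reconcile_on_login(current_admin: bool, claims: Dict[str, Any]) -> Tuple[bool, str]:
    """Decide the admin state at login time. Returns (is_admin, action) with
    action in {'grant', 'revoke', 'unchanged'} so the caller can update the
    user record and write an audit log line for every privilege change."""
    wanted = derive_admin(claims)
    if wanted and not current_admin:
        return True, "grant"
    if not wanted and current_admin:
        return False, "revoke"
    return current_admin, "unchanged"


# Constructed sample claims shaped like Keycloak output (not real tokens).
PROMOTED = {"sub": "alice", "realm_access": {"roles": ["user", "synapse-admin"]}}
DEMOTED = {
    "sub": "bob",
    "realm_access": {"roles": ["user"]},
    "resource_access": {"element": {"roles": ["viewer"]}},
}

if __name__ == "__main__":
    print(reconcile_on_login(False, PROMOTED))  # → (True, 'grant')
    print(reconcile_on_login(True, DEMOTED))    # → (False, 'revoke')
```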