omniauth-saml

Question: is there a SAML property for "nickname" or "preferred username"

Open ThisIsMissEm opened this issue 1 year ago • 2 comments

In Mastodon, we support OIDC, CAS, and SAML for SSO. Both CAS and OIDC support a nickname property on user_info, but we don't have anything for SAML for this property.

I've tried researching this, but I do not know the SAML ecosystem well enough to find what I'm looking for. My understanding is that, in our configuration, we'd need to add something like:

saml_options[:attribute_statements][:nickname] = [ENV['SAML_ATTRIBUTES_STATEMENTS_NICKNAME']] if ENV['SAML_ATTRIBUTES_STATEMENTS_NICKNAME']

so as to get the nickname property in the user_info hash. I just don't know what that value would be for ENV['SAML_ATTRIBUTES_STATEMENTS_NICKNAME'].

This is related to this issue on Mastodon: https://github.com/mastodon/mastodon/issues/21296

ThisIsMissEm avatar Jul 30 '24 19:07 ThisIsMissEm

Not sure if you've solved this yet but as far as SAML goes, you can pretty much map the claims attributes to any field that the identity provider (IDP) has. For instance, usually with SAML, the basic claims attributes are email, first name, and last name. But you could also request that the IDP give you a nickname value.

Request attributes (claims) could look like this:

request_attributes: [
  { name: 'email', name_format: 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic', friendly_name: 'Email address', is_required: 'true' },
  { name: 'first_name', name_format: 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic', friendly_name: 'First name', is_required: 'true' }, 
  { name: 'last_name', name_format: 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic', friendly_name: 'Last name', is_required: 'true' },
  { name: 'nickname', name_format: 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic', friendly_name: 'Nickname', is_required: 'false' },
]

After the SAML assertion comes back to your app, you can access those fields like this:

nickname = @auth_hash.extra.raw_info['nickname']

leesmith avatar Sep 21 '24 01:09 leesmith
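The mapping the two comments above describe, as an added stand-alone example that is not code from omniauth-saml, from the Mastodon project, or from either commenter. It models the shape of the gem's :attribute_statements option (info key => list of candidate IdP attribute names, first one present wins) over a constructed AttributeStatement, and then treats the mapped nickname as untrusted input that still has to pass the application's own handle rules. The attribute name "urn:example:nickname", the sample values and the handle regex are assumptions for illustration; the name that belongs in the ENV variable from the question is whatever the IdP is actually configured to emit.

```ruby
# Added example, not omniauth-saml's or Mastodon's own code.
# Shows how an attribute_statements-style mapping turns raw SAML attributes
# into an info hash, and why the mapped nickname still needs validation.
require 'rexml/document'

# Constructed AttributeStatement, as it might appear inside a signed IdP
# assertion. Attribute names are whatever the IdP is configured to emit;
# "urn:example:nickname" is an assumed, hypothetical name.
ATTRIBUTE_STATEMENT_XML = <<~XML
  <saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:Attribute Name="mail">
      <saml:AttributeValue>emelia@example.org</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:example:nickname">
      <saml:AttributeValue>emelia</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
XML

# Mapping in the shape omniauth-saml's :attribute_statements option takes:
# info key => list of candidate IdP attribute names, first one present wins.
# The "nickname" entry is what the question's ENV lookup would produce.
ATTRIBUTE_STATEMENTS = {
  'email'    => ['email', 'mail'],
  'nickname' => ['urn:example:nickname', 'nickname'],
}.freeze

# Parse <saml:Attribute> elements into { name => [values] }.
def parse_attributes(xml)
  doc = REXML::Document.new(xml)
  attrs = Hash.new { |h, k| h[k] = [] }
  doc.elements.each('//saml:Attribute') do |el|
    name = el.attributes['Name']
    el.elements.each('saml:AttributeValue') { |v| attrs[name] << v.text.to_s.strip }
  end
  attrs
end

# Resolve each info key to the first candidate attribute the IdP sent.
def build_info(attribute_statements, attrs)
  attribute_statements.each_with_object({}) do |(key, candidates), info|
    found = candidates.find { |c| attrs.key?(c) && !attrs[c].empty? }
    info[key] = attrs[found].first if found
  end
end

# The IdP is trusted for authentication, but an attribute value is still
# untrusted input for the application's own rules. Assumed handle policy
# for this example: letters, digits, underscore, 1 to 30 characters.
NICKNAME_RE = /\A[A-Za-z0-9_]{1,30}\z/

def valid_nickname?(value)
  !value.nil? && NICKNAME_RE.match?(value)
end

# Full path: parse, map, then drop a nickname that fails the handle rules
# so the caller falls back to its usual handle-selection flow.
def info_from_statement(xml, attribute_statements = ATTRIBUTE_STATEMENTS)
  info = build_info(attribute_statements, parse_attributes(xml))
  info.delete('nickname') unless valid_nickname?(info['nickname'])
  info
end

if __FILE__ == $PROGRAM_NAME
  p info_from_statement(ATTRIBUTE_STATEMENT_XML)
end
```

Run it directly to see the resolved info hash; the mapping function only consults attributes that were actually present, so an IdP that sends no nickname attribute simply yields no nickname key rather than an empty string.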

Okay, cool! Thanks for the help! I don't know SAML in the slightest (nor have a system wherein I can test this)

I'll keep this in mind for next time I work on that part of the Mastodon code.

ThisIsMissEm avatar Sep 21 '24 03:09 ThisIsMissEm