This section provides an example attribute mapping script for Carbon Black EDR only; this section does not apply to VMware Carbon Black Hosted EDR.

The attribute mapping is contained in a user-defined Python script.

def callback(saml_response, db_session, logger, sso_config):
    """
        Takes a SAML Response object and returns a dictionary
        of fields.   This is a default implementation, it is
        expected to be overridden by a user in the SSO config.

         This instance will return empty values for all fields so
        behavior maintains backwards compatibility with
        existing SSO configurations.
    """
       logger.debug("Default SAML attribute map, user   authorized, not parsing attributes in SAML Response.")
       result = {}
       result["authorized"] = True
       result["username"] = None
       result["first_name"] = None
       result["last_name"] = None
       result["email"] = None
       result["builtin_roles"] = None
       result["teams"] = None

       return result
The default callback returns authorized = True and None for all attributes. This keeps behavior consistent with the current SSO implementation. An example script for a fully featured install is included in /etc/cb/sso/ together with the example config file:
def callback(saml_response, db_session, logger, sso_config):
  result = {}
  attrs = saml_response.attrs

  result["authorized"] = True if "cbserver" in attrs
  ["groups"] else False

  result["username"] = attrs["uid"][0] if "uid" in attrs 
  else None
  result["first_name"] = attrs["givenName"][0] if 
  "givenName" in attrs else None
  result["last_name"] = attrs["sn"][0] if "sn" in 
  attrs else None
  result["email"] = attrs["mail"][0] if "mail" in 
  attrs else None

    if "cbserver-owners" in attrs["groups"]:
        result["builtin_roles"] = ["global_admin",]
        result["teams"] = None
    else:
        result["builtin_roles"] = []
        result["teams"] = None

    return result
In the example above, the IdP returns the following fields:
  • username – The user’s login ID.

  • givenName – The user's first name.

  • sn – The user's last name (surname).

  • mail – The user’s email address.

  • groups – A list of relevant group memberships.

The example uses the resource parameter to determine group membership.

Two group names are defined by this IdP:

  • cbserver

  • cbserver-owners

A user must be a member of cbserver to have access to the Carbon Black EDR server. Any user part of cbserver-owners is granted global admin and is included in the administrators group.

The following is example debug output of a user being authenticated, authorized, created, added to global admins and the administrators team.

15:08:06.799 api_routes_saml.py(214): <DEBUG> Attributes returned in SAML response:
15:08:06.800 api_routes_saml.py(216): <DEBUG> mail: ['jguy@carbonblack.com']
15:08:06.801 api_routes_saml.py(216): <DEBUG> givenName: ['Bill']
15:08:06.801 api_routes_saml.py(216): <DEBUG> groups: ['cbserver-owners', 'cbserver']
15:08:06.801 api_routes_saml.py(216): <DEBUG> uid: ['bill']
15:08:06.801 api_routes_saml.py(216): <DEBUG> sn: ['Smith']
15:08:06.801 api_routes_saml.py(218): <DEBUG> Custom SAML attribute map returned:
15:08:06.802 api_routes_saml.py(220): <DEBUG> username: bill
15:08:06.802 api_routes_saml.py(220): <DEBUG> first_name: Bill
15:08:06.802 api_routes_saml.py(220): <DEBUG> last_name: Smith
15:08:06.802 api_routes_saml.py(220): <DEBUG> builtin_roles: ['global_admin']
15:08:06.802 api_routes_saml.py(220): <DEBUG> teams: ['Administrators']
15:08:06.803 api_routes_saml.py(220): <DEBUG> authorized: True
15:08:06.803 api_routes_saml.py(220): <DEBUG> email: jguy@carbonblack.com
15:08:06.806 api_routes_saml.py(242): <WARNING> bill authenticated and authorized, but not found in user database.  Creating user.
15:08:06.812 api_routes_saml.py(261): <DEBUG> Updating bill to Global Admin role.
15:08:06.814 api_routes_saml.py(269): <DEBUG> Updating team membership for bill to [{'id': 1,