This section provides an example attribute mapping script for Carbon Black EDR only; this section does not apply to VMware Carbon Black Hosted EDR.

The attribute mapping is contained in a user-defined Python script.

def callback(saml_response, db_session, logger, sso_config):
    """Takes a SAML Response object and returns a dictionary
    of fields.  This is a default implementation, it is
    expected to be overridden by a user in the SSO config.

    This instance will return empty values for all fields so
    behavior maintains backwards compatibility with
    existing SSO configurations.
    """
    logger.debug("Default SAML attribute map, user authorized, not parsing attributes in SAML Response.")
    result = {}
    result["authorized"] = True
    result["username"] = None
    result["first_name"] = None
    result["last_name"] = None
    result["email"] = None
    result["builtin_roles"] = None
    result["teams"] = None

    return result
The default callback returns authorized = True and None for all attributes. This keeps behavior consistent with the current SSO implementation: every user the IdP successfully authenticates is admitted, and no group or attribute check is applied until you supply your own script. An example script for a fully featured install is included in /etc/cb/sso/ together with the example config file:
def callback(saml_response, db_session, logger, sso_config):
    result = {}
    attrs = saml_response.attrs

    # A user must be in the "cbserver" group to reach the server at all.
    # attrs.get() avoids a KeyError when the IdP sends no groups attribute;
    # such a user is simply not authorized.
    groups = attrs.get("groups", [])
    result["authorized"] = "cbserver" in groups

    # SAML attributes are multi-valued; take the first value of each.
    result["username"] = attrs["uid"][0] if "uid" in attrs else None
    result["first_name"] = attrs["givenName"][0] if "givenName" in attrs else None
    result["last_name"] = attrs["sn"][0] if "sn" in attrs else None
    result["email"] = attrs["mail"][0] if "mail" in attrs else None

    # Members of "cbserver-owners" become Global Admins and join the
    # Administrators team; everyone else gets no built-in role or team.
    if "cbserver-owners" in groups:
        result["builtin_roles"] = ["global_admin",]
        result["teams"] = ["Administrators",]
    else:
        result["builtin_roles"] = []
        result["teams"] = None

    return result
In the example above, the IdP returns the following attributes (each as a list of values):
  • uid – The user's login ID; the script maps it to username.

  • givenName – The user's first name.

  • sn – The user's last name (surname).

  • mail – The user's email address.

  • groups – A list of relevant group memberships.

The example uses the groups attribute to determine group membership.

Two group names are defined by this IdP:

  • cbserver

  • cbserver-owners

A user must be a member of cbserver to have access to the Carbon Black EDR server. Any user who is also a member of cbserver-owners is granted the Global Admin role and is added to the Administrators team; a user in cbserver-owners but not in cbserver is not authorized at all.
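To check a mapping script before deploying it to /etc/cb/sso/, it helps to drive it offline against a few constructed assertions. The following is an added example, not code from the Carbon Black EDR documentation or product: FakeSamlResponse is a stand-in that exposes only the attrs dict the real response object provides (an assumption about the interface, based on the script above), the sample attribute sets are constructed here, and the callback is a hardened variant of the one above that treats a missing groups attribute as unauthorized, normalizes an empty mail value (as in the debug output below) to None, and refuses a user whose uid cannot be determined.

```python
"""Offline exercise of a Carbon Black EDR SSO attribute-mapping callback.
Added example; the fake response object and sample assertions are constructed."""
import logging
from typing import Dict, List, Optional


class FakeSamlResponse:
    """Stand-in for the server's SAML response object. Assumption: the real
    object exposes parsed attributes as ``.attrs`` (name -> list of values)."""

    def __init__(self, attrs: Dict[str, List[str]]):
        self.attrs = attrs


def _first(attrs: Dict[str, List[str]], name: str) -> Optional[str]:
    """First value of a multi-valued attribute, or None when it is absent,
    empty, or blank (an IdP may send mail: [''] for an unset address)."""
    values = attrs.get(name) or []
    value = values[0].strip() if values else ""
    return value or None


def callback(saml_response, db_session, logger, sso_config):
    attrs = saml_response.attrs
    # No groups attribute at all means the user cannot be in "cbserver".
    groups = set(attrs.get("groups", []))
    result = {
        "authorized": "cbserver" in groups,
        "username": _first(attrs, "uid"),
        "first_name": _first(attrs, "givenName"),
        "last_name": _first(attrs, "sn"),
        "email": _first(attrs, "mail"),
        "builtin_roles": [],
        "teams": None,
    }
    # Only an authorized user can be promoted; cbserver-owners alone is not enough.
    if result["authorized"] and "cbserver-owners" in groups:
        result["builtin_roles"] = ["global_admin"]
        result["teams"] = ["Administrators"]
    # A user record needs a login name; deny rather than create a nameless user.
    if result["authorized"] and result["username"] is None:
        logger.warning("SAML assertion is in cbserver but carries no uid; denying")
        result["authorized"] = False
    logger.debug("Custom SAML attribute map returned: %s", result)
    return result


# Constructed sample assertions (not captured from a real IdP).
SAMPLES = {
    "owner": {"uid": ["bill"], "givenName": ["Bill"], "sn": ["Smith"],
              "mail": [""], "groups": ["cbserver-owners", "cbserver"]},
    "member": {"uid": ["alice"], "givenName": ["Alice"], "sn": ["Jones"],
               "mail": ["alice@example.com"], "groups": ["cbserver"]},
    "owner_only": {"uid": ["mallory"], "groups": ["cbserver-owners"]},
    "no_groups": {"uid": ["eve"], "mail": ["eve@example.com"]},
    "no_uid": {"groups": ["cbserver"]},
}


def map_sample(name: str) -> dict:
    """Run the callback on one constructed sample and return its result dict."""
    logger = logging.getLogger("cb.sso.example")
    return callback(FakeSamlResponse(SAMPLES[name]), None, logger, {})


if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)
    for sample in SAMPLES:
        print(sample, map_sample(sample))
```

The "owner_only" and "no_uid" cases are the ones worth keeping in a regression check: the script on the page would hand "owner_only" global_admin while marking the user unauthorized, and would try to create a user with username None for "no_uid".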

The following is example debug output of a user being authenticated, authorized, created, given the Global Admin role, and added to the Administrators team.

15:08:06.799 <DEBUG> Attributes returned in SAML response:
15:08:06.800 <DEBUG> mail: ['']
15:08:06.801 <DEBUG> givenName: ['Bill']
15:08:06.801 <DEBUG> groups: ['cbserver-owners', 'cbserver']
15:08:06.801 <DEBUG> uid: ['bill']
15:08:06.801 <DEBUG> sn: ['Smith']
15:08:06.801 <DEBUG> Custom SAML attribute map returned:
15:08:06.802 <DEBUG> username: bill
15:08:06.802 <DEBUG> first_name: Bill
15:08:06.802 <DEBUG> last_name: Smith
15:08:06.802 <DEBUG> builtin_roles: ['global_admin']
15:08:06.802 <DEBUG> teams: ['Administrators']
15:08:06.803 <DEBUG> authorized: True
15:08:06.803 <DEBUG> email:
15:08:06.806 <WARNING> bill authenticated and authorized, but not found in user database.  Creating user.
15:08:06.812 <DEBUG> Updating bill to Global Admin role.
15:08:06.814 <DEBUG> Updating team membership for bill to [{'id': 1,