This section provides an example attribute mapping script for Carbon Black EDR only; this section does not apply to Carbon Black Hosted EDR.

The attribute mapping is contained in a user-defined Python script.

def callback(saml_response, db_session, logger, sso_config):
    """
    Takes a SAML Response object and returns a dictionary
    of fields. This is a default implementation; it is
    expected to be overridden by a user in the SSO config.

    This instance will return empty values for all fields so
    behavior maintains backwards compatibility with
    existing SSO configurations.
    """
    logger.debug("Default SAML attribute map, user authorized, not parsing attributes in SAML Response.")
    result = {}
    result["authorized"] = True
    result["username"] = None
    result["first_name"] = None
    result["last_name"] = None
    result["email"] = None
    result["builtin_roles"] = None
    result["teams"] = None

    return result

The default callback returns authorized = True and None for all attributes. This keeps behavior consistent with the current SSO implementation. An example script for a fully featured install is included in /etc/cb/sso/ together with the example config file:
def callback(saml_response, db_session, logger, sso_config):
    result = {}
    attrs = saml_response.attrs
    # Attribute values arrive as lists of strings. Look up "groups" with a
    # default so an assertion without that attribute does not raise KeyError.
    groups = attrs.get("groups", [])

    result["authorized"] = True if "cbserver" in groups else False

    result["username"] = attrs["uid"][0] if "uid" in attrs else None
    result["first_name"] = attrs["givenName"][0] if "givenName" in attrs else None
    result["last_name"] = attrs["sn"][0] if "sn" in attrs else None
    result["email"] = attrs["mail"][0] if "mail" in attrs else None

    if "cbserver-owners" in groups:
        result["builtin_roles"] = ["global_admin"]
        result["teams"] = None
    else:
        result["builtin_roles"] = []
        result["teams"] = None

    return result

In the preceding example, the IdP returns the following fields:
  • username – The user's login ID (the uid attribute in the script above).

  • givenName – The user's first name.

  • sn – The user's last name (surname).

  • mail – The user’s email address.

  • groups – A list of relevant group memberships.

The example uses the resource parameter to determine group membership.

Two group names are defined by this IdP:

  • cbserver

  • cbserver-owners

A user must be a member of cbserver to have access to the Carbon Black EDR server. Any user who is also a member of cbserver-owners is granted the Global Admin role and is added to the Administrators team.

The following is example debug output for a user being authenticated, authorized, created, granted the Global Admin role and added to the Administrators team.
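To see how the mapping above behaves on the edge cases an IdP can produce (no groups attribute at all, cbserver-owners without cbserver, sparse attributes), here is an added test harness that is not part of the Carbon Black EDR product or its shipped example. It assumes only that the object passed as saml_response exposes an attrs dict of attribute name to list of values, as the shipped script does; the make_response stub, the sample attribute sets and the extra rule that global_admin is granted only to users who are also authorized are constructed here.

```python
import logging
from types import SimpleNamespace


def make_response(attrs):
    # Constructed stand-in for the SAML response object; only .attrs is assumed.
    return SimpleNamespace(attrs=attrs)


def callback(saml_response, db_session, logger, sso_config):
    """Mapping script with two hardening changes over the shipped example:
    a missing 'groups' attribute yields authorized=False instead of KeyError,
    and global_admin is granted only when the user is also authorized."""
    attrs = saml_response.attrs
    groups = attrs.get("groups", [])

    def first(name):
        # SAML attribute values are lists; take the first or None if absent/empty
        values = attrs.get(name)
        return values[0] if values else None

    result = {
        "authorized": "cbserver" in groups,
        "username": first("uid"),
        "first_name": first("givenName"),
        "last_name": first("sn"),
        "email": first("mail"),
        "teams": None,
    }
    if result["authorized"] and "cbserver-owners" in groups:
        result["builtin_roles"] = ["global_admin"]
    else:
        result["builtin_roles"] = []
    logger.debug("mapped %s -> authorized=%s roles=%s",
                 result["username"], result["authorized"], result["builtin_roles"])
    return result


# Constructed attribute sets; OWNER mirrors the debug output shown on this page.
OWNER = {"uid": ["bill"], "givenName": ["Bill"], "sn": ["Smith"],
         "mail": ["bill@example.com"], "groups": ["cbserver-owners", "cbserver"]}
MEMBER = {"uid": ["ann"], "groups": ["cbserver"]}        # access, no admin role
NO_GROUPS = {"uid": ["eve"]}                             # IdP sent no groups attribute
OWNER_ONLY = {"uid": ["mal"], "groups": ["cbserver-owners"]}  # owner but not member


def map_attrs(attrs):
    return callback(make_response(attrs), None, logging.getLogger("sso"), {})


if __name__ == "__main__":
    for sample in (OWNER, MEMBER, NO_GROUPS, OWNER_ONLY):
        print(map_attrs(sample))
```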

15:08:06.799 api_routes_saml.py(214): <DEBUG> Attributes returned in SAML response:
15:08:06.800 api_routes_saml.py(216): <DEBUG> mail: ['[email protected]']
15:08:06.801 api_routes_saml.py(216): <DEBUG> givenName: ['Bill']
15:08:06.801 api_routes_saml.py(216): <DEBUG> groups: ['cbserver-owners', 'cbserver']
15:08:06.801 api_routes_saml.py(216): <DEBUG> uid: ['bill']
15:08:06.801 api_routes_saml.py(216): <DEBUG> sn: ['Smith']
15:08:06.801 api_routes_saml.py(218): <DEBUG> Custom SAML attribute map returned:
15:08:06.802 api_routes_saml.py(220): <DEBUG> username: bill
15:08:06.802 api_routes_saml.py(220): <DEBUG> first_name: Bill
15:08:06.802 api_routes_saml.py(220): <DEBUG> last_name: Smith
15:08:06.802 api_routes_saml.py(220): <DEBUG> builtin_roles: ['global_admin']
15:08:06.802 api_routes_saml.py(220): <DEBUG> teams: ['Administrators']
15:08:06.803 api_routes_saml.py(220): <DEBUG> authorized: True
15:08:06.803 api_routes_saml.py(220): <DEBUG> email: [email protected]
15:08:06.806 api_routes_saml.py(242): <WARNING> bill authenticated and authorized, but not found in user database.  Creating user.
15:08:06.812 api_routes_saml.py(261): <DEBUG> Updating bill to Global Admin role.
15:08:06.814 api_routes_saml.py(269): <DEBUG> Updating team membership for bill to [{'id': 1,