Use the following attr_map.py. Change each if "key" comparison to the attribute name (case sensitive) that your IdP actually sends.
def callback(saml_response, db_session, logger, sso_config):
    """
    Takes a SAML Response object and returns a dictionary
    of fields. Since attributes vary widely between IdPs,
    you must map your IdP's values to what CB needs.
    VMware Carbon Black EDR expects seven attributes:
        authorized    - True or False
                        Is this user authorized to access this
                        VMware Carbon Black EDR server?
        username      - The VMware Carbon Black EDR username to log in / create.
        first_name    - First name of the user
        last_name     - Last name of the user
        email         - Email address of the user
        builtin_roles - A list of builtins this user should be a part of.
                        The only valid entry is currently global_admin.
                        If this value is None, Cb makes no changes to the
                        user's current role settings. If this value is
                        ["global_admin",] Cb will grant this user global
                        admin. If this value is [], Cb will remove
                        global admin from this user.
        teams         - A list of teams this user should be part of.
                        The contents of this list must match team names
                        defined in your VMware Carbon Black EDR server. A value of
                        None makes no changes to current team membership.
    In this example, the IdP returns the following fields:
        CommonName - user's logon id
        givenname  - user's first name (given name)
        surname    - user's last name (surname)
        email      - user's email address
        role       - a list of relevant group memberships
    The script below uses the 'role' parameter to determine group membership.
    There are two group names defined by this IdP:
        Domain Users
        Administrators
    A user must have a 'Domain Users' role in order to have access to this VMware Carbon Black EDR server.
    Any user with the 'Administrators' IdP role is granted global admin and made part of the
    Analysts team.
    When testing your own script, turn on debug logging for coreservices to inspect
    the attributes returned from your IdP and the resulting map.
    """
    attrs = saml_response.attrs
    # Default every field so the caller never sees a missing key when an
    # attribute is absent from the assertion.
    result = {
        "username": "",
        "first_name": "",
        "last_name": "",
        "email": "",
        "builtin_roles": None,  # None keeps the user's current global admin setting.
        "teams": None,          # None keeps the user's current team assignments.
        "authorized": True,     # Force the IdP user rather than falling back to an existing local user.
    }
    for key, value in attrs.items():
        # Each comparison must match the attribute name the IdP sends (case sensitive).
        # If the NameId from the IdP is preferred for the username, comment the
        # CommonName block out. Note: an alphanumeric username is required;
        # special characters are not accepted.
        if "CommonName" in key:
            result["username"] = value[0]
        if "givenName" in key:
            result["first_name"] = value[0]
        if "surname" in key:
            result["last_name"] = value[0]
        if "emailAddress" in key:
            result["email"] = value[0]
    return result
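As an added example (not part of the original attr_map.py), here is the role-based mapping the docstring describes but the script above leaves out: deny by default, require 'Domain Users' for access, and grant global admin plus the Analysts team only to 'Administrators'. It assumes saml_response.attrs is a dict of attribute name to list of string values, as the script's value[0] indexing implies; the SAML response and the function name role_based_callback are constructed for illustration.

```python
from types import SimpleNamespace


def fake_saml_response(attrs):
    # Constructed stand-in for the object coreservices passes in (assumption:
    # .attrs is a dict of attribute name -> list of string values).
    return SimpleNamespace(attrs=attrs)


def role_based_callback(saml_response, db_session, logger, sso_config):
    """Hypothetical attr_map callback implementing the docstring's rules:
    'Domain Users' is required for access, 'Administrators' adds global
    admin and the Analysts team. Unknown users are denied by default."""
    attrs = saml_response.attrs
    result = {"authorized": False, "username": "", "first_name": "",
              "last_name": "", "email": "", "builtin_roles": None, "teams": None}
    # Exact, case-sensitive attribute names as this example IdP sends them.
    field_map = {"CommonName": "username", "givenname": "first_name",
                 "surname": "last_name", "email": "email"}
    for key, values in attrs.items():
        if key in field_map and values:
            result[field_map[key]] = values[0]
    roles = set(attrs.get("role", []))
    # Authorize only with the required role and a username CB will accept
    # (alphanumeric only, as the script's comment states).
    if "Domain Users" in roles and result["username"].isalnum():
        result["authorized"] = True
        if "Administrators" in roles:
            result["builtin_roles"] = ["global_admin"]
            result["teams"] = ["Analysts"]
        else:
            # [] explicitly revokes global admin that an earlier login may
            # have granted; teams stays None so membership is left unchanged.
            result["builtin_roles"] = []
    if logger is not None:
        logger.debug("attr_map: %r -> %r", attrs, result)
    return result
```

Run it against a constructed assertion with both roles, one role, and neither to confirm the three outcomes before deploying it.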