How To Remove Role Mapping on ADFS SSO

Article ID: 290348

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

With ADFS SSO, when the IdP does not send a role attribute, how should attr_map.py be modified?

Environment

  • Carbon Black EDR Server: All versions
  • ADFS: 2.0

Resolution

Use the following attr_map.py. Change each if "key" check to the matching key (case sensitive) that the IdP sends in its SAML attributes.

def callback(saml_response, db_session, logger, sso_config):
    """
        Takes a SAML Response object and returns a dictionary
        of fields.  Since attributes vary widely between IdPs,
        you must map your IdP's values to what CB needs.

        VMware Carbon Black EDR expects seven attributes:

            authorized - True or False
                         Is this user authorized to access this
                         VMware Carbon Black EDR server?

            username  -  The VMware Carbon Black EDR username to log in / create.
            first_name - First name of the user
            last_name  - Last name of the user
            email      - Email address of the user
            builtin_roles - A list of builtins this user should be a part of.
                            The only valid entry is currently global_admin.
                            If this value is None, Cb makes no changes to the
                            user's current role settings.  If this value is
                            ["global_admin",] Cb will grant this user global
                            admin.   If this value is [], Cb will remove
                            global admin from this user.
            teams      -  A list of teams this user should be part of.
                          The contents of this list must match team names
                          defined in your VMware Carbon Black EDR server.  A value of
                          None makes no changes to current team membership.

        In the original example, the IdP returns the following fields:

            CommonName   - user's logon id
            givenname    - user's first name (given name)
            surname      - user's last name (surname)
            email        - user's email address
            role         - a list of relevant group memberships

        The original script uses the 'role' parameter to determine group membership.
        There are two group names defined by that IdP:

            Domain Users
            Administrators

        A user must have a 'Domain Users' role in order to have access to this VMware Carbon Black EDR server.
        Any user with the 'Administrators' IdP role is granted global admin and made part of the
        Analysts team.

        This variant does not read 'role' at all: the IdP sends none, so every user it
        authenticates is marked authorized and role and team settings are left unchanged.

        When testing your own script, turn on debug logging for coreservices to inspect
        the attributes returned from your IdP and the resulting map.
    """
    result = {}
    attrs = saml_response.attrs

    result["builtin_roles"] = None  # None keeps the user's current global admin setting.
    result["teams"] = None  # None keeps the user's current team assignments.
    result["authorized"] = True  # True authorizes the IdP user instead of falling back to an existing local user.

    for key, value in attrs.items():
        # Each key below must match what the IdP sends (case sensitive).
        # If the NameId from the IdP is preferred as the username, comment out the
        # CommonName block.  Note: the username must be alphanumeric; special
        # characters are not accepted.
        if "CommonName" in key:
            result["username"] = value[0]
        if "givenName" in key:
            result["first_name"] = value[0]
        if "surname" in key:
            result["last_name"] = value[0]
        if "emailAddress" in key:
            result["email"] = value[0]

    return result
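
The following is an added example, not part of the article or of Carbon Black's own code. It drives a copy of the no-role callback offline against constructed ADFS-style attributes (claim names in the URI form ADFS commonly uses are an assumption; the real names are whatever your IdP is configured to send) and checks the resulting map the way you would want coreservices debug logging to: it reports any of the seven expected fields the callback never set, and a username the server will reject because it is not alphanumeric. The second input uses lowercase claim names and a dotted logon id to show what a case mismatch and a bad username look like before the map is enabled on a server.

```python
"""Added example (not from the article or Carbon Black): run the no-role
attr_map.py callback offline against constructed ADFS-style attributes and
check the map before enabling it on a server."""
import logging
from types import SimpleNamespace

# The seven fields the article says the callback must return.
REQUIRED_FIELDS = ("authorized", "username", "first_name", "last_name",
                   "email", "builtin_roles", "teams")

# Constructed claim names in the URI style ADFS commonly uses (assumption);
# the actual outgoing claim names are whatever the IdP is configured to send.
CLAIM_PREFIX = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
ATTRS_MATCHING_KEYS = {
    CLAIM_PREFIX + "CommonName": ["jsmith"],
    CLAIM_PREFIX + "givenName": ["Jane"],
    CLAIM_PREFIX + "surname": ["Smith"],
    CLAIM_PREFIX + "emailAddress": ["jsmith@example.com"],
}
# Same user, but the IdP sends lowercase claim names and a dotted logon id
# (constructed to show a case mismatch and a non-alphanumeric username).
ATTRS_MISMATCHED_KEYS = {
    CLAIM_PREFIX + "CommonName": ["j.smith"],
    CLAIM_PREFIX + "givenname": ["Jane"],
    CLAIM_PREFIX + "surname": ["Smith"],
    CLAIM_PREFIX + "emailaddress": ["jsmith@example.com"],
}


def callback(saml_response, db_session, logger, sso_config):
    """Same mapping logic as the article's attr_map.py: case-sensitive
    substring match on each attribute key, no role handling, and every
    IdP user authorized with role and team settings left unchanged."""
    result = {"builtin_roles": None, "teams": None, "authorized": True}
    for key, value in saml_response.attrs.items():
        if "CommonName" in key:
            result["username"] = value[0]
        if "givenName" in key:
            result["first_name"] = value[0]
        if "surname" in key:
            result["last_name"] = value[0]
        if "emailAddress" in key:
            result["email"] = value[0]
    return result


def check_map(result):
    """Return the problems an operator would want surfaced in the coreservices
    debug log: expected fields the callback never set, and a username the
    server will reject because it is not alphanumeric."""
    problems = [f"missing {f}" for f in REQUIRED_FIELDS if f not in result]
    username = result.get("username")
    if username is not None and not username.isalnum():
        problems.append(f"username {username!r} is not alphanumeric")
    return problems


def map_and_check(attrs):
    """Drive the callback with a stand-in SAML response (only .attrs is read,
    as in the article's code) and return (mapped fields, list of problems)."""
    response = SimpleNamespace(attrs=attrs)
    logger = logging.getLogger("coreservices")
    result = callback(response, db_session=None, logger=logger, sso_config={})
    problems = check_map(result)
    for problem in problems:
        logger.warning("attr_map: %s", problem)
    return result, problems


if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)
    for label, attrs in (("matching keys", ATTRS_MATCHING_KEYS),
                         ("mismatched keys", ATTRS_MISMATCHED_KEYS)):
        mapped, problems = map_and_check(attrs)
        print(label, mapped, problems or "OK")
```

With the mismatched input, first_name and email never get set because "givenname" and "emailaddress" do not contain the capitalised substrings the callback looks for, and "j.smith" is flagged as a username the server will not accept; fixing the if "key" checks to match the IdP's exact claim names, or adjusting the claim ADFS sends for the logon id, resolves both before users start seeing failed logins.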


Additional Information

  • SSO Integration Guide
  • Because no role is sent, every IdP user must be marked as authorized, since there is nothing else to verify whether the user should have access. A user who logs in will not be able to view any data until a global admin assigns the user's team permissions.