SAML integration
Vishal Jadhav edited this page Oct 21, 2015
This is helpful for on-premises instances but can be extended to any other instance (e.g. services running in different private clouds): users can be redirected from a partner website into the CartoDB IDE.
- The user is currently logged into a company system (i.e. is already authenticated there).
- The existing system launches a browser and POSTs a SAML response to the CartoDB instance.
- This new POST request is handled by the new route.
- Create an organization with its owner user.
- Log in as the org admin user and go to the existing 'create new user' page via 'Your organization'.
- The org owner creates a new user with all the existing fields plus one more field, 'external user id', since that id is what the SAML response will POST in the SAML authentication use case described above.
### Implementation details
- Refer to the migration to see the schema modifications: https://github.com/bloomberg/cartodb/blob/ab4342175fb7d2f6740da90411275ca6231a5d43/db/migrate/20151014154530_create_saml_identity_providers.rb
- Organization - will have a new field 'saml_idp_name', which is the foreign key.
- SamlIdentityProvider - will hold the information about the SAML Identity Provider.
- SamlUser - will list each 'saml_name_id' and its corresponding 'cartodb_username'. The Postgres table will list all the allowed users; it is a map from the external ids to the existing CartoDB usernames.
- All these users will be organization users.
A new route will be added for SAML login; the SAML Identity Provider name, which is the key in the models above, will be derived from the path.
e.g. `(/u/:user_domain)/:saml_idp/acs`
A new controller will handle the SAML response along with a new warden strategy for SAML. If the user is a valid user, the strategy will impersonate its corresponding native CartoDB user.
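The lookup chain the strategy performs (organization, its configured IdP, the allowlisted external id, the native user) as an added example in plain Ruby; this is not code from the bloomberg/cartodb fork, and the struct names, the `SamlUserResolver` class and the sample tenant data are assumptions. It assumes the SAML library has already validated the response before the NameID reaches this step.

```ruby
require 'set'

# Added example, not code from the bloomberg/cartodb fork: the lookup chain
# described above, modelled with plain Ruby structs instead of Sequel models.
# Assumes the SAML library has already validated the response (signature,
# audience, validity window) before the NameID reaches this step.
Organization = Struct.new(:name, :saml_idp_name)
SamlUser     = Struct.new(:saml_idp_name, :saml_name_id, :cartodb_username)

class SamlResolveError < StandardError; end

class SamlUserResolver
  # organizations: user_domain => Organization
  # idp_names:     names of the configured SamlIdentityProvider rows
  # saml_users:    SamlUser rows (the allowlist of external ids)
  # org_members:   organization name => Set of native usernames
  def initialize(organizations:, idp_names:, saml_users:, org_members:)
    @organizations = organizations
    @idp_names = idp_names
    @map = saml_users.to_h { |u| [[u.saml_idp_name, u.saml_name_id], u.cartodb_username] }
    @org_members = org_members
  end

  # Returns the native CartoDB username the strategy should impersonate.
  # Every failure raises, so a caller cannot fall through half-authenticated.
  def resolve(user_domain:, saml_idp:, name_id:)
    org = @organizations[user_domain] or raise SamlResolveError, 'unknown organization'
    raise SamlResolveError, 'unknown IdP' unless @idp_names.include?(saml_idp)
    # The IdP named in the path must be the one configured for this organization,
    # so an assertion issued for another tenant's IdP is not accepted here.
    raise SamlResolveError, 'IdP not linked to organization' unless org.saml_idp_name == saml_idp
    username = @map[[saml_idp, name_id]] or raise SamlResolveError, 'external id not allowlisted'
    # All SAML users are organization users; refuse a mapping that points elsewhere.
    members = @org_members.fetch(org.name, Set.new)
    raise SamlResolveError, 'mapped user not in organization' unless members.include?(username)
    username
  end
end

# Constructed sample data for a single tenant (hypothetical names).
DEMO = SamlUserResolver.new(
  organizations: { 'acme' => Organization.new('acme', 'acme-idp') },
  idp_names: Set['acme-idp', 'other-idp'],
  saml_users: [SamlUser.new('acme-idp', 'jdoe@corp.example', 'jdoe')],
  org_members: { 'acme' => Set['jdoe', 'admin'] }
)
```

A request for `other-idp` under the `acme` domain, or a NameID missing from the SamlUser table, is rejected before any impersonation happens.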