
Question: is there a SAML property for "nickname" or "preferred username" #220

Open
ThisIsMissEm opened this issue Jul 30, 2024 · 2 comments

Comments

@ThisIsMissEm

In Mastodon, we support OIDC, CAS, and SAML for SSO; both CAS and OIDC support a nickname property on user_info, but we don't have anything for SAML for this property.

I've tried researching this but do not know the SAML ecosystem well enough to find what I'm looking for. My understanding is that in our configuration, we'd need to add something like:

saml_options[:attribute_statements][:nickname] = [ENV['SAML_ATTRIBUTES_STATEMENTS_NICKNAME']] if ENV['SAML_ATTRIBUTES_STATEMENTS_NICKNAME']

so as to get the nickname property in the user_info hash. I just don't know what that value would be for ENV['SAML_ATTRIBUTES_STATEMENTS_NICKNAME'].

This is related to this issue on Mastodon: mastodon/mastodon#21296

@leesmith

Not sure if you've solved this yet but as far as SAML goes, you can pretty much map the claims attributes to any field that the identity provider (IDP) has. For instance, usually with SAML, the basic claims attributes are email, first name, and last name. But you could also request that the IDP give you a nickname value.

Request attributes (claims) could look like this:

request_attributes: [
  { name: 'email', name_format: 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic', friendly_name: 'Email address', is_required: 'true' },
  { name: 'first_name', name_format: 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic', friendly_name: 'First name', is_required: 'true' }, 
  { name: 'last_name', name_format: 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic', friendly_name: 'Last name', is_required: 'true' },
  { name: 'nickname', name_format: 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic', friendly_name: 'Nickname', is_required: 'false' },
]

After the SAML assertion comes back to your app, you can access those fields like this:

nickname = @auth_hash.extra.raw_info['nickname']
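As an added worked example (not code from this thread, nor from the gem whose attribute_statements option is discussed above), the block below shows what the mapping actually operates on: the AttributeStatement of the assertion, keyed by the Name the IdP chose to send. It parses a constructed AttributeStatement with stdlib REXML, applies an attribute_statements-style mapping in which the first listed name present in the assertion wins (an approximation of the gem's behaviour, not its code), and validates the resulting nickname before it is used as a handle. The sample XML, the ATTRIBUTE_STATEMENTS hash and the NICKNAME_RE pattern are assumptions made for the example; the urn:oid names are the standard LDAP attribute OIDs (mail, givenName, sn, displayName).

```ruby
require 'rexml/document'

SAML_NS = 'urn:oasis:names:tc:SAML:2.0:assertion'

# Constructed sample, not a real IdP's output: the IdP was asked for
# "nickname" but instead sent the LDAP displayName OID. The SP mapping
# has to match the Name actually emitted, not the one requested in metadata.
SAMPLE_ATTRIBUTE_STATEMENT = <<~XML
  <saml:AttributeStatement xmlns:saml="#{SAML_NS}">
    <saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue>alice@example.org</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="first_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue>Alice</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:2.16.840.1.113730.3.1.241" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="displayName">
      <saml:AttributeValue>alice_w</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
XML

# Parse an AttributeStatement into { "Name" => ["value", ...] }.
# In a real SP this runs only after the Response/Assertion signature has been
# verified; attributes from an unsigned assertion are attacker-controlled.
def parse_attribute_statement(xml)
  doc = REXML::Document.new(xml)
  attrs = {}
  REXML::XPath.each(doc, '//saml:Attribute', 'saml' => SAML_NS) do |attr|
    name = attr.attributes['Name']
    attrs[name] ||= []
    REXML::XPath.each(attr, 'saml:AttributeValue', 'saml' => SAML_NS) do |v|
      attrs[name] << v.text.to_s.strip
    end
  end
  attrs
end

# Assumed mapping, in the shape of an attribute_statements option: each
# user_info key lists the attribute Names that may carry it, basic name first,
# then the OID form an IdP might use instead.
ATTRIBUTE_STATEMENTS = {
  email:      ['email', 'urn:oid:0.9.2342.19200300.100.1.3'],
  first_name: ['first_name', 'urn:oid:2.5.4.42'],
  last_name:  ['last_name', 'urn:oid:2.5.4.4'],
  nickname:   ['nickname', 'urn:oid:2.16.840.1.113730.3.1.241'],
}.freeze

# For each key, the first candidate Name present (and non-empty) in the
# assertion wins. Keys with no matching attribute are simply absent.
def map_attribute_statements(attrs, attribute_statements)
  info = {}
  attribute_statements.each do |key, candidate_names|
    found = candidate_names.find { |n| attrs.key?(n) && !attrs[n].empty? }
    info[key] = attrs[found].first if found
  end
  info
end

# The IdP chooses the nickname value, so treat it as untrusted before it
# becomes a local handle. The pattern is a deliberately conservative
# assumption for this example, not Mastodon's actual username rule.
NICKNAME_RE = /\A[a-z0-9_]{1,30}\z/i

def safe_nickname(value)
  return nil if value.nil?
  value.match?(NICKNAME_RE) ? value : nil
end

# Build the user_info hash the application would consume.
def user_info_from(xml)
  info = map_attribute_statements(parse_attribute_statement(xml), ATTRIBUTE_STATEMENTS)
  info[:nickname] = safe_nickname(info[:nickname])
  info
end

if __FILE__ == $0
  p user_info_from(SAMPLE_ATTRIBUTE_STATEMENT)
end
```

The request_attributes list only ends up as RequestedAttribute entries in the SP metadata; it is a request, and the IdP decides which attributes it releases and under which Name. So the value to put in ENV['SAML_ATTRIBUTES_STATEMENTS_NICKNAME'] is whatever Name the IdP actually sends for that attribute, which can be read off a captured assertion as above.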

@ThisIsMissEm
Author

Okay, cool! Thanks for the help! I don't know SAML in the slightest (nor have a system wherein I can test this)

I'll keep this in mind for next time I work on that part of the Mastodon code.
