Auto-assign roles to SAML users
This guide shows you how to configure your Omni instance, so that new users logging in with SAML authentication are automatically assigned to a role based on their SAML role attributes.
Create the file assign-operator-to-engineers-label.yaml
for the SAMLLabelRule
resource, with the following content:
metadata:
namespace: default
type: SAMLLabelRules.omni.sidero.dev
id: assign-operator-to-engineers-label
spec:
assignroleonregistration: Operator
matchlabels:
- saml.omni.sidero.dev/role/engineers
As an admin, create it on your Omni instance using omnictl
:
omnictl apply -f assign-operator-to-engineers-label.yaml
This will create a resource that assigns the Operator
role to any user that logs in with SAML
and has the SAML attribute Role
with the value engineers
.
Log in to Omni as a new SAML user with the SAML attribute with name Role
and value engineers
.
This will cause the user created on the Omni side to be labeled as saml.omni.sidero.dev/role/engineers
.
This label will match the SAMLLabelRule
resource we created above,
and the user will automatically be assigned the Operator
role.
Note
When there are multiple matches from differentSAMLLabelRule
resources,
the matched role with the highest access level will be assigned to the user.
Warning
This role assignment will only work for the new users logging in with SAML.
The SAML users who have already logged in to Omni at least once
will not be matched by the SAMLLabelRule
resource and their roles will not be updated.
Warning
If the logged in SAML user is the very first user logging in to an Omni instance, it will not be matched by theSAMLLabelRule
resource
and always be assigned the Admin
role.