Skip to content

Add granular RBAC SSO support#7733

Merged
hardillb merged 19 commits into
mainfrom
sso-granular-rbac
Jul 17, 2026
Merged

Add granular RBAC SSO support#7733
hardillb merged 19 commits into
mainfrom
sso-granular-rbac

Conversation

@hardillb

@hardillb hardillb commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

fixes #7396

Description

Includes both SMAL and LDAP

Also includes a fix for the direct SSO login buttons on login page

Related Issue(s)

#7396

Checklist

  • I have read the contribution guidelines
  • Suitable unit/system level tests have been added and they pass
  • Documentation has been updated
    • Upgrade instructions
    • Configuration details
    • Concepts
  • Changes flowforge.yml?
    • Issue/PR raised on FlowFuse/helm to update ConfigMap Template
    • Issue/PR raised on FlowFuse/CloudProject to update values for Staging/Production
  • Link to Changelog Entry PR, or note why one is not needed.

Labels

  • Includes a DB migration? -> add the area:migration label

fixes #7396

Includes both SMAL and LDAP

Also includes a fix for the direct SSO login buttons on login page
@hardillb
hardillb requested a review from knolleary July 6, 2026 12:06
@hardillb hardillb self-assigned this Jul 6, 2026
@codecov

codecov Bot commented Jul 6, 2026

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 80.28169% with 14 lines in your changes missing coverage. Please review.
✅ Project coverage is 75.61%. Comparing base (9209878) to head (e505719).
⚠️ Report is 1 commits behind head on main.

Files with missing lines Patch % Lines
forge/ee/lib/sso/index.js 79.10% 14 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #7733      +/-   ##
==========================================
+ Coverage   75.58%   75.61%   +0.03%     
==========================================
  Files         432      432              
  Lines       22978    23035      +57     
  Branches     6091     6107      +16     
==========================================
+ Hits        17367    17417      +50     
- Misses       5611     5618       +7     
Flag Coverage Δ
backend 75.61% <80.28%> (+0.03%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@knolleary knolleary left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've done a first pass and spotted a couple things.

It would be helpful to have some more inline comments (similar to the existing code) to help make the logic more explicit.

I need to spend some more time testing it to verify the behaviour.

Comment thread forge/db/models/Team.js
Comment thread forge/ee/lib/sso/index.js Outdated
@knolleary fixed things based on first pass comments
@knolleary

Copy link
Copy Markdown
Member

@hardillb I've pushed a small update

  • Put the work to do the granular rbac management inside a if so it only runs if there's something to be done.
  • Added a couple debug log statements about existing/desired g-rbac permissions

I think it's good to go. Can you give that last commit a once over before merging?

@hardillb

Copy link
Copy Markdown
Contributor Author

It failing one of the SSO SAML tests, will have a look at it in the morning

@hardillb

Copy link
Copy Markdown
Contributor Author

@knolleary The new if block causes a test failure.

Adding the if block means the test that removes an application override when the group is removed from the user doesn't fire if there are no other application overrides.

The new if block needs removing

Comment thread forge/ee/lib/sso/index.js Outdated
@knolleary
knolleary self-requested a review July 14, 2026 21:17
@hardillb

Copy link
Copy Markdown
Contributor Author

If a user has any Application Group assignments in a Team then they can only be Group managed, but other users are free to be manually configured. You can't mix the 2

Revert if statement
@knolleary

Copy link
Copy Markdown
Member

I'm seeing some incorrect behaviour in my local testing.

  1. SAML config is set to only apply to TeamA, with the 'allow to be a member of other teams' option checked
  2. I add user to TeamB via an invite. Then apply an application override for something in TeamB
  3. User logs in. Their membership and overrides of TeamA are correct. Their override in TeamB has been deleted. TeamB should not have been touched.

@hardillb

Copy link
Copy Markdown
Contributor Author

I can see how that would happen, will work out how to fix

@hardillb

Copy link
Copy Markdown
Contributor Author

@knolleary fix pushed

@hardillb

Copy link
Copy Markdown
Contributor Author

We will need to regenerate the types if this merges after #7825

@hardillb
hardillb enabled auto-merge (squash) July 17, 2026 13:18
@hardillb
hardillb merged commit 2eeedc9 into main Jul 17, 2026
32 checks passed
@hardillb
hardillb deleted the sso-granular-rbac branch July 17, 2026 13:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

SSO: enable SAML group management of granular RBAC

2 participants