3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-05-02 03:46:29 +02:00
Code Issues Projects Releases Packages Wiki Activity

docs: add allowed_idp_claims docs (#1665)

Browse source
This commit is contained in:
Travis Groth 2020-12-09 12:16:13 -05:00 committed by GitHub
parent 58adeb5a99
commit 82c7d1ee7a
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 74 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

35
docs/reference/readme.md
View file

@ -975,6 +975,41 @@ Allowed domains is a collection of whitelisted domains to authorize for a given
Allowed groups is a collection of whitelisted groups to authorize for a given route. Allowed groups is a collection of whitelisted groups to authorize for a given route.
### Allowed IdP Claims
- `yaml`/`json` setting: `allowed_idp_claims`
- Type: map of `strings` lists
- Required
Allowed IdP Claims is a collection of whitelisted claim key-value pairs to authorize for a given route.
This is useful if your identity provider has extra information about a user that is not in the directory. It can also be useful if you wish to use groups with the generic OIDC provider.
Example:
```yaml
- from: http://from.example.com
to: http://to.example.com
allowed_idp_claims:
family_name:
- Doe
- Smith
```
This policy would match users with the `family_name` claim containing `Smith` or `Doe`.
Claims are represented as a map of strings to a list of values:
```json
{
"family_name": ["Doe"],
"given_name": ["John"]
}
```
- Nested maps are flattened: `{ "a": { "b": ["c"] } }` becomes `{ "a.b": ["c"] }`
- Values are always a list: `{ "a": "b" }` becomes `{ "a": ["b"] }`
### Allowed Users ### Allowed Users
- `yaml`/`json` setting: `allowed_users` - `yaml`/`json` setting: `allowed_users`
- Type: list of `string` - Type: list of `string`

38
docs/reference/settings.yaml
View file

@ -1087,6 +1087,44 @@ settings:
- Example: `admins` , `support@company.com` - Example: `admins` , `support@company.com`
doc: | doc: |
Allowed groups is a collection of whitelisted groups to authorize for a given route. Allowed groups is a collection of whitelisted groups to authorize for a given route.
- name: "Allowed IdP Claims"
keys: ["allowed_idp_claims"]
attributes: |
- `yaml`/`json` setting: `allowed_idp_claims`
- Type: map of `strings` lists
- Required
shortdoc: |
Authorize users by matching claims attached to a user's identity token by their identity provider
doc: |
Allowed IdP Claims is a collection of whitelisted claim key-value pairs to authorize for a given route.
This is useful if your identity provider has extra information about a user that is not in the directory. It can also be useful if you wish to use groups with the generic OIDC provider.
Example:
```yaml
- from: http://from.example.com
to: http://to.example.com
allowed_idp_claims:
family_name:
- Doe
- Smith
```
This policy would match users with the `family_name` claim containing `Smith` or `Doe`.
Claims are represented as a map of strings to a list of values:
```json
{
"family_name": ["Doe"],
"given_name": ["John"]
}
```
- Nested maps are flattened: `{ "a": { "b": ["c"] } }` becomes `{ "a.b": ["c"] }`
- Values are always a list: `{ "a": "b" }` becomes `{ "a": ["b"] }`
- name: "Allowed Users" - name: "Allowed Users"
keys: ["allowed_users"] keys: ["allowed_users"]
attributes: | attributes: |