SAML

FOSSA allows certain user permissions to be configured through attribute statements in the SAML assertion.

Attributes

The two supported attributes are:

• role
  • This sets the user's Organization Role.
  • The acceptable values are admin, editor, and viewer. This map to the three default organization roles.
  • The value is not case sensitive.
• teams
  • Providing this attribute will synchronize the user's team membership. The user will be added to all of the teams specified, creating those teams if they do not exist, and removed from any teams they are currently a member of if those teams are not specified.
  • The user's Team Role can also be specified for each team using the format <Team Name>::<Role Name>.
  • Any value will be accepted here.
  • This attribute can be specified multiple times to add the user to multiple teams.
  • Team names are case sensitive. Role names are not case sensitive.

Example

📘

You can pass a team name and team role

Your SAML provider can use conditional logic to give different access levels to different teams in the format TeamName::TeamRole

<saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

    <saml:Attribute Name="role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xsi:type="xs:string">
            Admin
        </saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="teams" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xsi:type="xs:string">
            Team A::Team Admin
        </saml:AttributeValue>
        <saml:AttributeValue xsi:type="xs:string">
            Team B
        </saml:AttributeValue>
    </saml:Attribute>
</saml:AttributeStatement>