From 9b061012ad1baca4a0efb46e728c2654f471eeda Mon Sep 17 00:00:00 2001 From: Khabarov Konstantin Olegovich Date: Thu, 6 Feb 2025 16:26:24 +0300 Subject: [PATCH 1/5] added sso groups mapping --- configurations.md | 3 +++ sso.md | 4 +++- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/configurations.md b/configurations.md index dccee17..be93dfb 100644 --- a/configurations.md +++ b/configurations.md @@ -90,6 +90,9 @@ PostgreSQL is configured only if the required environment variables are set; oth - **`MOBSF_IDP_IS_ADFS`**: Set ADFS as IdP when set to `1`. - **`MOBSF_SP_HOST`**: Hostname for SAML Service Provider (SP). - **`MOBSF_SP_ALLOW_PASSWORD`**: Enables password-based login for SAML SP when set to `1`. +- **`MOBSF_IDP_MAINTAINER_GROUP`**: Enables SSO group mapping for MOBSF Maintainer group when set to `group_name_1,group_name2,..`, default to `Maintainer` +- **`MOBSF_IDP_VIEWER_GROUP`**: Enables SSO group mapping for MOBSF Viwer group when set to `group_name_1,group_name2,..`, default to `Viewer` +- **`MOBSF_IDP_DEFAULT_GROUP`**: Enables SSO authenticated users without any groups in SAML assertion to be logged in with default role when set to `Maintainer` or `Viewer`. ## Custom binaries for Android SAST - **`MOBSF_BUNDLE_TOOL`**: Path to the BundleTool binary. diff --git a/sso.md b/sso.md index 1307efd..286dd65 100644 --- a/sso.md +++ b/sso.md 
@@ -57,7 +57,9 @@ To enable Okta SSO in MobSF, you need the Metadata URL from Okta. 8. In the next **Feedback** screen, tick the `This is an internal app that we have created` option and click **Finish** to create the MobSF Okta integration. -9. You must create at least two Okta groups for the MobSF roles `Maintainer` and `Viewer`. The group name should contain the string `maintainer` in it to be associated with the `Maintainer` role, and any other group name will be assigned to the Read-Only `Viewer` role. You can add corresponding users to each group. +9. You must create at least two Okta groups for the MobSF roles `Maintainer` and `Viewer`. The group name should contain the string `maintainer` in it to be associated with the `Maintainer` role, and `viewer` to be associated with the `Viewer` role. +Yoy can use SSO groups mapping whith environment variables `MOBSF_IDP_MAINTAINER_GROUP` and `MOBSF_IDP_VIEWER_GROUP` to map your custom Okta groups to MobSF `Maintainer` and `Viewer` roles +If you want to authorize SSO logged-in users without any SSO groups you can use environment variable `MOBSF_IDP_DEFAULT_GROUP=Viewer` or `MOBSF_IDP_DEFAULT_GROUP=Maintainer` to authorize as `Viewer` or `Maintainer` 10. Go to the **Assignment** tab of the MobSF app and assign the groups corresponding to `Maintainer` and `Viewer` roles. From ce2b059e68f393d3b259e19d41ec371b9b582137 Mon Sep 17 00:00:00 2001 From: Khabarov Konstantin Olegovich Date: Thu, 6 Feb 2025 16:46:53 +0300 Subject: [PATCH 2/5] cleaned up the typo --- sso.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sso.md b/sso.md index 286dd65..9486e16 100644 --- a/sso.md +++ b/sso.md 
@@ -58,8 +58,8 @@ To enable Okta SSO in MobSF, you need the Metadata URL from Okta. 8. In the next **Feedback** screen, tick the `This is an internal app that we have created` option and click **Finish** to create the MobSF Okta integration. 9. You must create at least two Okta groups for the MobSF roles `Maintainer` and `Viewer`. The group name should contain the string `maintainer` in it to be associated with the `Maintainer` role, and `viewer` to be associated with the `Viewer` role. -Yoy can use SSO groups mapping whith environment variables `MOBSF_IDP_MAINTAINER_GROUP` and `MOBSF_IDP_VIEWER_GROUP` to map your custom Okta groups to MobSF `Maintainer` and `Viewer` roles -If you want to authorize SSO logged-in users without any SSO groups you can use environment variable `MOBSF_IDP_DEFAULT_GROUP=Viewer` or `MOBSF_IDP_DEFAULT_GROUP=Maintainer` to authorize as `Viewer` or `Maintainer` + +Yoy can use SSO groups mapping whith environment variables `MOBSF_IDP_MAINTAINER_GROUP` and `MOBSF_IDP_VIEWER_GROUP` to map your custom Okta groups to MobSF `Maintainer` and `Viewer` roles. If you want to authorize SSO logged-in users without any SSO groups you can use environment variable `MOBSF_IDP_DEFAULT_GROUP=Viewer` or `MOBSF_IDP_DEFAULT_GROUP=Maintainer` to authorize as `Viewer` or `Maintainer` 10. Go to the **Assignment** tab of the MobSF app and assign the groups corresponding to `Maintainer` and `Viewer` roles. From 746d8ac33f2eaabfec813e552d11fe6742c8b71a Mon Sep 17 00:00:00 2001 From: Khabarov Konstantin Olegovich Date: Thu, 6 Feb 2025 16:47:58 +0300 Subject: [PATCH 3/5] cleaned up the typo --- sso.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/sso.md b/sso.md index 9486e16..9e01a59 100644 --- a/sso.md +++ b/sso.md 
@@ -57,9 +57,7 @@ To enable Okta SSO in MobSF, you need the Metadata URL from Okta. 8. In the next **Feedback** screen, tick the `This is an internal app that we have created` option and click **Finish** to create the MobSF Okta integration. -9. You must create at least two Okta groups for the MobSF roles `Maintainer` and `Viewer`. The group name should contain the string `maintainer` in it to be associated with the `Maintainer` role, and `viewer` to be associated with the `Viewer` role. - -Yoy can use SSO groups mapping whith environment variables `MOBSF_IDP_MAINTAINER_GROUP` and `MOBSF_IDP_VIEWER_GROUP` to map your custom Okta groups to MobSF `Maintainer` and `Viewer` roles. If you want to authorize SSO logged-in users without any SSO groups you can use environment variable `MOBSF_IDP_DEFAULT_GROUP=Viewer` or `MOBSF_IDP_DEFAULT_GROUP=Maintainer` to authorize as `Viewer` or `Maintainer` +9. You must create at least two Okta groups for the MobSF roles `Maintainer` and `Viewer`. The group name should contain the string `maintainer` in it to be associated with the `Maintainer` role, and `viewer` to be associated with the `Viewer` role. Yoy can use SSO groups mapping whith environment variables `MOBSF_IDP_MAINTAINER_GROUP` and `MOBSF_IDP_VIEWER_GROUP` to map your custom Okta groups to MobSF `Maintainer` and `Viewer` roles. If you want to authorize SSO logged-in users without any SSO groups you can use environment variable `MOBSF_IDP_DEFAULT_GROUP=Viewer` or `MOBSF_IDP_DEFAULT_GROUP=Maintainer` to authorize as `Viewer` or `Maintainer` 10. Go to the **Assignment** tab of the MobSF app and assign the groups corresponding to `Maintainer` and `Viewer` roles. From 583c57fb02b059232800161ef42962497b1aa00d Mon Sep 17 00:00:00 2001 From: Khabarov Konstantin Olegovich Date: Thu, 6 Feb 2025 16:50:12 +0300 Subject: [PATCH 4/5] some fixes --- configurations.md | 6 +++--- sso.md | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) 
diff --git a/configurations.md b/configurations.md index be93dfb..82108a8 100644 --- a/configurations.md +++ b/configurations.md @@ -90,9 +90,9 @@ PostgreSQL is configured only if the required environment variables are set; oth - **`MOBSF_IDP_IS_ADFS`**: Set ADFS as IdP when set to `1`. - **`MOBSF_SP_HOST`**: Hostname for SAML Service Provider (SP). - **`MOBSF_SP_ALLOW_PASSWORD`**: Enables password-based login for SAML SP when set to `1`. -- **`MOBSF_IDP_MAINTAINER_GROUP`**: Enables SSO group mapping for MOBSF Maintainer group when set to `group_name_1,group_name2,..`, default to `Maintainer` -- **`MOBSF_IDP_VIEWER_GROUP`**: Enables SSO group mapping for MOBSF Viwer group when set to `group_name_1,group_name2,..`, default to `Viewer` -- **`MOBSF_IDP_DEFAULT_GROUP`**: Enables SSO authenticated users without any groups in SAML assertion to be logged in with default role when set to `Maintainer` or `Viewer`. +- **`MOBSF_IDP_MAINTAINER_GROUP`**: Enables SSO group mapping for MobSF Maintainer role when set to `group_name_1,group_name2,..`, default to `Maintainer` +- **`MOBSF_IDP_VIEWER_GROUP`**: Enables SSO group mapping for MobSF Viwer role when set to `group_name_1,group_name2,..`, default to `Viewer` +- **`MOBSF_IDP_DEFAULT_GROUP`**: Enables SSO authenticated users without any suitable groups in SAML assertion to be logged in with default role when set to `Maintainer` or `Viewer`. ## Custom binaries for Android SAST - **`MOBSF_BUNDLE_TOOL`**: Path to the BundleTool binary. diff --git a/sso.md b/sso.md index 9e01a59..8a81b83 100644 --- a/sso.md +++ b/sso.md 
@@ -57,7 +57,7 @@ To enable Okta SSO in MobSF, you need the Metadata URL from Okta. 8. In the next **Feedback** screen, tick the `This is an internal app that we have created` option and click **Finish** to create the MobSF Okta integration. -9. You must create at least two Okta groups for the MobSF roles `Maintainer` and `Viewer`. The group name should contain the string `maintainer` in it to be associated with the `Maintainer` role, and `viewer` to be associated with the `Viewer` role. Yoy can use SSO groups mapping whith environment variables `MOBSF_IDP_MAINTAINER_GROUP` and `MOBSF_IDP_VIEWER_GROUP` to map your custom Okta groups to MobSF `Maintainer` and `Viewer` roles. If you want to authorize SSO logged-in users without any SSO groups you can use environment variable `MOBSF_IDP_DEFAULT_GROUP=Viewer` or `MOBSF_IDP_DEFAULT_GROUP=Maintainer` to authorize as `Viewer` or `Maintainer` +9. You must create at least two Okta groups for the MobSF roles `Maintainer` and `Viewer`. The group name should contain the string `maintainer` in it to be associated with the `Maintainer` role, and `viewer` to be associated with the `Viewer` role. Yoy can use SSO groups mapping whith environment variables `MOBSF_IDP_MAINTAINER_GROUP` and `MOBSF_IDP_VIEWER_GROUP` to map your custom Okta groups to MobSF `Maintainer` and `Viewer` roles. If you want to authorize SSO logged-in users without any suitable SSO groups you can use environment variable `MOBSF_IDP_DEFAULT_GROUP=Viewer` or `MOBSF_IDP_DEFAULT_GROUP=Maintainer` to authorize as `Viewer` or `Maintainer` 10. Go to the **Assignment** tab of the MobSF app and assign the groups corresponding to `Maintainer` and `Viewer` roles. From 7edcad337ee8a1fb511cdc3229749148a179b13c Mon Sep 17 00:00:00 2001 From: Khabarov Konstantin Olegovich Date: Thu, 6 Feb 2025 16:51:42 +0300 Subject: [PATCH 5/5] some fixes --- sso.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sso.md b/sso.md index 8a81b83..f4f143b 100644 --- a/sso.md 
+++ b/sso.md @@ -57,7 +57,7 @@ To enable Okta SSO in MobSF, you need the Metadata URL from Okta. 8. In the next **Feedback** screen, tick the `This is an internal app that we have created` option and click **Finish** to create the MobSF Okta integration. -9. You must create at least two Okta groups for the MobSF roles `Maintainer` and `Viewer`. The group name should contain the string `maintainer` in it to be associated with the `Maintainer` role, and `viewer` to be associated with the `Viewer` role. Yoy can use SSO groups mapping whith environment variables `MOBSF_IDP_MAINTAINER_GROUP` and `MOBSF_IDP_VIEWER_GROUP` to map your custom Okta groups to MobSF `Maintainer` and `Viewer` roles. If you want to authorize SSO logged-in users without any suitable SSO groups you can use environment variable `MOBSF_IDP_DEFAULT_GROUP=Viewer` or `MOBSF_IDP_DEFAULT_GROUP=Maintainer` to authorize as `Viewer` or `Maintainer` +9. You must create at least two Okta groups for the MobSF roles `Maintainer` and `Viewer`. The group name should contain the string `maintainer` in it to be associated with the `Maintainer` role, and `viewer` to be associated with the `Viewer` role. Yoy can use SSO groups mapping whith environment variables `MOBSF_IDP_MAINTAINER_GROUP` and `MOBSF_IDP_VIEWER_GROUP` to map your custom Okta groups to MobSF `Maintainer` and `Viewer` roles. If you want to authorize SSO logged-in users without any suitable SSO groups you can use environment variable `MOBSF_IDP_DEFAULT_GROUP=Viewer` or `MOBSF_IDP_DEFAULT_GROUP=Maintainer` to authorize as `Viewer` or `Maintainer`. 10. Go to the **Assignment** tab of the MobSF app and assign the groups corresponding to `Maintainer` and `Viewer` roles.
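Review bot: in the configurations.md hunk of PATCH 1/5, the `MOBSF_IDP_DEFAULT_GROUP` entry does not say what happens when the variable is unset, and it presents `Maintainer` and `Viewer` as interchangeable choices. Please state the unset behaviour explicitly, i.e. whether a user with no matching group is refused login. Also note that `Maintainer` hands the role that is not read-only (the old step 9 text calls `Viewer` Read-Only) to every account the IdP authenticates without a mapped group, so `Viewer` is the safer value to recommend.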
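Review bot: in the sso.md hunk of PATCH 1/5, step 9 removes "any other group name will be assigned to the Read-Only `Viewer` role" and replaces it with a requirement that the name contain `viewer`, but never says what now happens to a user whose groups match neither string. Deployments that relied on the old fallback will see different behaviour, so step 9 should say so and point to `MOBSF_IDP_DEFAULT_GROUP` as the setting that controls the fallback.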
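Review bot: in the configurations.md hunk of PATCH 4/5, the `MOBSF_IDP_VIEWER_GROUP` line still reads "Viwer" after the rewording; it should be "Viewer". The example value `group_name_1,group_name2,..` mixes two naming styles. Neither entry says whether the listed names are matched exactly or as substrings, or whether case matters, while sso.md step 9 speaks of names containing lowercase `maintainer` and the default here is `Maintainer`. Please document the matching rule next to the variables and write "defaults to".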
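Review bot: in the sso.md hunk of PATCH 5/5, the final `+` line for step 9 still contains "Yoy" and "whith", even though PATCH 2/5 and 3/5 are both titled "cleaned up the typo"; they should read "You" and "with". Since 2/5 through 5/5 only adjust the wording and layout of the text added in 1/5, consider squashing the series into one commit whose subject names the feature.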