[{"data":1,"prerenderedAt":142},["ShallowReactive",2],{"changelog-entry-\u002Fchangelog\u002F2024\u002F08\u002Fldap-sso-groups":3},{"id":4,"title":5,"body":6,"description":129,"extension":130,"meta":131,"navigation":137,"path":138,"seo":139,"stem":140,"__hash__":141},"changelog\u002Fchangelog\u002F2024\u002F08\u002Fldap-sso-groups.md","LDAP Single Sign On Updates",{"type":7,"value":8,"toc":120},"minimark",[9,13,18,26,33,51,56,62,65,89,96,105,109,112,117],[10,11,12],"p",{},"In the v2.8.0 release we have updated the LDAP SSO feature to allow group\nmembership to be managed by LDAP groups.",[14,15,17],"h2",{"id":16},"configuring","Configuring",[10,19,20,21,25],{},"Building on the SAML based SSO configuration there is now a ",[22,23,24],"code",{},"Manage roles using group assertions"," check box on the LDAP SSO configuration page. This allows a base LDAP DN for groups to be set. This will be used to look up which groups a user is a member of when they log in to the platform.",[10,27,28],{},[29,30],"img",{"alt":31,"src":32},"screen shot showing new LDAP group management settings","\u002Fchangelog-media\u002F2024\u002F08\u002Fimages\u002Fldap-group.png",[10,34,35,36,39,40,43,44,39,47,50],{},"Groups can be ",[22,37,38],{},"groupOfNames"," or ",[22,41,42],{},"groupOfUniqueNames"," and membership will be checked against ",[22,45,46],{},"memberOf",[22,48,49],{},"uniqueMemberOf"," fields respectively.",[52,53,55],"h3",{"id":54},"group-naming","Group Naming",[10,57,58,59],{},"Group names must follow this pattern ",[22,60,61],{},"ff-\u003Cteam slug>-role",[10,63,64],{},"The valid roles for a user in a team are:",[66,67,68,74,79,84],"ul",{},[69,70,71],"li",{},[22,72,73],{},"owner",[69,75,76],{},[22,77,78],{},"member",[69,80,81],{},[22,82,83],{},"viewer",[69,85,86],{},[22,87,88],{},"dashboard",[10,90,91,95],{},[92,93,94],"em",{},"Note",": this uses the team slug property to identify the team. 
This has been chosen to simplify managing\nthe groups in the LDAP Provider - rather than using the team's id. However, a team's slug can be changed\nby a team owner. Doing so will break the link between the group and the team membership - so should only\nbe done with care.",[10,97,98,99,104],{},"More details can be found in the ",[100,101,103],"a",{"href":102},"\u002Fdocs\u002Fadmin\u002Fsso\u002Fldap\u002F","SSO LDAP documentation",".",[14,106,108],{"id":107},"managing-flowfuse-admins","Managing FlowFuse Admins",[10,110,111],{},"In the previous release we added support for managing FlowFuse Admin users by group membership to SAML SSO; this is now available to LDAP as well.",[10,113,114,116],{},[92,115,94],{},": It is advised to maintain a backup admin user that does not\nauthenticate via SSO to ensure access can be maintained if the SSO\nprovider is unavailable. Also, the system will not remove the admin flag\nfrom a user if that would leave the platform with no admins, even if they\nare removed from the group.",[10,118,119],{},"This feature is only available to FlowFuse self-hosted customers.",{"title":121,"searchDepth":122,"depth":122,"links":123},"",2,[124,128],{"id":16,"depth":122,"text":17,"children":125},[126],{"id":54,"depth":127,"text":55},3,{"id":107,"depth":122,"text":108},"Team membership controlled by LDAP groups","md",{"date":132,"authors":133,"tags":135},"2024-08-28 13:00:00.0",[134],"ben-hardill",[136],"sso",true,"\u002Fchangelog\u002F2024\u002F08\u002Fldap-sso-groups",{"title":5,"description":129},"changelog\u002F2024\u002F08\u002Fldap-sso-groups","HHnzFUmKeWjafW6dJomWNfg_Ebw0Ov9-YE1psGld5uo",1780132422874]