comments

fopina · fopina · commit 750e34c4fef1 · 2025-10-05T22:21:29.000+01:00
diff --git a/dojo/backends.py b/dojo/backends.py
@@ -17,8 +17,10 @@ class Saml2Backend(_Saml2Backend):
 
     @cached_property
     def group_re(self):
-        if settings.SAML2_ENABLED and settings.SAML2_GROUPS_ATTRIBUTE and settings.SAML2_GROUPS_FILTER:
-            return re.compile(settings.SAML2_GROUPS_FILTER)
+        if settings.SAML2_ENABLED and settings.SAML2_GROUPS_ATTRIBUTE:
+            if settings.SAML2_GROUPS_FILTER:
+                return re.compile(settings.SAML2_GROUPS_FILTER)
+            return re.compile(r".*")
         return None
 
     def _update_user(
@@ -33,13 +35,16 @@ def _update_user(
         Ideally we would only override "public" methods: in this case, get_or_create_user() would be the one but it doesn't save the NEW user
         We could override that AND save_user() (each to handle new or existing users) but the latter does not receive the attributes which include the groups...
 
-        This does NOT create the groups if they do not exist. They have to be created in the UI
-        This is not a big issue and it works around an existing bug with dojo/group/utils.py::group_post_save_handler (user does not yet exist and he is forcefully added to the new group - boom)
+        Similar to AzureAD, this creates the matching SAML groups if they do not already exist.
         """
         user = super()._update_user(user, attributes, attribute_mapping, force_save=force_save)
         if self.group_re is None:
             return user
 
+        self._process_user_groups(user, attributes)
+        return user
+
+    def _process_user_groups(self, user, attributes):
         # list of all existing "SAML2-mapped" groups - regexp excluded so the ones no longer matching regexp are removed
         all_saml_groups = {group.name: group for group in Dojo_Group.objects.filter(social_provider=Dojo_Group.SAML)}
 
diff --git a/dojo/settings/settings.dist.py b/dojo/settings/settings.dist.py
@@ -196,11 +196,11 @@
         "Lastname": "last_name",
     }),
     DD_SAML2_ALLOW_UNKNOWN_ATTRIBUTE=(bool, False),
+    # SAML2 attribute with groups to match in Dojo. If value is not set, no group processing is done.
+    DD_SAML2_GROUPS_ATTRIBUTE=(str, ""),
     # similar to DD_SOCIAL_AUTH_AZUREAD_TENANT_OAUTH2_GROUPS_FILTER, regular expression for which SAML2 groups to map to Dojo groups (with same name)
-    # Groups need to already exist in Dojo. And if value is not set, no group processing is done
+    # Groups will be created if needed. If value is not set, any group will match.
     DD_SAML2_GROUPS_FILTER=(str, ""),
-    # SAML2 attribute with groups to match in Dojo. And if value is not set, no group processing is done
-    DD_SAML2_GROUPS_ATTRIBUTE=(str, ""),
     # Authentication via HTTP Proxy which put username to HTTP Header REMOTE_USER
     DD_AUTH_REMOTEUSER_ENABLED=(bool, False),
     # Names of headers which will be used for processing user data.
