diff --git a/README.md b/README.md index 50efd44c240323c628b829542d85c82e19c0c3c6..518d26e724f8f4c9f508d8d1f11d9c57b5e70c6f 100644 --- a/README.md +++ b/README.md @@ -73,10 +73,12 @@ If you have `nginx` serving pages to users, you might need to configure `x-frame #### Groups and Permissions -To receive groups over SSO you need a group mapping (and of course a properly configured IdP). You can manage group mapping with `group_mapping` management command. Example: +To receive groups over SSO you need a group mapping (and of course a properly configured IdP). You can manage group mapping with `group_mapping` management command: group_mapping add myproject_superusers "CN=MyProjectSuperusers,OU=Foo,OU=Bar,DC=fh-h,DC=de" +To generate a working mapping for `hshinfo` groups, use `ssoauth_group_mapping` management command in `syncds` (you can find one on the `sync` server). + *Groups are not mapped automatically. The reason is that automatic mapping can pose security risks. Imagine auto-mapping that expects group with name "Superusers"; an intruder could create new group with this name under any path they own and/or create an alias/reference and receive superuser permissions in your project.*
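Review bot: The added sentence about `ssoauth_group_mapping` does not say what the command produces or how its result relates to `group_mapping add`, and "you can find one on the `sync` server" leaves it unclear whether "one" means a `syncds` installation or the command itself. Suggest naming what is on the `sync` server, showing an invocation the way the `group_mapping add` line does, and adding the missing article ("use the `ssoauth_group_mapping` management command"). Because the unchanged paragraph directly below explains that groups are deliberately not mapped automatically, since matching on a bare group name is a security risk, the README should also say that a generated mapping has to be reviewed before it is applied and that its entries should pin full DNs as in the `group_mapping add` example.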