-[SSO](https://lmddgtfy.net/?q=SSO): Single Sign On
- SLO: Single Log Out
...
...
@@ -80,15 +79,12 @@ If you have `nginx` serving pages to users, you might need to configure `x-frame
#### Groups and Permissions
Users receive groups using SSO. For this to work, you need:
- some groups in your django project (see `django.contrib.auth` groups)
- groups with exactly the same names provided by the IDP
- create a group in the IDM
- make sure IDM provides it to the IDP
- make sure IDP provides it to your SP
- you might want to predefine some groups in the project settings (see `ssoauth` default config for details)
- these groups will be created automatically (when migrating) and will receive the specified permissions
- e.g. you probably want a superuser group, see the example below
With `ssoauth` the only way to assign permissions is with groups:
- when user logs in, `ssoauth` receives group names from the IDP
- if your project has `django.contrib.admin``Groups` with exactly the same names, as received from the IDP, these groups are assigned to the user (`django.contrib.auth``User` is automatically created)
- all other groups and permissions are automatically removed from the user (so it's not possible to "patch" what IDP says with some extra rules in the project)
You can predefine some groups in project settings (see `ssoauth` default config for details). These predefined groups will be created automatically (when migrating). For example, a superuser group:
