diff --git a/docs/installation/saml_sso.md b/docs/installation/saml_sso.md index 56a9a8e7..099b082e 100644 --- a/docs/installation/saml_sso.md +++ b/docs/installation/saml_sso.md 
@@ -87,4 +87,17 @@ In the scope configuration page, click on `Add mappers` and `From predefined map * `X500 givenName` * `X500 surname` -and click `Add`. Now Part-DB will be provided with the email, first name and last name of the user based on the Keycloak user database. \ No newline at end of file +and click `Add`. Now Part-DB will be provided with the email, first name and last name of the user based on the Keycloak user database. + +### Configure user permissions + + +### Use SAML Login for existing users +Part-DB distinguishes between local users and SAML users. Local users are users, which can login via Part-DB login form and which use the password (hash) saved in the Part-DB database. SAML users are stored in the database too (they are created on the first login of the user via SAML), but they use the SAML identity provider to authenticate the user and have no password stored in the database. When you try you will get an error message. + +For security reasons it is not possible to authenticate via SAML as a local user (and vice versa). So if you have existing users in your Part-DB database and want them to be able to login via SAML in the future, you can use the `php bin/console partdb:user:convert-to-saml-user username` command to convert them to SAML users. This will remove the password hash from the database and mark them as SAML users, so they can login via SAML in the future. + +The reverse is also possible: If you have existing SAML users and want them to be able to login via the Part-DB login form, you can use the `php bin/console partdb:user:convert-to-saml-user --to-local username` command to convert them to local users. You have to set an password for the user afterwards. + +{: .important } +> It is recommended that you let the original admin user (ID: 2) be a local user, so you can still login to Part-DB if the SAML identity provider is not available. \ No newline at end of file 
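Review bot: the new `### Configure user permissions` heading is empty, so the rendered page shows a section title with no body; either fill it in (which permissions a freshly created SAML user receives and where to change them) or drop the heading until that text exists. In the same hunk, the sentence "When you try you will get an error message." has no subject; it should state what is attempted, e.g. "If you try to log in as a SAML user via the Part-DB login form (or as a local user via SAML), you will get an error message." so that it lines up with the next paragraph, which says cross-authentication is refused "for security reasons". The reverse-conversion paragraph also needs a word on the state of the account between `--to-local` and setting a password: "You have to set an password for the user afterwards" (also: "a password") should say whether the account can log in at all before that, since a local account with no password hash is exactly the case the previous paragraph calls out as an error.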
diff --git a/docs/usage/console_commands.md b/docs/usage/console_commands.md index ccc9a64d..f762f614 100644 --- a/docs/usage/console_commands.md +++ b/docs/usage/console_commands.md @@ -19,6 +19,7 @@ You can get help for every command with the parameter `--help`. See `php bin/con * `php bin/console partdb:users:permissions`: View/Change the permissions of the user with the given username * `php bin/console partdb:users:upgrade-permissions-schema`: Upgrade the permissions schema of users to the latest version (this is normally automatically done when the user visits a page) * `php bin/console partdb:logs:show`: Show the most recent entries of the Part-DB event log / recent activity +* `php bin/console partdb:user:convert-to-saml-user`: Convert a local user to a SAML/SSO user. This is needed, if you want to use SAML/SSO authentication for a user, which was created before you enabled SAML/SSO authentication. ## Currency commands * `php bin/console partdb:currencies:update-exchange-rates`: Update the exchange rates of all currencies from the internet)
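Review bot: the new entry uses the prefix `partdb:user:` while every other user command in this list uses `partdb:users:` (`partdb:users:permissions`, `partdb:users:upgrade-permissions-schema`); if the command really is registered under the singular name, the inconsistency will trip people up and should be made consistent in the code or at least called out here. The description also covers only the local-to-SAML direction, but `docs/installation/saml_sso.md` in the same patch documents a `--to-local` option for the reverse; mention it here too (e.g. "... or, with `--to-local`, convert a SAML user back to a local user") so the command list matches the SAML page.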