FlowFuse currently supports managing user roles at the team level via SSO groups.
We have since enabled granular RBAC within the platform, where a user can be assigned a different role per application in the team.
This feature request is to extend our SAML group support to enable management of the granular RBAC roles.
Current Support
If an SSO configuration has group management enabled then, when a user logs in via that configuration, the platform checks their groups for those that match the pattern (with an optional prefix/suffix that I won't mention again):

ff-<team>-<role>

- The <team> matches the team slug
- The <role> matches the user role for that team
Proposed Support
We need to extend this group support to express a role for an individual application.

- ff-<team>-<role> - sets the user role in the team
- ff-<team>[<application>]-<role> - sets the user role in a single application of the team
  - <application> - either the application name, or the application id
  - example: ff-development[building control]-members
  - Applies the member role to the user in the building control application of team development.
Notes:
- Setting an application scoped role can only happen if a team role has been set
- Application names can contain [ and ], so defensive parsing is needed
- Application names can be changed (as can team slugs) - that will break the link
- Application IDs are immutable, but not known ahead of time, so harder to use in an automation - but we can support both
- As with the team role, these are only applied at login. Changes made to the IdP are only reflected if the user logs out and back in.