Description
Version of Pentaho: 9.1.0.0
Platform: Linux (CentOS)
Hello,
In my team we're trying to configure the Pentaho SAML plugin to use SAML both for authentication and authorization. We've already been using the SAML authentication feature for a long time, in hybrid mode with authorization provided by LDAP. But now we're trying to configure the plugin to use SAML also for authorization.
For lack of documentation for this type of setup, we have been looking into the configuration file pentaho.saml.cfg - deployed in the context of the SAML plugin under pentaho-server/pentaho-solutions/system/karaf/etc/pentaho.saml.cfg. We assume that this should be the single point to configure SAML. Here are the fields that we configure:
- `authorization.provider=saml` - This is the field we would set to `ldap` in the past.
- `saml.role.related.user.attribute.name=***`
Using these, it seems that the plugin should be prepared to handle our use case. Following this approach, we can successfully log in to the User Console with Administrator rights (we can see the Administration panel). But if we access the list of roles and privileges in the administration panel, the list of "Managed roles" is empty (as for the "System roles", we can see Authenticated and Anonymous), and we cannot add any role manually through that interface. Specifically, not even the "Administrator" default role is showing. We need a way to define a list of roles and assign them appropriate privileges.
This issue is already described in the pentaho-engineering-samples repository: pentaho/pentaho-engineering-samples#106 . The author of that issue suspects that the issue might be related to the hardcoded values in the UserRolesAdminPanelController.java file, which seem to disable the roles list visibility if the security provider in use is anything other than super or jackrabbit:
Line 474 in cc19879:

```java
private void processLDAPOrJDBCmode() {
  final String url = GWT.getHostPageBaseURL() + "api/system/authentication-provider";
  RequestBuilder executableTypesRequestBuilder = new RequestBuilder( RequestBuilder.GET, url );
  executableTypesRequestBuilder.setHeader( "If-Modified-Since", "01 Jan 1970 00:00:00 GMT" );
  executableTypesRequestBuilder.setHeader( "accept", "application/json" );
  try {
    executableTypesRequestBuilder.sendRequest( null, new RequestCallback() {
      public void onError( Request request, Throwable exception ) {
      }

      public void onResponseReceived( Request request, Response response ) {
        String resText = response.getText();
        // Role management UI is only enabled when the provider name matches one of these two literals
        usingPentahoSecurity = resText.contains( "\"jackrabbit\"" ) || resText.contains( "\"super\"" );
        userRolePermissions( usingPentahoSecurity );
      }
    } );
  } catch ( RequestException e ) {
    userRolePermissions( false );
  }
}
```
Could the issue actually be related to the mentioned hardcoded values? Are there any plans to fix this to support the SAML plugin's authorization capability?
Thank you in advance!