The SAML attribute for user.email cannot be configured

Please fill in the questionnaire below.

Technical Help Questionnaire

Have you read and followed the instructions at: /read-me-first-technical-help-faqs/17/2 ?

Answer: Yes

Self-Hosted Installation and Setup Questions

Delete this section if you are using Baserow.io.

How have you self-hosted Baserow.

Docker-based, on a Ubuntu VM.

What are the specs of the service or server you are using to host Baserow.

Memory on the VM:

               total        used        free      shared  buff/cache   available
Mem:            15Gi       2.2Gi       8.7Gi       133Mi       4.7Gi        12Gi
Swap:          979Mi          0B       979Mi

Which version of Baserow are you using.

1.26.1

How have you configured your self-hosted installation?

#!/bin/sh
docker run \
  -d \
  --name baserow \
  -e BASEROW_PUBLIC_URL="xxx" \
  -e BASEROW_CADDY_ADDRESSES="xxx" \
  -e EMAIL_SMTP=true \
  -e EMAIL_SMTP_HOST="xxx" \
  -e EMAIL_SMTP_PORT="xxxx" \
  -e FROM_EMAIL="noreply@eduxs.eu" \
  -v baserow_data:/baserow/data \
  -v "$PWD/Caddyfile:/baserow/caddy/Caddyfile" \
  -p 80:80 \
  -p 443:443 \
  --restart unless-stopped \
  baserow/baserow:1.26.1

What commands if any did you use to start your Baserow server?

See above.

Describe the problem

We are trying to implement SSO based on SAML. This is the SRAM SAML implementation, provided by the SURF organisation.

After login at the provider, the process fails with the following traceback in the log:

[BACKEND][2024-10-30 14:42:26] File "/baserow/enterprise/backend/src/baserow_enterprise/sso/saml/handler.py", line 152, in get_user_info_from_authn_user_identity
[BACKEND][2024-10-30 14:42:26] email = authn_identity["user.email"][0]
[BACKEND][2024-10-30 14:42:26] └ {'uid': ['xxxxx'], 'eduPersonAssurance': [' … link removed …', 'xxx link removed…
[BACKEND][2024-10-30 14:42:26]
[BACKEND][2024-10-30 14:42:26] KeyError: 'user.email'

It seems that Baserow relies on the fact that the attribute user.email is provided by the SAML provider. However, for SRAM, this is not the case. SRAM has a fixed set of attributes (see: Attributes in SRAM - SURF IAM - SURF User Knowledge Base).
The needed attribute is called mail in the SRAM set of attributes (according to rfc822).

So, this means that we need a way of configuring attributes on the side of Baserow to be able to use SRAM as a SAML provider.
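The failure in the traceback above comes from indexing a fixed attribute name. As an added illustration (not part of the original post and not Baserow's code or its fix for this issue), here is one way a service provider can resolve the e-mail address through a configurable mapping and fail with a clear error when the attribute is absent. The mapping names, the `givenName` attribute, the helper names and the sample values are assumptions made for this sketch.

```python
import re

# Hypothetical mappings (logical field -> SAML attribute name); not Baserow's settings.
# "user.email" is the key from the traceback, "mail" the SRAM attribute named in the post.
DEFAULT_MAPPING = {"email": "user.email", "first_name": "user.first_name"}
SRAM_MAPPING = {"email": "mail", "first_name": "givenName"}  # givenName is assumed

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


class MissingSamlAttribute(Exception):
    """Raised when the IdP response lacks a required mapped attribute."""


def first_value(identity, attribute):
    """Return the first non-empty value of a multi-valued attribute, or None."""
    for value in identity.get(attribute) or []:
        if isinstance(value, str) and value.strip():
            return value.strip()
    return None


def get_user_info(identity, mapping=DEFAULT_MAPPING):
    """Map an attribute dict (name -> list of values) to user fields."""
    email_attr = mapping["email"]
    email = first_value(identity, email_attr)
    if email is None:
        # Report attribute names only: the values are personal data and stay out of logs.
        raise MissingSamlAttribute(
            f"required attribute {email_attr!r} not in response; "
            f"received: {sorted(identity)}"
        )
    if not EMAIL_RE.match(email):
        raise ValueError(f"attribute {email_attr!r} is not a valid e-mail address")
    # The e-mail identifies the account, so it is never guessed from another
    # attribute such as uid; only the optional display field gets a fallback.
    first_name = first_value(identity, mapping.get("first_name", "")) or email.split("@")[0]
    return {"email": email.lower(), "first_name": first_name}


# Constructed sample shaped like the dict in the traceback (all values invented).
SAMPLE_SRAM_IDENTITY = {
    "uid": ["jdoe"],
    "mail": ["J.Doe@example.org"],
    "eduPersonAssurance": ["https://example.org/assurance/placeholder"],
}
```

With `SRAM_MAPPING` the sample resolves to an account e-mail; with `DEFAULT_MAPPING` it raises `MissingSamlAttribute` listing the attribute names the provider actually sent, which is the information needed to correct the mapping.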

Hi @jjmurre,

sorry for the late response. Unfortunately, there’s no way at the moment to change the mapping from Baserow, but I’ve created an issue to fix the problem here: Add ability to change mapping in SAML SSO (#3155) · Issues · Baserow / baserow · GitLab.

I’ll start working on it very soon and I’ll do my best to include it in the next release.

Hi @davide Tx, nice that you have put this on the issuelist for Baserow!

Hi @davide I just saw that this change has been merged, wonderful!

When will be the next Baserow release that will contain this change?

Hi @jjmurre,

The update has just been merged in time for the upcoming release. It will be deployed tomorrow on our SaaS platform.

If everything goes smoothly, we will also release the images for self-hosters immediately afterward. Therefore, you can expect to be able to use it by tomorrow.

Tx, that’s great news!

We are now on version 1.26.1. I assume the new version will be 1.29?
Can we directly switch to the new image, or should we upgrade to the versions between 1.26.1 and 1.29 step by step?

We have some documentation for docker here: Upgrade from a previous version

If you can stop Baserow, it’s typically safe to upgrade to the latest version directly and then restart Baserow. However, if you’re unable to stop the server for any reason, like in our case with our SaaS, you should upgrade one version at a time to ensure correct database migrations and application behavior.