From 5f05cd40743a827ebe809c4db5446dbfed3f17a8 Mon Sep 17 00:00:00 2001
From: Ben Hardill <ben@flowforge.com>
Date: Fri, 23 Aug 2024 16:55:19 +0100
Subject: [PATCH 1/5] Add group management to LDAP SSO

fixes #4002
---
 forge/ee/lib/sso/index.js                     | 129 ++++++++++++++++++
 .../admin/Settings/SSO/createEditProvider.vue |  88 +++++++++++-
 2 files changed, 210 insertions(+), 7 deletions(-)

diff --git a/forge/ee/lib/sso/index.js b/forge/ee/lib/sso/index.js
index 95f12ec8ac..bbfed10bf0 100644
--- a/forge/ee/lib/sso/index.js
+++ b/forge/ee/lib/sso/index.js
@@ -262,6 +262,10 @@ module.exports.init = async function (app) {
                 userClient = new Client(clientOptions)
                 try {
                     await userClient.bind(userDN, password)
+                    // if ldap group support enabled
+                    if (providerConfig.options.groupMapping) {
+                        await updateTeamMembershipLDAP(adminClient, user, userDN, providerConfig.options)
+                    }
                     return true
                 } catch (err) {
                     // Failed to bind user
@@ -424,6 +428,131 @@ module.exports.init = async function (app) {
         }
     }
 
+    // LDAP Group Membership
+    async function updateTeamMembershipLDAP (adminClient, user, userDN, providerOpts) {
+        const filter = `(|(uniqueMember=${userDN})(member=${userDN}))`
+        // const { searchEntries } = await adminClient.search(providerOpts.options.groupsDN, {
+        const { searchEntries } = await adminClient.search('ou=groups,dc=hardill,dc=me,dc=uk', {
+            filter,
+            attributes: ['cn']
+        })
+        const promises = []
+        let adminGroup = false
+        const desiredTeamMemberships = {}
+        const groupRegEx = /^ff-(.+)-([^-]+)$/
+        for (const i in searchEntries) {
+            
+            const match = groupRegEx.exec(searchEntries[i].cn)
+            if (match) {
+                app.log.debug(`Found group ${searchEntries[i].cn} for user ${user.username}`)
+                const teamSlug = match[1]
+                const teamRoleName = match[2]
+                const teamRole = Roles[teamRoleName]
+                // Check this role is a valid team role
+                if (TeamRoles.includes(teamRole)) {
+                    // Check if this team is allowed to be managed for this SSO provider
+                    //  - either `groupAllTeams` is true (allowing all teams to be managed this way)
+                    //  - or `groupTeams` (array) contains the teamSlug
+                    if (providerOpts.groupAllTeams || (providerOpts.groupTeams || []).includes(teamSlug)) {
+                        // In case we have multiple assertions for a single team,
+                        // ensure we keep the highest level of access
+                        desiredTeamMemberships[teamSlug] = Math.max(desiredTeamMemberships[teamSlug] || 0, teamRole)
+                    }
+                }
+            }
+            if (providerOpts.groupAdmin && providerOpts.groupAdminName === searchEntries[i].cn) {
+                adminGroup = true
+            }
+        }
+        if (providerOpts.groupAdmin) {
+            if (user.admin && !adminGroup) {
+                app.auditLog.User.user.updatedUser(0, null, [{ key: 'admin', old: true, new: false }], user)
+                user.admin = false
+                try {
+                    await user.save()
+                } catch (err) {
+                    // did we just fail remove the last admin?
+                    app.log.info(`Failed to remove admin from ${user.username}, as this would have been the last admin`)
+                }
+            } else if (adminGroup && !user.admin) {
+                app.auditLog.User.user.updatedUser(0, null, [{ key: 'admin', old: false, new: true }], user)
+                user.admin = true
+                await user.save()
+            }
+        }
+
+        // Get the existing memberships and generate a slug->membership object (existingMemberships)
+        const existingMemberships = {}
+        ;((await user.getTeamMemberships(true)) || []).forEach(membership => {
+            // Filter out any teams that are not to be managed by this configuration.
+            // A team is managed by this configuration if any of the follow is true:
+            //  - groupAllTeams is true (all teams to be managed)
+            //  - groupTeams includes this team (this is explicitly a team to be managed)
+            //  - groupOtherTeams is false (not allowed to be a member of other teams - so need to remove them)
+            if (
+                providerOpts.groupAllTeams ||
+                (providerOpts.groupTeams || []).includes(membership.Team.slug) ||
+                !providerOpts.groupOtherTeams
+            ) {
+                existingMemberships[membership.Team.slug] = membership
+            }
+        })
+        // We now have the list of desiredTeamMemberships and existingMemberships
+        // that are in scope of being modified
+
+        // - Check each existing membership
+        //   - if in desired list, update role to match and delete from desired list
+        //   - if not in desired list,
+        //      - if groupOtherTeams is false or, delete membership
+        //      - else leave alone
+        for (const [teamSlug, membership] of Object.entries(existingMemberships)) {
+            if (Object.hasOwn(desiredTeamMemberships, teamSlug)) {
+                // This team is in the desired list
+                if (desiredTeamMemberships[teamSlug] !== membership.role) {
+                    // Role has changed - update membership
+                    const updates = new app.auditLog.formatters.UpdatesCollection()
+                    const oldRole = app.auditLog.formatters.roleObject(membership.role)
+                    const role = app.auditLog.formatters.roleObject(desiredTeamMemberships[teamSlug])
+                    updates.push('role', oldRole.role, role.role)
+                    membership.role = desiredTeamMemberships[teamSlug]
+                    promises.push(membership.save().then(() => {
+                        return app.auditLog.Team.team.user.roleChanged(user, null, membership.Team, user, updates)
+                    }))
+                } else {
+                    // Role has not changed - no update needed
+                    // console.log(`no change needed for team ${teamSlug} role ${membership.role}`)
+                }
+                // Remove from the desired list as it has been dealt with
+                delete desiredTeamMemberships[teamSlug]
+            } else {
+                // console.log(`removing from team ${teamSlug}`)
+                // This team is not in the desired list - delete the membership
+                promises.push(membership.destroy().then(() => {
+                    return app.auditLog.Team.team.user.removed(user, null, membership.Team, user)
+                }))
+            }
+        }
+        // - Check remaining desired memberships
+            //   - create membership
+            for (const [teamSlug, teamRole] of Object.entries(desiredTeamMemberships)) {
+                // This is a new team membership
+                promises.push(app.db.models.Team.bySlug(teamSlug).then(team => {
+                if (team) {
+                    // console.log(`adding to team ${teamSlug} role ${teamRole}`)
+                    return app.db.controllers.Team.addUser(team, user, teamRole).then(() => {
+                        return app.auditLog.Team.team.user.added(user, null, team, user)
+                    })
+                } else {
+                    // console.log(`team not found ${teamSlug}`)
+                    // Unrecognised team - ignore
+                    return null
+                }
+            }))
+        }
+
+        await Promise.all(promises)
+    }
+
     return {
         handleLoginRequest,
         isSSOEnabledForEmail,
diff --git a/frontend/src/pages/admin/Settings/SSO/createEditProvider.vue b/frontend/src/pages/admin/Settings/SSO/createEditProvider.vue
index f4cee705c7..03b0bcb76c 100644
--- a/frontend/src/pages/admin/Settings/SSO/createEditProvider.vue
+++ b/frontend/src/pages/admin/Settings/SSO/createEditProvider.vue
@@ -43,7 +43,7 @@
                             <template #description>Supplied by your Identity Provider</template>
                             <template #input><textarea v-model="input.options.cert" class="font-mono w-full" placeholder="---BEGIN CERTIFICATE---&#10;loremipsumdolorsitamet&#10;consecteturadipiscinge&#10;---END CERTIFICATE---&#10;" rows="6" /></template>
                         </FormRow>
-                        <FormRow v-model="input.options.groupMapping" type="checkbox">Manage roles using group assertions</FormRow>
+                        <!-- <FormRow v-model="input.options.groupMapping" type="checkbox">Manage roles using group assertions</FormRow>
                         <div v-if="input.options.groupMapping" class="pl-4 space-y-6">
                             <FormRow v-model="input.options.groupAssertionName" :error="groupAssertionNameError">
                                 Group Assertion Name
@@ -66,7 +66,7 @@
                             </FormRow>
                             <FormRow v-model="input.options.groupAdmin" type="checkbox">Manage Admin roles using group assertions</FormRow>
                             <FormRow v-if="input.options.groupAdmin" v-model="input.options.groupAdminName" :error="groupAdminNameError" class="pl-4">Admin Users SAML Group name</FormRow>
-                        </div>
+                        </div> -->
                     </template>
                     <template v-else-if="input.type === 'ldap'">
                         <FormRow v-model="input.options.server">
@@ -93,7 +93,63 @@
                         <div v-if="input.options.tls" class="pl-4 space-y-6">
                             <FormRow v-model="input.options.tlsVerifyServer" type="checkbox">Verify Server Certificate</FormRow>
                         </div>
+                        <!-- <FormRow v-model="input.options.groupMapping" type="checkbox">Manage roles using group membership</FormRow>
+                        <div v-if="input.options.groupMapping" class="pl-4 space-y-6">
+                            <FormRow v-model="input.options.groupsDN" :error="groupsDNError">
+                                Group Base DN
+                                <template #description>The name of the base object to search for groups</template>
+                            </FormRow>
+                            <FormRow v-model="input.options.groupAllTeams" :options="[{ value:true, label: 'Apply to all teams' }, { value:false, label: 'Apply to selected teams' }]">
+                                Team Scope
+                                <template #description>Should this apply to all teams on the platform, or just a restricted list of teams</template>
+                            </FormRow>
+                            <FormRow v-if="input.options.groupAllTeams === false" v-model="input.options.groupTeams" class="pl-4">
+                                <template #description>A list of team <b>slugs</b> that will managed by this configuration - one per line</template>
+                                <template #input><textarea v-model="input.options.groupTeams" class="font-mono w-full" rows="6" /></template>
+                            </FormRow>
+                            <FormRow v-if="input.options.groupAllTeams === false" v-model="input.options.groupOtherTeams" type="checkbox" class="pl-4">
+                                Allow users to be in other teams
+                                <template #description>
+                                    If enabled, users can be members of any teams not listed above and their membership/roles are not managed
+                                    by this SSO configuration.
+                                </template>
+                            </FormRow>
+                            <FormRow v-model="input.options.groupAdmin" type="checkbox">Manage Admin roles using group assertions</FormRow>
+                            <FormRow v-if="input.options.groupAdmin" v-model="input.options.groupAdminName" :error="groupAdminNameError" class="pl-4">Admin Users SAML Group name</FormRow>
+                        </div> -->
                     </template>
+                    <FormRow v-model="input.options.groupMapping" type="checkbox">Manage roles using group assertions</FormRow>
+                    <div v-if="input.options.groupMapping" class="pl-4 space-y-6">
+                        <div v-if="input.type === 'saml'">
+                            <FormRow v-model="input.options.groupAssertionName" :error="groupAssertionNameError">
+                                Group Assertion Name
+                                <template #description>The name of the SAML Assertion containing group membership details</template>
+                            </FormRow>
+                        </div>
+                        <div v-else-if="input.type === 'ldap'">
+                            <FormRow v-model="input.options.groupsDN" :error="groupsDNError">
+                                Group DN
+                                <template #description>The name of the base object to search for groups</template>
+                            </FormRow>
+                        </div>
+                        <FormRow v-model="input.options.groupAllTeams" :options="[{ value:true, label: 'Apply to all teams' }, { value:false, label: 'Apply to selected teams' }]">
+                            Team Scope
+                            <template #description>Should this apply to all teams on the platform, or just a restricted list of teams</template>
+                        </FormRow>
+                        <FormRow v-if="input.options.groupAllTeams === false" v-model="input.options.groupTeams" class="pl-4">
+                            <template #description>A list of team <b>slugs</b> that will managed by this configuration - one per line</template>
+                            <template #input><textarea v-model="input.options.groupTeams" class="font-mono w-full" rows="6" /></template>
+                        </FormRow>
+                        <FormRow v-if="input.options.groupAllTeams === false" v-model="input.options.groupOtherTeams" type="checkbox" class="pl-4">
+                            Allow users to be in other teams
+                            <template #description>
+                                If enabled, users can be members of any teams not listed above and their membership/roles are not managed
+                                by this SSO configuration.
+                            </template>
+                        </FormRow>
+                        <FormRow v-model="input.options.groupAdmin" type="checkbox">Manage Admin roles using group assertions</FormRow>
+                        <FormRow v-if="input.options.groupAdmin" v-model="input.options.groupAdminName" :error="groupAdminNameError" class="pl-4">Admin Users SAML Group name</FormRow>
+                    </div>
                     <FormRow v-model="input.options.provisionNewUsers" type="checkbox">Allow Provisioning of New Users on first login</FormRow>
                     <ff-button :disabled="!formValid" @click="updateProvider()">
                         Update configuration
@@ -139,7 +195,10 @@ export default {
                 active: false,
                 options: {
                     provisionNewUsers: false,
-                    groupMapping: false
+                    groupAssertionName: '',
+                    groupsDN: '',
+                    groupMapping: false,
+                    groupAdminName: ''
                 }
             },
             errors: {},
@@ -155,19 +214,33 @@ export default {
             return this.$route.params.id === 'create'
         },
         isGroupOptionsValid () {
+            try {
             return !this.input.options.groupMapping || (
-                this.isGroupAssertionNameValid
-                // && this.isGroupAdminNameValid
+                (this.input.options.type === 'saml' ? this.isGroupAssertionNameValid : this.isGroupsDNValid)
+                && this.isGroupAdminNameValid
             )
+            } catch (eee) {
+                console.log(eee)
+            }
         },
         isGroupAssertionNameValid () {
-            return this.input.options.groupAssertionName.length > 0
+            return this.input.options.groupAssertionName && this.input.options.groupAssertionName.length > 0
         },
         groupAssertionNameError () {
             return !this.isGroupAssertionNameValid ? 'Group Assertion name is required' : ''
         },
+        isGroupsDNValid () {
+            return this.input.options.groupsDN && this.input.options.groupsDN.length > 0
+        },
+        groupsDNError () {
+            return !this.isGroupsDNValid ? 'Group DN is required' : ''
+        },
         isGroupAdminNameValid () {
-            return !this.input.options.groupAdmin || this.input.options.groupAdminName.length > 0
+            try {
+                return !this.input.options.groupAdmin || (this.input.options.groupAdminName && this.input.options.groupAdminName.length > 0)
+            } catch (eee) {
+                console.log(eee)
+            }
         },
         groupAdminNameError () {
             return !this.isGroupAdminNameValid ? 'Admin Group name is required' : ''
@@ -221,6 +294,7 @@ export default {
                 if (!opts.options.groupMapping) {
                     // Remove any group-related config
                     delete opts.options.groupAssertionName
+                    delete opts.options.groupsDN
                     delete opts.options.groupAllTeams
                     delete opts.options.groupTeams
                     delete opts.options.groupAdmin

From 82082c4b452d3146b9b76dd58dde863a19382bd3 Mon Sep 17 00:00:00 2001
From: Ben Hardill <ben@flowforge.com>
Date: Tue, 27 Aug 2024 09:42:25 +0100
Subject: [PATCH 2/5] Add docs

---
 docs/admin/sso/README.md |  2 +-
 docs/admin/sso/ldap.md   | 60 +++++++++++++++++++++++++++++++++++++++-
 2 files changed, 60 insertions(+), 2 deletions(-)

diff --git a/docs/admin/sso/README.md b/docs/admin/sso/README.md
index 06b624b14a..5ed03df2c6 100644
--- a/docs/admin/sso/README.md
+++ b/docs/admin/sso/README.md
@@ -38,7 +38,7 @@ address in User Settings.
  LDAP based SSO allows the FlowFuse platform to authenticate users against a directory
  service provider, such as OpenLDAP.
 
- When logging in, the users credentials are passed to the serivce provider to verify.
+ When logging in, the users credentials are passed to the service provider to verify.
 
   - [Configuring LDAP SSO](ldap.md)
 
diff --git a/docs/admin/sso/ldap.md b/docs/admin/sso/ldap.md
index 65df72d5df..2b1a1ccbcb 100644
--- a/docs/admin/sso/ldap.md
+++ b/docs/admin/sso/ldap.md
@@ -69,4 +69,62 @@ option in the SOO configuration.
 
 When creating the user, the platform will use information provided by the LDAP provider
 to create the username. The user will be directed to their settings page where they
-can modify their user details to their preferred values.
\ No newline at end of file
+can modify their user details to their preferred values.
+
+## Managing Team Membership with LDAP Groups
+
+LDAP implementations can also be used to group users
+
+To enable tis option, select the `Manage roles using group assertions` in the SSO configuration.
+
+The following configuration options should then be set:
+
+- `Group DN` - this is the base DN to be used to search for group membership.
+- `Team Scope` - this determines what teams can be managed using this configuration. There are two options:
+     - `Apply to all teams` - this will allow the SAML groups to manage all teams on the platform. This is
+       suitable for a self-hosted installation of FlowFuse with a single SSO configuration for all users on
+       the platform.
+     - `Apply to selected teams` - this will restrict what teams can be managed to the provided list. This
+       is suitable for shared-tenancy platforms with multiple SSO configurations for different groups of users,
+       such as FlowFuse Cloud.
+       When this option is selected, an additional option is available - `Allow users to be in other teams`. This
+       will allow users who sign-in via this SSO configuration to be members of teams not in the list above.
+       Their membership of those teams will not be managed by the SSO groups.
+       If that option is disabled, then the user will be removed from any teams not in the list above.
+
+### LDAP Groups configuration
+
+A user's team membership is managed by what groups they are in. When the user logs in, the LDAP provider
+will be queried for a list of groups they are a member of. This can be either as a `member` or `uniqueMember` of a `groupOfNames` or `groupOfUniqueNames` respectively.
+
+The group name is used to identify a team, using its slug property, and the user's role in the team.
+The name must take the form `ff-<team>-<role>`. For example, the group `ff-development-owner` will
+container the owners of the team `development`.
+
+The valid roles for a user in a team are:
+ - `owner`
+ - `member`
+ - `viewer`
+ - `dashboard`
+
+*Note*: this uses the team slug property to identify the team. This has been chosen to simplify managing
+the groups in the LDAP Provider - rather than using the team's id. However, a team's slug can be changed
+by a team owner. Doing so will break the link between the group and the team membership - so should only
+be done with care.
+
+## Managing Admin users
+
+The SSO Configuration can be configured to managed the admin users of the platform by enabling the
+`Manage Admin roles using group assertions` option. Once enabled, the name of a group can be provided
+that will be used to identify whether a user is an admin or not.
+
+**Note:* the platform will refuse to remove the admin flag from a user if they are the only admin
+on the platform. It is *strongly* recommended to have an admin user on the system that is not
+managed via SSO to ensure continued access in case of any issues with the SSO provider.
+
+
+## Providers
+
+The following is the node-exhaustive list of the providers that are known to work with FlowFuse LDAP SSO.
+
+- [OpenLDAP](https://www.openldap.org/)

From 162c053f617e949e57280cb82a7ec437676e7265 Mon Sep 17 00:00:00 2001
From: Ben Hardill <ben@flowforge.com>
Date: Tue, 27 Aug 2024 10:00:09 +0100
Subject: [PATCH 3/5] fix lint

---
 forge/ee/lib/sso/index.js                          |  9 ++++-----
 .../admin/Settings/SSO/createEditProvider.vue      | 14 +++-----------
 2 files changed, 7 insertions(+), 16 deletions(-)

diff --git a/forge/ee/lib/sso/index.js b/forge/ee/lib/sso/index.js
index bbfed10bf0..4fac8059ca 100644
--- a/forge/ee/lib/sso/index.js
+++ b/forge/ee/lib/sso/index.js
@@ -441,7 +441,6 @@ module.exports.init = async function (app) {
         const desiredTeamMemberships = {}
         const groupRegEx = /^ff-(.+)-([^-]+)$/
         for (const i in searchEntries) {
-            
             const match = groupRegEx.exec(searchEntries[i].cn)
             if (match) {
                 app.log.debug(`Found group ${searchEntries[i].cn} for user ${user.username}`)
@@ -533,10 +532,10 @@ module.exports.init = async function (app) {
             }
         }
         // - Check remaining desired memberships
-            //   - create membership
-            for (const [teamSlug, teamRole] of Object.entries(desiredTeamMemberships)) {
-                // This is a new team membership
-                promises.push(app.db.models.Team.bySlug(teamSlug).then(team => {
+        //   - create membership
+        for (const [teamSlug, teamRole] of Object.entries(desiredTeamMemberships)) {
+            // This is a new team membership
+            promises.push(app.db.models.Team.bySlug(teamSlug).then(team => {
                 if (team) {
                     // console.log(`adding to team ${teamSlug} role ${teamRole}`)
                     return app.db.controllers.Team.addUser(team, user, teamRole).then(() => {
diff --git a/frontend/src/pages/admin/Settings/SSO/createEditProvider.vue b/frontend/src/pages/admin/Settings/SSO/createEditProvider.vue
index 03b0bcb76c..f4956218fc 100644
--- a/frontend/src/pages/admin/Settings/SSO/createEditProvider.vue
+++ b/frontend/src/pages/admin/Settings/SSO/createEditProvider.vue
@@ -214,14 +214,10 @@ export default {
             return this.$route.params.id === 'create'
         },
         isGroupOptionsValid () {
-            try {
             return !this.input.options.groupMapping || (
-                (this.input.options.type === 'saml' ? this.isGroupAssertionNameValid : this.isGroupsDNValid)
-                && this.isGroupAdminNameValid
+                (this.input.options.type === 'saml' ? this.isGroupAssertionNameValid : this.isGroupsDNValid) &&
+                  this.isGroupAdminNameValid
             )
-            } catch (eee) {
-                console.log(eee)
-            }
         },
         isGroupAssertionNameValid () {
             return this.input.options.groupAssertionName && this.input.options.groupAssertionName.length > 0
@@ -236,11 +232,7 @@ export default {
             return !this.isGroupsDNValid ? 'Group DN is required' : ''
         },
         isGroupAdminNameValid () {
-            try {
-                return !this.input.options.groupAdmin || (this.input.options.groupAdminName && this.input.options.groupAdminName.length > 0)
-            } catch (eee) {
-                console.log(eee)
-            }
+            return !this.input.options.groupAdmin || (this.input.options.groupAdminName && this.input.options.groupAdminName.length > 0)
         },
         groupAdminNameError () {
             return !this.isGroupAdminNameValid ? 'Admin Group name is required' : ''

From d102a07629ff336638169af35e8d0b6df9d2b29a Mon Sep 17 00:00:00 2001
From: Ben Hardill <ben@flowforge.com>
Date: Tue, 27 Aug 2024 14:48:16 +0100
Subject: [PATCH 4/5] Apply suggestions from code review

Co-authored-by: Stephen McLaughlin <44235289+Steve-Mcl@users.noreply.github.com>
---
 docs/admin/sso/ldap.md                        |  4 ++--
 forge/ee/lib/sso/index.js                     |  3 +--
 .../admin/Settings/SSO/createEditProvider.vue | 24 -------------------
 3 files changed, 3 insertions(+), 28 deletions(-)

diff --git a/docs/admin/sso/ldap.md b/docs/admin/sso/ldap.md
index 2b1a1ccbcb..6ec1829491 100644
--- a/docs/admin/sso/ldap.md
+++ b/docs/admin/sso/ldap.md
@@ -75,7 +75,7 @@ can modify their user details to their preferred values.
 
 LDAP implementations can also be used to group users
 
-To enable tis option, select the `Manage roles using group assertions` in the SSO configuration.
+To enable this option, select the `Manage roles using group assertions` in the SSO configuration.
 
 The following configuration options should then be set:
 
@@ -114,7 +114,7 @@ be done with care.
 
 ## Managing Admin users
 
-The SSO Configuration can be configured to managed the admin users of the platform by enabling the
+The SSO Configuration can be configured to manage the admin users of the platform by enabling the
 `Manage Admin roles using group assertions` option. Once enabled, the name of a group can be provided
 that will be used to identify whether a user is an admin or not.
 
diff --git a/forge/ee/lib/sso/index.js b/forge/ee/lib/sso/index.js
index 4fac8059ca..d7e238d532 100644
--- a/forge/ee/lib/sso/index.js
+++ b/forge/ee/lib/sso/index.js
@@ -431,8 +431,7 @@ module.exports.init = async function (app) {
     // LDAP Group Membership
     async function updateTeamMembershipLDAP (adminClient, user, userDN, providerOpts) {
         const filter = `(|(uniqueMember=${userDN})(member=${userDN}))`
-        // const { searchEntries } = await adminClient.search(providerOpts.options.groupsDN, {
-        const { searchEntries } = await adminClient.search('ou=groups,dc=hardill,dc=me,dc=uk', {
+        const { searchEntries } = await adminClient.search(providerOpts.options.groupsDN, {
             filter,
             attributes: ['cn']
         })
diff --git a/frontend/src/pages/admin/Settings/SSO/createEditProvider.vue b/frontend/src/pages/admin/Settings/SSO/createEditProvider.vue
index f4956218fc..4f0845ea7d 100644
--- a/frontend/src/pages/admin/Settings/SSO/createEditProvider.vue
+++ b/frontend/src/pages/admin/Settings/SSO/createEditProvider.vue
@@ -93,30 +93,6 @@
                         <div v-if="input.options.tls" class="pl-4 space-y-6">
                             <FormRow v-model="input.options.tlsVerifyServer" type="checkbox">Verify Server Certificate</FormRow>
                         </div>
-                        <!-- <FormRow v-model="input.options.groupMapping" type="checkbox">Manage roles using group membership</FormRow>
-                        <div v-if="input.options.groupMapping" class="pl-4 space-y-6">
-                            <FormRow v-model="input.options.groupsDN" :error="groupsDNError">
-                                Group Base DN
-                                <template #description>The name of the base object to search for groups</template>
-                            </FormRow>
-                            <FormRow v-model="input.options.groupAllTeams" :options="[{ value:true, label: 'Apply to all teams' }, { value:false, label: 'Apply to selected teams' }]">
-                                Team Scope
-                                <template #description>Should this apply to all teams on the platform, or just a restricted list of teams</template>
-                            </FormRow>
-                            <FormRow v-if="input.options.groupAllTeams === false" v-model="input.options.groupTeams" class="pl-4">
-                                <template #description>A list of team <b>slugs</b> that will managed by this configuration - one per line</template>
-                                <template #input><textarea v-model="input.options.groupTeams" class="font-mono w-full" rows="6" /></template>
-                            </FormRow>
-                            <FormRow v-if="input.options.groupAllTeams === false" v-model="input.options.groupOtherTeams" type="checkbox" class="pl-4">
-                                Allow users to be in other teams
-                                <template #description>
-                                    If enabled, users can be members of any teams not listed above and their membership/roles are not managed
-                                    by this SSO configuration.
-                                </template>
-                            </FormRow>
-                            <FormRow v-model="input.options.groupAdmin" type="checkbox">Manage Admin roles using group assertions</FormRow>
-                            <FormRow v-if="input.options.groupAdmin" v-model="input.options.groupAdminName" :error="groupAdminNameError" class="pl-4">Admin Users SAML Group name</FormRow>
-                        </div> -->
                     </template>
                     <FormRow v-model="input.options.groupMapping" type="checkbox">Manage roles using group assertions</FormRow>
                     <div v-if="input.options.groupMapping" class="pl-4 space-y-6">

From dbe5dbe285ef6d09b9c7abe0335a84d10dc5e741 Mon Sep 17 00:00:00 2001
From: Ben Hardill <ben@flowforge.com>
Date: Wed, 28 Aug 2024 10:40:49 +0100
Subject: [PATCH 5/5] Update forge/ee/lib/sso/index.js

---
 forge/ee/lib/sso/index.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/forge/ee/lib/sso/index.js b/forge/ee/lib/sso/index.js
index d7e238d532..d211814a94 100644
--- a/forge/ee/lib/sso/index.js
+++ b/forge/ee/lib/sso/index.js
@@ -431,7 +431,7 @@ module.exports.init = async function (app) {
     // LDAP Group Membership
     async function updateTeamMembershipLDAP (adminClient, user, userDN, providerOpts) {
         const filter = `(|(uniqueMember=${userDN})(member=${userDN}))`
-        const { searchEntries } = await adminClient.search(providerOpts.options.groupsDN, {
+        const { searchEntries } = await adminClient.search(providerOpts.groupsDN, {
             filter,
             attributes: ['cn']
         })