Map Burrow admins to Zulip owners

Enable Zulip SAML auto signup
2026-04-19 03:43:57 -07:00 · 2026-04-19 03:37:42 -07:00
3 changed files with 25 additions and 1 deletions
--- a/Scripts/authentik-sync-zulip-saml.sh
+++ b/Scripts/authentik-sync-zulip-saml.sh
@ -10,6 +10,7 @@ acs_url="${AUTHENTIK_ZULIP_ACS_URL:-https://chat.burrow.net/complete/saml/}"
 audience="${AUTHENTIK_ZULIP_AUDIENCE:-https://chat.burrow.net}"
 launch_url="${AUTHENTIK_ZULIP_LAUNCH_URL:-https://chat.burrow.net/}"
 access_group="${AUTHENTIK_ZULIP_ACCESS_GROUP:-}"
+admin_group="${AUTHENTIK_ZULIP_ADMIN_GROUP:-}"
 issuer="${AUTHENTIK_ZULIP_ISSUER:-$authentik_url}"

 usage() {
@ -28,6 +29,7 @@ Optional environment:
  AUTHENTIK_ZULIP_AUDIENCE
  AUTHENTIK_ZULIP_LAUNCH_URL
  AUTHENTIK_ZULIP_ACCESS_GROUP
+  AUTHENTIK_ZULIP_ADMIN_GROUP
  AUTHENTIK_ZULIP_ISSUER
 EOF
 }
@ -257,6 +259,17 @@ last_name_mapping_pk="$(
    $'parts = (request.user.name or "").rsplit(" ", 1)\nif len(parts) == 2 and parts[1]:\n    return parts[1]\nreturn request.user.username'
 )"

+role_mapping_pk=""
+if [[ -n "$admin_group" ]]; then
+  role_mapping_pk="$(
+    reconcile_property_mapping \
+      "Burrow Zulip SAML Role" \
+      "zulip_role" \
+      "zulip_role" \
+      $'admin_group = "'$admin_group$'"\nif any(group.name == admin_group for group in request.user.ak_groups.all()):\n    return "owner"\nreturn None'
+  )"
+fi
+
 if [[ -z "$email_mapping_pk" || -z "$name_mapping_pk" || -z "$first_name_mapping_pk" || -z "$last_name_mapping_pk" ]]; then
  echo "error: failed to reconcile Zulip SAML property mappings" >&2
  exit 1
@ -276,6 +289,7 @@ provider_payload="$(
    --arg name_mapping "$name_mapping_pk" \
    --arg first_name_mapping "$first_name_mapping_pk" \
    --arg last_name_mapping "$last_name_mapping_pk" \
+    --arg role_mapping "$role_mapping_pk" \
    '{
      name: $name,
      authorization_flow: $authorization_flow,
@ -293,7 +307,7 @@ provider_payload="$(
        $name_mapping,
        $first_name_mapping,
        $last_name_mapping
-      ]
+      ] + (if $role_mapping != "" then [$role_mapping] else [] end)
    }'
 )"

--- a/nixos/modules/burrow-authentik.nix
+++ b/nixos/modules/burrow-authentik.nix
@ -956,6 +956,7 @@ EOF
        ${lib.optionalString (cfg.zulipAccessGroupName != null) ''
          export AUTHENTIK_ZULIP_ACCESS_GROUP=${lib.escapeShellArg cfg.zulipAccessGroupName}
        ''}
+        export AUTHENTIK_ZULIP_ADMIN_GROUP=${lib.escapeShellArg cfg.adminGroupName}

        ${pkgs.bash}/bin/bash ${zulipSamlSyncScript}
      '';
--- a/nixos/modules/burrow-zulip.nix
+++ b/nixos/modules/burrow-zulip.nix
@ -373,6 +373,8 @@ services:
                "entity_id": "https://${cfg.authentikDomain}",
                "url": "https://${cfg.authentikDomain}/application/saml/${cfg.authentikProviderSlug}/sso/binding/redirect/",
                "display_name": "burrow.net",
+                "auto_signup": True,
+                "extra_attrs": ["zulip_role"],
                "x509cert": """$saml_cert""",
                "attr_user_permanent_id": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                "attr_username": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
@ -381,6 +383,13 @@ services:
                "attr_last_name": "lastName",
            },
        }
+        SOCIAL_AUTH_SYNC_ATTRS_DICT = {
+            "authentik": {
+                "saml": {
+                    "role": "zulip_role",
+                },
+            },
+        }
 EOF
      '';
    };
Author	SHA1	Message	Date
Conrad Kramer	eb9327a99f	Map Burrow admins to Zulip owners Some checks failed Build Site / Next.js Build (push) Failing after 2s Details Lint Governance / BEP Metadata (push) Successful in 0s Details Build Rust / Cargo Test (push) Successful in 4m2s Details	2026-04-19 03:43:57 -07:00
Conrad Kramer	5598fc18fc	Enable Zulip SAML auto signup	2026-04-19 03:37:42 -07:00