SAML JIT User Provisioning for Tryton
Just-In-Time user provisioning with Keycloak SAML. Auto-creates users, syncs groups, and creates employee records on first login.
Author: Jan Grasnick
License: GPL-3
Installation
```shell
trytond-admin -d <database> -u saml_user_jit
```
Configuration
1. Keycloak SAML Client
Create a SAML client and add these mappers:
| Type | Name | Property | SAML Attribute Name |
|---|---|---|---|
| Group list | groups | - | groups |
| User Property | firstName | firstName | givenName |
| User Property | lastName | lastName | sn |
| User Property | username | username | username |
Important: Set "Full group path: ON" in the Group list mapper. The required_group setting and the external_id values on res.group (below) are matched against full paths such as /tryton; with the full path off, Keycloak sends the bare group name (tryton) and nothing matches, so every login is refused.
2. Tryton trytond.conf
```ini
[authentication_saml]
keycloak = Single Sign On

[authentication_saml keycloak]
metadata = /path/to/keycloak/metadata.xml
config = /path/to/keycloak_saml.py
login = username

[authentication_saml_jit]
required_group = /tryton
group_attribute = groups
```
3. PySAML2 config (keycloak_saml.py)
```python
CONFIG = {
    "entityid": "tryton-saml",
    "accepted_time_diff": 120,
    "service": {
        "sp": {
            "name": "Tryton ERP",
            "endpoints": {
                "assertion_consumer_service": [
                    ("https://tryton.example.com/<database>/authentication/saml/keycloak/acs",
                     "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"),
                ],
            },
            "allow_unsolicited": True,
            "authn_requests_signed": False,
            "logout_requests_signed": False,
            "want_assertions_signed": True,
            "want_response_signed": True,
        }
    },
    "metadata": {
        "local": ["/path/to/keycloak/metadata.xml"]
    },
}
```

Keep want_assertions_signed and want_response_signed at True: the group attribute decides who gets an account, so an unsigned assertion must never be accepted. allow_unsolicited: True lets PySAML2 accept IdP-initiated responses that do not answer an outstanding request (no InResponseTo check); set it to False if you only use SP-initiated login.
4. Tryton groups
Set external_id on res.group to match Keycloak group paths (e.g., /tryton, /sales). Only groups with external_id are synced.
How it works
- User authenticates via SAML.
- Gate: the group attribute must contain the required group (/tryton); otherwise the login is refused.
- User is created if it does not exist.
- Groups are synced via external_id.
- Employee record is created.
- Name is synced from the IdP on every login.
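The flow above, as an added illustration that is not the module's own code. It runs the gate, create-or-update and group sync against an in-memory stand-in for res.user and res.group so it works without trytond; the settings, the group table, the attribute dict and the names provision, gate, User are all constructed for the example. One assumption is spelled out in the comments: groups that carry an external_id are treated as owned by the IdP (membership follows the assertion), while groups without one are left untouched.

```python
from dataclasses import dataclass, field

# Constructed stand-ins for the [authentication_saml_jit] settings above.
REQUIRED_GROUP = "/tryton"
GROUP_ATTRIBUTE = "groups"
LOGIN_ATTRIBUTE = "username"   # matches "login = username" in trytond.conf

# Constructed stand-in for res.group: external_id -> group id.
# Only groups that have an external_id take part in syncing.
GROUPS_BY_EXTERNAL_ID = {"/tryton": 1, "/sales": 2}


@dataclass
class User:
    """Minimal stand-in for res.user (constructed for this example)."""
    login: str
    name: str
    groups: set = field(default_factory=set)
    has_employee: bool = False


class NotAuthorized(Exception):
    pass


def first(attrs, key):
    """pysaml2 hands back every attribute as a list; take the first value."""
    values = attrs.get(key) or []
    return values[0] if values else None


def gate(attrs):
    """Gate check: the group attribute must carry the full path "/tryton".
    With "Full group path" OFF Keycloak sends "tryton", which does not match."""
    return REQUIRED_GROUP in set(attrs.get(GROUP_ATTRIBUTE) or [])


def provision(attrs, users):
    """Apply the gate, create or update the user, sync groups, return the user.

    attrs: the attribute dict pysaml2 returns for the assertion.
    users: dict login -> User, standing in for res.user.
    """
    if not gate(attrs):
        raise NotAuthorized("required group %r missing" % REQUIRED_GROUP)
    login = first(attrs, LOGIN_ATTRIBUTE)
    if not login:
        raise NotAuthorized("assertion carries no login attribute")

    # Name is rebuilt from the IdP attributes on every login.
    parts = (first(attrs, "givenName"), first(attrs, "sn"))
    name = " ".join(p for p in parts if p)

    user = users.get(login)
    if user is None:
        user = User(login=login, name=name)
        user.has_employee = True      # employee record created on first login
        users[login] = user
    else:
        user.name = name

    # Group sync (assumption of this example): groups with an external_id are
    # owned by the IdP, so membership follows the assertion, including removal
    # when a path is no longer asserted. Groups without an external_id (local
    # assignments) and IdP paths with no matching external_id are left alone.
    managed = set(GROUPS_BY_EXTERNAL_ID.values())
    wanted = {GROUPS_BY_EXTERNAL_ID[g] for g in attrs.get(GROUP_ATTRIBUTE) or []
              if g in GROUPS_BY_EXTERNAL_ID}
    user.groups = (user.groups - managed) | wanted
    return user


if __name__ == "__main__":
    # Constructed assertion: /hr has no external_id, so it is ignored.
    users = {}
    u = provision({"username": ["jdoe"], "givenName": ["Jane"], "sn": ["Doe"],
                   "groups": ["/tryton", "/sales", "/hr"]}, users)
    print(u.login, u.name, sorted(u.groups), u.has_employee)
```

Run it to see a first login produce a user in groups 1 and 2 with an employee record; a second assertion for the same login without /sales would drop group 2 while keeping any locally assigned group, and an assertion whose groups attribute holds "tryton" instead of "/tryton" is refused at the gate.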