MobSF · Antiksec · Feb 6, 2025 · Feb 6, 2025 · Feb 6, 2025 · Feb 6, 2025
diff --git a/mobsf/MobSF/settings.py b/mobsf/MobSF/settings.py
@@ -379,8 +379,9 @@
 IDP_SSO_URL = os.getenv('MOBSF_IDP_SSO_URL')
 IDP_X509CERT = os.getenv('MOBSF_IDP_X509CERT')
 IDP_IS_ADFS = os.getenv('MOBSF_IDP_IS_ADFS', '0')
-IDP_MAINTAINER_GROUP = os.getenv('MOBSF_IDP_MAINTAINER_GROUP', 'Maintainer')
-IDP_VIEWER_GROUP = os.getenv('MOBSF_IDP_VIEWER_GROUP', 'Viewer')
+IDP_MAINTAINER_GROUP = os.getenv('MOBSF_IDP_MAINTAINER_GROUP', 'Maintainer').split(',')
+IDP_VIEWER_GROUP = os.getenv('MOBSF_IDP_VIEWER_GROUP', 'Viewer').split(',')
+IDP_MOBSF_DEFAULT_GROUP = os.getenv('MOBSF_IDP_DEFAULT_GROUP')
 # SP Configuration
 SP_HOST = os.getenv('MOBSF_SP_HOST')
 SP_ALLOW_PASSWORD = os.getenv('MOBSF_SP_ALLOW_PASSWORD', '0')

diff --git a/mobsf/MobSF/views/authorization.py b/mobsf/MobSF/views/authorization.py
@@ -49,8 +49,8 @@ class Permissions(Enum):
     DELETE = f'StaticAnalyzer.{PERM_CAN_DELETE}'
 
 
-MAINTAINER_GROUP = settings.IDP_MAINTAINER_GROUP
-VIEWER_GROUP = settings.IDP_VIEWER_GROUP
+MAINTAINER_GROUP = 'Maintainer'
+VIEWER_GROUP = 'Viewer'
 
 
 def permission_required(perm):

diff --git a/mobsf/MobSF/views/saml2.py b/mobsf/MobSF/views/saml2.py
@@ -127,10 +127,19 @@ def get_redirect_url(req):
 
 def get_user_role(roles):
     """Get user role."""
-    mrole = any(MAINTAINER_GROUP.lower() in gp.lower() for gp in roles)
-    if mrole:
+    maintainer_groups = [g.lower() for g in settings.IDP_MAINTAINER_GROUP]
+    viewer_groups = [g.lower() for g in settings.IDP_VIEWER_GROUP]
+    user_roles = [gp.lower() for gp in roles]
+    mrole = any(gp in maintainer_groups for gp in user_roles)
+    vrole = any(gp in viewer_groups for gp in user_roles)
+    if mrole or settings.IDP_MOBSF_DEFAULT_GROUP == 'Maintainer':
+        logger.info('User assigned to %s group.', MAINTAINER_GROUP)
         return MAINTAINER_GROUP
-    return VIEWER_GROUP
+    elif vrole or settings.IDP_MOBSF_DEFAULT_GROUP == 'Viewer':
+        logger.info('User assigned to %s group.', VIEWER_GROUP)
+        return VIEWER_GROUP
+    logger.warning('User does not have an authorized SSO group.')
+    return None
 
 
 @require_http_methods(['GET'])
@@ -174,6 +183,9 @@ def saml_acs(request):
                 'role attribute not found in SAML response.')
         email = attributes['email'][0]
         role = get_user_role(attributes['role'])
+        if not role:
+            raise Exception(
+                'You do not have an authorized SSO group.')
         if User.objects.filter(username=email).exists():
             user = User.objects.get(username=email)
             user.groups.clear()