First implementation of SAML teams mapping

[the-glu]

Description

Hello,

This is a basic implementation of #3846: It add possibility to map kimai's team from a SAML attribute.
It's also allow setting the leadership 'attribute' of a user in a team.

This PR currently lacks tests and documentations, I wanted first to be sure the implementation direction is ok :)

Feedback is welcome, my PHP is a bit rusty ^^'

===> PR for documentation: kimai/www.kimai.org#423

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)

Checklist

• I verified that my code applies to the guidelines (composer code-check)
• I updated the documentation (see here)
• I agree that this code is used in Kimai (see license)

[kevinpapst]

Thanks @the-glu for giving this a try 👍

Code-wise it looks good (haven't checked details, but the overall view is great), .
Maybe we should add a big try & catch - so login doesn't fail in case of issues with the teams.

Now as you mentioned: tests are missing and documentation.
Can you share how you tested this?

I'd like to try it, but I don't have a Keycloak setup, so I need either Azure AD or Google Workspace.
How does one setup Teams on IDP side?

[mastertIT]

@the-glu what's the syntax in the local.yaml config for this?

from the code it looks like another line in the mapping section?

would like to test this.

[the-glu]

Hello,

Great, I will add tests and documentation as soon as possible :)

I tested with our internal SSO but it should works with any SSO. If you like I can make you a Keycloak available somewhere with some basic configuration.

@mastertIT

For the syntax in the local.yaml config for testing:

kimai:
    saml:
        provider: google
        activate: true
        title: Login with SAML
(...)
        roles:
(...)
        teams:
            resetOnLogin: true
            attribute: groups
            mapping:
                - { saml: testgrsp, kimai: 7, leader: false }
(...)

Saml attribute is the value in the attribute list (that you specify on the line before), kimai is the team id on the kimai side (edit a team and check the URL for the ID), leader is if the user should be leader or not of the team :)

[mastertIT]

works in my lab

[kevinpapst]

An approval is too early 😁 but great feedback 🚀

[CLAassistant]

All committers have signed the CLA.

[kevinpapst]

Thanks! A few small things to check.

[kevinpapst]

Suggested change

	public function getTeamsMapping(): array
	/**
	* @return array<int, array{'saml': string, 'kimai': int, 'leader': string}>
	*/
	public function getTeamsMapping(): array

Please check if that is correct.
Then add the same for the Interface and then you can remove the PHPStan ignores as well.
The PHPStan baseline can only be reduced, but no new ones should be added.

[kevinpapst]

I do not like repository magic methods. Please change that to:

Suggested change

	$team = $this->teamRepository->findById($field)[0];
	$team = $this->teamRepository->findOneBy(['id' => $field]);
	if ($team !== null) {
	...

[kevinpapst]

Do we even need the boolean? Can't you replace the break by a continue 2?