Use SAML attribute values in ACLs

[quartje]

I am trying to reuse the groups that our identity provider supplies in a SAML attribute.
There is no native support for this (ie that omni extracts the SAML group attribute value and passes it to Kubernetes). So I am trying to achieve this using ACLs. I've not yet been able to get this working. What I am trying is the following:

SAML attribute with group information: urn:mace:dir:attribute-def:isMemberOf
Attribute values:

• urn:mace:surf.nl:invite.surfconext.nl:26c7488b-befa-48ba-b860-78168288e51f:sdp_team1_adm
• urn:mace:surf.nl:invite.surfconext.nl:9737992e-661b-42db-929e-faffd9631fe3:sdp_team2_adm

If I understand it correctly, all SAML attributes are mapped to identity labels in the form
saml.omni.sidero.dev/$SAML_ATTRIBUTE_NAME/$SAML_ATTRIBUTE_VALUE
So these two attribute values would map to:

saml.omni.sidero.dev/urn:mace:dir:attribute-def:isMemberOf/urn:mace:surf.nl:invite.surfconext.nl:26c7488b-befa-48ba-b860-78168288e51f:sdp_team1_adm
saml.omni.sidero.dev/urn:mace:dir:attribute-def:isMemberOf/urn:mace:surf.nl:invite.surfconext.nl:9737992e-661b-42db-929e-faffd9631fe3:sdp_team2_adm

So I would now be able to map these to Omni groups, using an ACL like this:

metadata:
  namespace: default
  type: AccessPolicies.omni.sidero.dev
  id: access-policy
spec:
  usergroups:
    team_adm:
      users:
      - labelselectors:
          - "saml.omni.sidero.dev/urn:mace:dir:attribute-def:isMemberOf/urn:mace:surf.nl:invite.surfconext.nl:26c7488b-befa-48ba-b860-78168288e51f:sdp_team1_adm="

  rules:
    - users:
        - group/team_adm
      clusters:
        - dev
        - staging
        - production
      kubernetes:
        impersonate:
          groups:
            - team_adm

This doesn't work.
I've also tried starting omni with the following parameter:
--auth-saml-label-rules={"urn:mace:dir:attribute-def:isMemberOf": "groups"}
and
--auth-saml-label-rules={"groups": "urn:mace:dir:attribute-def:isMemberOf" }
The documentation is not clear what maps to what ...
If I understand it correctly, that option should add identity labels with the values of the group attributes, like this:
saml.omni.sidero.dev/groups/urn:mace:surf.nl:invite.surfconext.nl:26c7488b-befa-48ba-b860-78168288e51f:sdp_team1_adm
I've tried adding that as label selector, but that also does not work.
I also do not see any labels in the Omni user interface under settings/users
I've not found another way to debug this, I am not able to check what labels I actually get.

So my questions are:
Is my assumption correct on how identity labels are created?
Is my syntax correct in the ACL?
Is this currently the recommended way?
How can I debug this further?
What does the option --auth-saml-label-rules exactly do, and which way around is the mapping?
Additionaly, I saw this issue: #1201 which suggests that SAMLlabelrules are not updated upon login. Is that also true for the identity labels?

Thanks!

[quartje]

apparently, it works when I set --auth-saml-label-rules={"urn:mace:dir:attribute-def:isMemberOf": "groups"}
I am not sure why this did not work before. I also see the labels now. Closing this discussion for now!