From 0851c72e3093816b5a2cdd21d555984d0478d3e4 Mon Sep 17 00:00:00 2001
From: Joseph Schorr <josephschorr@users.noreply.github.com>
Date: Wed, 1 Mar 2017 14:58:21 -0500
Subject: [PATCH] Add support for OIDC binding field to the setup tool

---
 .../directives/config/config-setup-tool.html  | 24 +++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/static/directives/config/config-setup-tool.html b/static/directives/config/config-setup-tool.html
index 8e045ea28..12caf46cd 100644
--- a/static/directives/config/config-setup-tool.html
+++ b/static/directives/config/config-setup-tool.html
@@ -950,6 +950,10 @@
             <span style="display: inline-block; margin-left: 10px">(<a href="javascript:void(0)" ng-click="removeOIDCProvider(provider)">Delete</a>)</span>
           </div>
           <div class="co-panel-body">
+            <div class="co-alert co-alert-warning" ng-if="config.AUTHENTICATION_TYPE != 'Database' && !(config[provider].LOGIN_BINDING_FIELD)">
+              Warning: This OIDC provider is not bound to your <strong>{{ config.AUTHENTICATION_TYPE }}</strong> authentication. Logging in via this provider will create a <strong><span class="registry-name"></span>-only user</strong>, which is not the recommended approach. It is <strong>highly</strong> recommended to choose a "Binding Field" below.
+            </div>
+
             <table class="config-table">
               <tr>
                 <td class="non-input">Service ID:</td>
@@ -995,6 +999,26 @@
                   </div>
                 </td>
               </tr>
+              <tr ng-if="config.AUTHENTICATION_TYPE != 'Database'">
+                <td>Binding Field:</td>
+                <td>
+                  <select class="form-control" ng-model="config[provider].LOGIN_BINDING_FIELD">
+                    <option value="">(None)</option>
+                    <option value="sub">Subject (User ID)</option>
+                    <option value="username">Username</option>
+                    <option value="email">E-mail address</option>
+                  </select>
+                  <div class="help-text">
+                    If selected, when a user logs in via this OIDC provider, they will be automatically bound to their user in <strong>{{ config.AUTHENTICATION_TYPE }}</strong> by matching the selected field from the OIDC provider to the associated user in {{ config.AUTHENTICATION_TYPE }}.
+                  </div>
+                  <div class="help-text">
+                    For example, selecting <code>Subject</code> here with a backing authentication system of LDAP means that a user logging in via this OIDC provider will also be bound to their user in LDAP by username.
+                  </div>
+                  <div class="help-text">
+                    If none selected, a <strong>user unique to <span class="registry-name"></span></strong> will be created on initial login with this OIDC provider. <strong>This is not the recommended setup.</strong>
+                  </div>
+                </td>
+              </tr>
             </table>
 
           </div>