Update GitLab OIDC to SAML by default #102
Comments
When doing this we should normalize this package with helm best practices and the new sonarqube package's way of doing things - namely providing consistent values keys for sso configuration (i.e. This will be a breaking change so we should call that out in the release notes / PR (with a
Ignore that previous comment - this is being done here: #115
Normalization should still happen where we still need to do it, though.
Need this PR merged and a new release of uds-core to finish testing. defenseunicorns/uds-identity-config#77 EDIT: PR to uds-identity-config is merged and included in uds-core main. Just waiting on uds-core next release. |
## Description

This PR adds SAML protocol support for SSO and sets it as the default. To go back to OIDC, set the value `sso.protocol` to `openid_connect` (example in `bundle/uds-config.yaml`).

Also, when `saml` is set as the protocol, this also enables granting admin access to GitLab using Keycloak group membership. By default, being a member of either `/GitLab Admin` or `/UDS Core/Admin` in Keycloak will grant GitLab admin access.

## Related Issue

Relates to #102

## Type of change

- [ ] Bug fix (non-breaking change which fixes an issue)
- [x] New feature (non-breaking change which adds functionality)
- [x] Other (security config, docs update, etc)

## Checklist before merging

- [x] Test, docs, adr added or updated as needed
- [x] [Contributor Guide Steps](https://github.com/defenseunicorns/uds-package-gitlab/blob/main/CONTRIBUTING.md#developer-workflow) followed

---------

Co-authored-by: Wayne Starr <Racer159@users.noreply.github.com>
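The PR description above says that, only when the protocol is `saml`, Keycloak group membership in `/GitLab Admin` or `/UDS Core/Admin` grants GitLab admin access. The following is an added example, not code from uds-package-gitlab, GitLab or Keycloak, that shows where that decision actually comes from: the group paths arrive as `AttributeValue` entries inside the SAML assertion's `AttributeStatement`, and the service provider compares them, exactly and path-sensitively, against its configured admin groups. The attribute name `Groups`, the `protocol` parameter and the helper names are assumptions for illustration; the two default group paths are the ones named in the PR. The sample assertions are constructed inline and are unsigned, which is why the code says so and never pretends to verify them.

```python
"""Added example (not the uds-package-gitlab project's code): applying the
SAML-only "admin by Keycloak group" rule to the group attribute of an assertion."""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumption: the IdP places full Keycloak group paths in an attribute named
# "Groups". The attribute name is configurable on both the IdP and GitLab side.
GROUPS_ATTRIBUTE = "Groups"
# Default admin groups as named in the PR description.
DEFAULT_ADMIN_GROUPS = ("/GitLab Admin", "/UDS Core/Admin")


def group_memberships(assertion_xml: str, attribute: str = GROUPS_ATTRIBUTE) -> list:
    """Return every value of the group attribute found in the assertion.

    This function does NOT verify the assertion's XML signature, issuer,
    audience or validity window. A real SP must do all of that before it
    trusts a single attribute value; this only shows the extraction step.
    """
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") != attribute:
            continue
        for value in attr.iterfind("saml:AttributeValue", SAML_NS):
            if value.text:
                values.append(value.text.strip())
    return values


def is_admin(groups, admin_groups=DEFAULT_ADMIN_GROUPS) -> bool:
    """Exact, path-sensitive match: '/GitLab Admin/Ops' is not '/GitLab Admin'."""
    return any(g in admin_groups for g in groups)


def grants_admin(protocol: str, assertion_xml: str) -> bool:
    """Mirror the PR's rule: group-based admin only applies when protocol is saml.

    With protocol set back to openid_connect the group mapping is simply not
    consulted, so nobody is promoted by this path (assumed helper, not GitLab API).
    """
    if protocol != "saml":
        return False
    return is_admin(group_memberships(assertion_xml))


def _assertion(*groups: str) -> str:
    """Build a minimal, constructed (unsigned) assertion carrying the given groups."""
    values = "".join(
        f"<saml:AttributeValue>{g}</saml:AttributeValue>" for g in groups
    )
    attribute_statement = (
        f'<saml:AttributeStatement><saml:Attribute Name="{GROUPS_ATTRIBUTE}">'
        f"{values}</saml:Attribute></saml:AttributeStatement>"
        if groups else ""
    )
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'ID="_constructed-example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
        "<saml:Issuer>https://keycloak.example.invalid/realms/uds</saml:Issuer>"
        "<saml:Subject><saml:NameID>ezra</saml:NameID></saml:Subject>"
        f"{attribute_statement}</saml:Assertion>"
    )


# Constructed sample assertions (not captured from any real deployment).
ADMIN_ASSERTION = _assertion("/GitLab Admin", "/Developers")
UDS_CORE_ADMIN_ASSERTION = _assertion("/UDS Core/Admin")
NESTED_ASSERTION = _assertion("/GitLab Admin/Ops")   # subgroup, not the admin group
NO_GROUPS_ASSERTION = _assertion()


if __name__ == "__main__":
    for name, xml in (("admin", ADMIN_ASSERTION), ("nested", NESTED_ASSERTION),
                      ("none", NO_GROUPS_ASSERTION)):
        print(name, group_memberships(xml), grants_admin("saml", xml))
```

Two things worth checking in a real deployment follow from this: the group attribute name and path format must agree between the Keycloak client mapper and the GitLab SAML settings, and the match is on the full path, so a nested subgroup under `/GitLab Admin` does not inherit admin.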
Is your feature request related to a problem? Please describe.
As Ezra I want SAML to be the default GitLab auth so that I can have a more secure default for larger environments.
Describe the solution you'd like
Describe alternatives you've considered
We could leave it as is with OIDC but this is less secure: https://github.com/defenseunicorns/uds-package-gitlab/blob/main/adr/0002-keycloak-integration.md#decision
Additional context
This should minimize breakage for consumers - an option to keep OIDC for those that have / want it should be considered.