Update GitLab OIDC to SAML by default #102

Closed
Tracked by #12
Racer159 opened this issue Apr 1, 2024 · 4 comments

Labels
enhancement ✨ New feature or request

Comments

@Racer159
Contributor

Racer159 commented Apr 1, 2024

Is your feature request related to a problem? Please describe.

As Ezra I want SAML to be the default GitLab auth so that I can have a more secure default for larger environments.

Describe the solution you'd like

  • Given I specify SSO to be on within the GitLab package
  • And provide no additional bundle overrides
  • When I deploy the package to the cluster
  • Then GitLab will be configured to connect to Keycloak over SAML.

Describe alternatives you've considered

We could leave it as is with OIDC but this is less secure: https://github.com/defenseunicorns/uds-package-gitlab/blob/main/adr/0002-keycloak-integration.md#decision

Additional context

This should minimize breakage for consumers - an option to keep OIDC for those that have / want it should be considered.

@Racer159
Contributor Author

Racer159 commented Apr 30, 2024

When doing this we should normalize this package with helm best practices and the new sonarqube package's way of doing things - namely providing consistent values keys for sso configuration (i.e. sso.enabled in the config chart)

This will be a breaking change so we should call that out in the release notes / PR (with a !)

@Racer159
Contributor Author

Ignore that previous comment - this is being done here: #115

@Racer159
Contributor Author

Normalization should still happen where we still need to do it, though.

@ericwyles
Contributor

ericwyles commented May 7, 2024

Need this PR merged and a new release of uds-core to finish testing. defenseunicorns/uds-identity-config#77

EDIT: PR to uds-identity-config is merged and included in uds-core main. Just waiting on uds-core next release.

Racer159 added a commit that referenced this issue May 24, 2024
## Description

This PR adds saml protocol support for SSO and sets it as the default.
To go back to OIDC, set the value `sso.protocol` to `openid_connect`
(example in `bundle/uds-config.yaml`)

Also, when `saml` is set as the protocol, this also enables granting
admin access to gitlab using keycloak group membership. By default,
being a member of either `/GitLab Admin` or `/UDS Core/Admin` in
keycloak will grant GitLab admin access.

## Related Issue

Relates to #102

## Type of change

- [ ] Bug fix (non-breaking change which fixes an issue)
- [x] New feature (non-breaking change which adds functionality)
- [x] Other (security config, docs update, etc)

## Checklist before merging

- [x] Test, docs, adr added or updated as needed
- [x] [Contributor Guide
Steps](https://github.com/defenseunicorns/uds-package-gitlab/blob/main/CONTRIBUTING.md#developer-workflow)
followed

---------

Co-authored-by: Wayne Starr <Racer159@users.noreply.github.com>
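The commit message above says that, with `saml` as the protocol, membership in either `/GitLab Admin` or `/UDS Core/Admin` in Keycloak grants GitLab admin access. The following is an added illustration of that rule, written for this page; it is not code from uds-package-gitlab, uds-core or GitLab. It assumes the groups arrive as a list of full Keycloak group paths under a SAML attribute here called `groups` (the attribute name and the sample assertions are constructed), and it shows the two properties a reviewer would want checked: group paths are matched exactly, so a path such as `/GitLab Admin/Readonly` does not confer admin, and a missing or empty groups attribute fails closed.

```python
"""Illustrative group-to-admin mapping for a SAML-backed GitLab login.

Added example for this page; not the package's or GitLab's own code.
"""
from typing import Iterable, Mapping, Optional

# Default admin groups as named in the commit message (full Keycloak group paths).
DEFAULT_ADMIN_GROUPS = frozenset({"/GitLab Admin", "/UDS Core/Admin"})


def is_admin(groups: Optional[Iterable[str]],
             admin_groups: frozenset = DEFAULT_ADMIN_GROUPS) -> bool:
    """Return True only if at least one asserted group path exactly equals an admin group.

    Exact matching is deliberate: prefix or substring matches would let a
    sub-group such as "/GitLab Admin/Readonly" inherit admin. A missing or
    empty groups attribute yields False (fail closed).
    """
    if not groups:
        return False
    return any(group in admin_groups for group in groups)


def admin_from_assertion(attributes: Mapping[str, list],
                         groups_attribute: str = "groups",  # assumed attribute name
                         admin_groups: frozenset = DEFAULT_ADMIN_GROUPS) -> bool:
    """Evaluate the admin rule against a parsed SAML attribute statement.

    `attributes` maps attribute names to lists of values, which is how SAML
    multi-valued attributes are normally surfaced after parsing.
    """
    return is_admin(attributes.get(groups_attribute), admin_groups)


# Constructed sample attribute statements (not captured from a real IdP).
SAMPLE_ASSERTIONS = {
    "core_admin": {"email": ["ezra@example.test"],
                   "groups": ["/Developers", "/UDS Core/Admin"]},
    "lookalike_subgroup": {"email": ["eve@example.test"],
                           "groups": ["/GitLab Admin/Readonly"]},
    "no_groups_attribute": {"email": ["mallory@example.test"]},
}


def evaluate_samples() -> dict:
    """Run the rule over the constructed samples; returns {name: is_admin}."""
    return {name: admin_from_assertion(attrs) for name, attrs in SAMPLE_ASSERTIONS.items()}


if __name__ == "__main__":
    for name, result in evaluate_samples().items():
        print(f"{name}: admin={result}")
```

Running the module prints one line per sample; only `core_admin` resolves to admin. Operators who override the default group list should keep the exact-match semantics rather than switching to pattern matching, since the admin decision hinges on it.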