-
-
Notifications
You must be signed in to change notification settings - Fork 5.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support SAML 2.0 as Login-Source (Service Provider) #5512
Comments
@frostieDE which IDP are you using (so that it can be tested against)? |
gSuite/Google Admin is a good test |
We are using an own implementation of a SAML IdP, you may use https://github.com/capriza/samling or https://simplesamlphp.org/ for testing (but I hope there is a library for SAML stuff) :-) |
@frostieDE Very interesting with regards to your IdP implementation. I too think this would be a great feature for Gitea. |
This library looks promising: https://github.com/crewjam/saml Unfortunately, I do not have any experience with Go programming 😄 |
I was also looking for a good way to extend our G Suite identities into Gitea. Any thoughts on this internally @techknowlogick ? |
I have experience integrating Go web applications with IBM's SAML infrastructure. I've successfully used https://github.com/russellhaering/gosaml2 for the task. |
@d-Pixie you could use OpenID Connect (Oauth2) for GSuite for now. I second @lpar's suggestion of https://github.com/russellhaering/gosaml2 as having used it and crewjam's, I prefer ressell's. |
Is SAML supported? I'm confused. |
As SAML based authentication has lots of login flow scenarios with libraries in different languages supporting them often poorly, I'd suggest leaving the heavy SAML2 lifting to a proxy/preauthentication scenario. How it would work:
|
@fuero Good idea, this would allow Gitea to "support" any authentication scheme available. To extend this approach:
|
This is a bad idea! This would blow GITEA up alot! SAML2, or OIDC for that matter, are quite simple (you do not have to integrate everithing since gitea needs to act as a service and not as an IDP. And since oAuth is already incoperated into gitea OIDC is just a "small" addon. If you are making use of well known libaries like (https://github.com/crewjam/saml), it will be mor complicatetd to come up with a well designed user admin interface.... I am always a fan of doing the security right in the application not infront of the application. |
Isn't there at the moment any workaround to get SSO in GitTea? |
Gitea already supports OpenID Connect (OIDC) / OAuth2. If your identity provider does only support SAML, you can implement a middle-man service to "translate" between SAML & OIDC. Keycloak can do that, it is a little bit heavy to configure but it does its job well. There are maybe also alternatives to Keycloak which can do the same. |
Thanks! I am still a noob in SSO, SAML and OIDC. I have to educate myself a bit more in these topics. Does it have to be KeyCloak for some reason? Or does Authentik for example also work? |
Following their comparison chart, Authentik seems to support this as they can provide OIDC and support federating with SAML. So it should be possible. |
I'm using Gitea with Authentic OpenID as in their docs. It works but I still have some issues which at the first glance don't have anything to do with this auth provider. Namely Gitea doesn't set session cookie expiration time and my users keep complaining they need to do 5 click sign-in too often. Obviously this isn't quite SSO yet but this shouldn't be hard to fix. |
@timka @Zocker1999NET , thank you both! Should there be any difference between using Authentik or KeyCloak for this puprose? I don't think so right? |
I haven't used KeyCloak. I've chosen Authentic simply b/c it's not Java and
has more features.
…On Tue, 25 Oct 2022 at 20:50, Mohammed Noureldin ***@***.***> wrote:
@timka <https://github.com/timka> @Zocker1999NET
<https://github.com/Zocker1999NET> , thank you both! Should there be any
difference between using Authentik or KeyCloak? I don't think so right?
—
Reply to this email directly, view it on GitHub
<#5512 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAAU6AR2J37MSRILO5IXPVTWFAMV3ANCNFSM4GJNSWCQ>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
--
Timur Izhbulatov
+7 (910) 4604059
|
Don't know much about Authentik (have only used Keycloak until now) but it seems to me that Keycloak is the "can more than you need & want" solution (highly adaptable but sometimes a mess to configure & some features require custom JavaScript code extensions) and Authentik looks more like the "Apple" solution to me (may has not all features you may dream of, but is much easier to configure). I think for your use case, Authentik should be good enough & the better choice. |
This comment was marked as outdated.
This comment was marked as outdated.
... but that's an addition to the initial support I would say :) |
hey @wfjake let me know if you'd like some help, i'm definitely interested in this feature as well! |
Closes #5512 This PR adds basic SAML support - Adds SAML 2.0 as an auth source - Adds SAML configuration documentation - Adds integration test: - Use bare-bones SAML IdP to test protocol flow and test account is linked successfully (only runs on Postgres by default) - Adds documentation for configuring and running SAML integration test locally Future PRs: - Support group mapping - Support auto-registration (account linking) Co-Authored-By: @jackHay22 --------- Co-authored-by: jackHay22 <jack@allspice.io> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> Co-authored-by: KN4CK3R <admin@oldschoolhack.me> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: Jason Song <i@wolfogre.com> Co-authored-by: morphelinho <morphelinho@users.noreply.github.com> Co-authored-by: Zettat123 <zettat123@gmail.com> Co-authored-by: Yarden Shoham <git@yardenshoham.com> Co-authored-by: 6543 <6543@obermui.de> Co-authored-by: silverwind <me@silverwind.io>
This reverts #25165 (5bb8d19), as there was a chance some important reviews got missed. so after reverting this patch it will be resubmitted for reviewing again #25165 (comment) temporary Open #5512 again
Closes go-gitea#5512 This PR adds basic SAML support - Adds SAML 2.0 as an auth source - Adds SAML configuration documentation - Adds integration test: - Use bare-bones SAML IdP to test protocol flow and test account is linked successfully (only runs on Postgres by default) - Adds documentation for configuring and running SAML integration test locally Future PRs: - Support group mapping - Support auto-registration (account linking) Co-Authored-By: @jackHay22 --------- Co-authored-by: jackHay22 <jack@allspice.io> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> Co-authored-by: KN4CK3R <admin@oldschoolhack.me> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: Jason Song <i@wolfogre.com> Co-authored-by: morphelinho <morphelinho@users.noreply.github.com> Co-authored-by: Zettat123 <zettat123@gmail.com> Co-authored-by: Yarden Shoham <git@yardenshoham.com> Co-authored-by: 6543 <6543@obermui.de> Co-authored-by: silverwind <me@silverwind.io>
It would be nice to be able to configure Gitea as a SAML service provider in order to integrate Gitea with a corporate Single-Sign-On mechanism.
The text was updated successfully, but these errors were encountered: