Support SAML authentication #25165
FYI, I'm doing some testing of this against a CAS IdP. A few things I'm noticing so far:
I've not gotten a successful handshake to work yet (getting an "invalid transform" from the AuthN signature on my IdP, but I'm thinking that's an IdP setting), but I'm imagining that ultimately the response is validated (somehow) against the "Authentication Sign-In Name" on the "Edit User" page (my original thought was matching NameIDs but that obv won't work for transients). Were you thinking of the ability to map specific response attributes to Gitea user fields? And/or auto-provisioning? I'm happy to start picking away at the things I mentioned above, I just don't want to step on any toes.
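The comment above raises the core linking question: which value in a SAML Response can be matched against a locally stored sign-in name, and why a transient NameID cannot. The following is an added illustration, not code from this PR or from Gitea: it parses a constructed SAML 2.0 Response with the standard library, checks the status, reads the NameID and its Format, collects released attributes, and then chooses a stable link identifier (the NameID for persistent/email formats, a configured attribute such as `uid` for transient ones). The sample response, the `uid`/`mail` attribute names and the `link_identifier` helper are this example's own assumptions; the element names and format URIs are from the SAML 2.0 specification. Signature verification of the raw XML is assumed to have already succeeded; nothing below should be trusted before that.

```python
# Added example (not Gitea's code): parse a SAML 2.0 Response and decide which
# value can be used to link the assertion to a local account. Element names and
# NameID format URIs are from the SAML 2.0 specification; the sample response
# below is constructed for this example. Signature verification is assumed to
# have already happened on the raw XML; nothing here is trustworthy before it.
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
FMT_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
FMT_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
FMT_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
FMT_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed sample: a transient NameID plus two attributes the IdP releases.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.test/idp</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_8f3c2d</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="uid">
        <saml:AttributeValue>alice</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="mail">
        <saml:AttributeValue>alice@example.test</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_response(xml_text):
    """Return status, NameID value/format and released attributes from a Response."""
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != STATUS_SUCCESS:
        raise ValueError("response status is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no Assertion")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion carries no NameID")
    attributes = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attributes[attr.get("Name")] = values
    return {
        "name_id": name_id.text.strip(),
        "format": name_id.get("Format", FMT_UNSPECIFIED),
        "attributes": attributes,
    }


def link_identifier(parsed, attribute_name=None):
    """Pick the value to compare against the locally stored sign-in name.

    persistent/email NameIDs are stable across logins and can be used directly.
    transient NameIDs are minted per session, so linking must fall back to a
    configured attribute (attribute_name, e.g. "uid"); without one there is no
    stable identifier and the login is rejected rather than guessed at.
    """
    fmt = parsed["format"]
    if fmt in (FMT_PERSISTENT, FMT_EMAIL):
        return parsed["name_id"]
    if attribute_name:
        values = parsed["attributes"].get(attribute_name) or []
        if len(values) == 1 and values[0]:
            return values[0]
        raise ValueError(f"attribute {attribute_name!r} missing or not single-valued")
    if fmt == FMT_TRANSIENT:
        raise ValueError("transient NameID cannot be linked without a mapped attribute")
    # unspecified or other formats: stable only if the IdP documents it, so demand an explicit mapping
    raise ValueError(f"NameID format {fmt!r} needs an explicit attribute mapping")


if __name__ == "__main__":
    parsed = parse_response(SAMPLE_RESPONSE)
    print(parsed["format"].rsplit(":", 1)[-1], "->", link_identifier(parsed, "uid"))
```

Running the block links the sample through its `uid` attribute; calling `link_identifier` on the same transient assertion without an attribute name raises, which is the failure mode the comment above anticipates.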
@bwinston-sdp thanks so much for testing out this PR, especially against the idp you are using. I've just spun up a simple idp for my testing so having an actual one is so helpful.
Should this be part of 1.21 milestone? Anything we can do to help support it? We're also getting a significant number of requests for SAML support.
Don't want to step on @techknowlogick or @wfjake toes, but from my perspective, if the freeze is still targeted for 9/3 (per #25123), I don't see this being ready. I'm happy to do more testing and/or development as time permits, but my August is not forgiving and so I'll likely not be able to contribute as much as I'd like pre-1.21. I also don't know what the Gitea methodology is for incorporating features like this -- I find SAML integrations to be wildly different in complexity and what is supported. Would you want "Gitea supports SAML any which way", or "Gitea supports SAML, so long as you do it in this specific way"? I like the latter for simplicity (and this PR approaches that), but in my experience SAML tends to be used by larger institutions, who often like the ability to pull various levers. It may make sense to just try and get the simple thing over the finish line, which may bring folks who are interested in lever-pulling out of the woodwork to enhance. As far as support, I think the biggest thing I can think of that would help move this along is testing/feedback from folks using various IdPs (ideally bigger ones -- Azure, Okta, Clever, etc). Maybe from some of the many requestors :)
I have run this PR against OKTA and the round-trip went smoothly but there's not much to test beyond that with the callback being unimplemented (unless I'm missing something?). I did have some issues with the UI while configuring it, which I can provide feedback on if we're okay deviating to minutia at this stage. For those interested in testing big players themselves, OKTA offers a free developer account with most features available. This is how I test against it.
Thanks @garymoon! You're not missing anything -- without the callback there's not much else to test from a login perspective, it's mostly just configuration at this point.
@techknowlogick this is increasing in priority for us - do you have any additional development on that that needs to be pushed? What else needs to be completed to get this initial version merged? Are you open to stacked branches here?
rubber stamp
@6543 there was no last call on this, and we should've given the reviewers who blocked it a chance to review again without dismissing them or at least pinging them. This is an XXL sized PR, and we shouldn't rush to merge them. I'll revert to give everyone an appropriate chance to review, and ask follow up questions.
* giteaofficial/main:
  Start to migrate from `util.OptionalBool` to `optional.Option[bool]` (go-gitea#29329)
  Add slow SQL query warning (go-gitea#27545)
  Unify organizations header (go-gitea#29248)
  Frontport changelogs of minor releases (go-gitea#29337)
  Support SAML authentication (go-gitea#25165)
  Upgrade to fabric 6 (go-gitea#29334)
  Don't show third-party JS errors in production builds (go-gitea#29303)
  Remove bountysource (go-gitea#29330)
  Remove unnecessary "Str2html" modifier from templates (go-gitea#29319)
  Ignore the linux anchor point to avoid linux migrate failure (go-gitea#29295)
  Remove jQuery from the repo commit functions (go-gitea#29230)
  Remove unnecessary "Safe" modifier from templates (go-gitea#29318)
  Remove jQuery from the image pasting functionality (go-gitea#29324)
  Improve the `issue_comment` workflow trigger event (go-gitea#29277)
  Properly migrate automatic merge GitLab comments (go-gitea#27873)
  Refactor cmd setup and remove deadcode (go-gitea#29313)
  small cache when get user id on interation (go-gitea#29296)
  Discard unread data of `git cat-file` (go-gitea#29297)
  Don't install playwright twice (go-gitea#29302)

  # Conflicts:
  # templates/home.tmpl
The review todos were addressed and I do prefer a followup pull if issues get discovered to be addressed. But if you want to revert and redo reviewing it I'm also fine with that.
This reverts commit 5bb8d19.
This reverts #25165 (5bb8d19), as there was a chance some important reviews got missed. So after reverting this patch it will be resubmitted for reviewing again #25165 (comment). Temporarily open #5512 again.
Closes go-gitea#5512

This PR adds basic SAML support
- Adds SAML 2.0 as an auth source
- Adds SAML configuration documentation
- Adds integration test:
  - Use bare-bones SAML IdP to test protocol flow and test account is linked successfully (only runs on Postgres by default)
- Adds documentation for configuring and running SAML integration test locally

Future PRs:
- Support group mapping
- Support auto-registration (account linking)

Co-Authored-By: @jackHay22
---------
Co-authored-by: jackHay22 <jack@allspice.io>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: Jason Song <i@wolfogre.com>
Co-authored-by: morphelinho <morphelinho@users.noreply.github.com>
Co-authored-by: Zettat123 <zettat123@gmail.com>
Co-authored-by: Yarden Shoham <git@yardenshoham.com>
Co-authored-by: 6543 <6543@obermui.de>
Co-authored-by: silverwind <me@silverwind.io>
resubmitted for review: #29403
To all reviewers here, please re-review this at #29403