Support SAML 2.0 as Login-Source (Service Provider)

[frostieDE]

It would be nice to be able to configure Gitea as a SAML service provider in order to integrate Gitea with a corporate Single-Sign-On mechanism.

[techknowlogick]

@frostieDE which IDP are you using (so that it can be tested against)?

[nigeltiany]

gSuite/Google Admin is a good test

[frostieDE]

We are using an own implementation of a SAML IdP, you may use https://github.com/capriza/samling or https://simplesamlphp.org/ for testing (but I hope there is a library for SAML stuff) :-)

[jtl999]

@frostieDE Very interesting with regards to your IdP implementation. I too think this would be a great feature for Gitea.

[frostieDE]

This library looks promising: https://github.com/crewjam/saml

Unfortunately, I do not have any experience with Go programming 😄

[d-Pixie]

I was also looking for a good way to extend our G Suite identities into Gitea. Any thoughts on this internally @techknowlogick ?

[lpar]

I have experience integrating Go web applications with IBM's SAML infrastructure. I've successfully used https://github.com/russellhaering/gosaml2 for the task.

[techknowlogick]

@d-Pixie you could use OpenID Connect (Oauth2) for GSuite for now.

I second @lpar's suggestion of https://github.com/russellhaering/gosaml2 as having used it and crewjam's, I prefer ressell's.

[chb0github]

Is SAML supported? I'm confused.

[fuero]

As SAML based authentication has lots of login flow scenarios with libraries in different languages supporting them often poorly, I'd suggest leaving the heavy SAML2 lifting to a proxy/preauthentication scenario.
Examples given are for the Shibboleth SAML2 reference SP implementation.

How it would work:

• Set up a webserver in front of gitea with lazy saml2 session initialization
• Introduce config settings in gitea to map HTTP Headers to user id and roles/groups, similar to the attribute mapping done for LDAP. (e.g. REMOTE_USER, uid, entitlement, X-Forwarded-*, etc.)
• Make header name and header value to group mapping configurable (e.g.: entitlement = https://gitea.example.com/role/([^/]+) -> $1, mapping https://gitea.example.com/role/admin to the admin group)
• Redirect the user on login to a configurable "magic url" (e.g. /Shibboleth.sso/Login)
• Verify a SAML session via presence of a configurable HTTP Header (e.g. Shib_Session_ID)

[Zocker1999NET]

@fuero Good idea, this would allow Gitea to "support" any authentication scheme available. To extend this approach:

• make it possible to create or reconfigure a user using this scheme (a cool feature nearly every SAML implementation I use does support, e.g. Nextcloud)
  • if a user does not exist, create it with the given configuration parameters
  • if a user does exist, update the given parameters if required
  • X-GITEA-USERNAME configures username
  • X-GITEA-FULLNAME configures display/full name
  • X-GITEA-MAIL configures mail address

[nlincke]

This is a bad idea! This would blow GITEA up alot! SAML2, or OIDC for that matter, are quite simple (you do not have to integrate everithing since gitea needs to act as a service and not as an IDP. And since oAuth is already incoperated into gitea OIDC is just a "small" addon. If you are making use of well known libaries like (https://github.com/crewjam/saml), it will be mor complicatetd to come up with a well designed user admin interface....

I am always a fan of doing the security right in the application not infront of the application.

[MohammedNoureldin]

Isn't there at the moment any workaround to get SSO in GitTea?

[Zocker1999NET]

Isn't there at the moment any workaround to get SSO in GitTea?

Gitea already supports OpenID Connect (OIDC) / OAuth2. If your identity provider does only support SAML, you can implement a middle-man service to "translate" between SAML & OIDC. Keycloak can do that, it is a little bit heavy to configure but it does its job well. There are maybe also alternatives to Keycloak which can do the same.

[MohammedNoureldin]

Isn't there at the moment any workaround to get SSO in GitTea?

Gitea already supports OpenID Connect (OIDC) / OAuth2. If your identity provider does only support SAML, you can implement a middle-man service to "translate" between SAML & OIDC. Keycloak can do that, it is a little bit heavy to configure but it does its job well. There are maybe also alternatives to Keycloak which can do the same.

Thanks! I am still a noob in SSO, SAML and OIDC. I have to educate myself a bit more in these topics.

Does it have to be KeyCloak for some reason? Or does Authentik for example also work?

[Zocker1999NET]

Thanks! I am still a noob in SSO, SAML and OIDC. I have to educate myself a bit more in these topics.

Does it have to be KeyCloak for some reason? Or does Authentik for example also work?

Following their comparison chart, Authentik seems to support this as they can provide OIDC and support federating with SAML. So it should be possible.

[timka]

Isn't there at the moment any workaround to get SSO in GitTea?

Gitea already supports OpenID Connect (OIDC) / OAuth2. If your identity provider does only support SAML, you can implement a middle-man service to "translate" between SAML & OIDC. Keycloak can do that, it is a little bit heavy to configure but it does its job well. There are maybe also alternatives to Keycloak which can do the same.

Thanks! I am still a noob in SSO, SAML and OIDC. I have to educate myself a bit more in these topics.

Does it have to be KeyCloak for some reason? Or does Authentik for example also work?

I'm using Gitea with Authentic OpenID as in their docs. It works but I still have some issues which at the first glance don't have anything to do with this auth provider. Namely Gitea doesn't set session cookie expiration time and my users keep complaining they need to do 5 click sign-in too often. Obviously this isn't quite SSO yet but this shouldn't be hard to fix.

[MohammedNoureldin]

@timka @Zocker1999NET , thank you both! Should there be any difference between using Authentik or KeyCloak for this puprose? I don't think so right?

[timka]

I haven't used KeyCloak. I've chosen Authentic simply b/c it's not Java and has more features.

…

On Tue, 25 Oct 2022 at 20:50, Mohammed Noureldin ***@***.***> wrote: @timka <https://github.com/timka> @Zocker1999NET <https://github.com/Zocker1999NET> , thank you both! Should there be any difference between using Authentik or KeyCloak? I don't think so right? — Reply to this email directly, view it on GitHub <#5512 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAAU6AR2J37MSRILO5IXPVTWFAMV3ANCNFSM4GJNSWCQ> . You are receiving this because you were mentioned.Message ID: ***@***.***>

-- Timur Izhbulatov +7 (910) 4604059

[Zocker1999NET]

@timka @Zocker1999NET , thank you both! Should there be any difference between using Authentik or KeyCloak for this puprose? I don't think so right?

Don't know much about Authentik (have only used Keycloak until now) but it seems to me that Keycloak is the "can more than you need & want" solution (highly adaptable but sometimes a mess to configure & some features require custom JavaScript code extensions) and Authentik looks more like the "Apple" solution to me (may has not all features you may dream of, but is much easier to configure). I think for your use case, Authentik should be good enough & the better choice.

[6543]

need to look at https://github.com/mattermost/gosaml2, https://github.com/russellhaering/gosaml2, https://github.com/crewjam/saml ...

[6543]

saml:Attribute Name="memberOf" is also interesting to do some mapping to org/team memberships ...

... but that's an addition to the initial support I would say :)

[bwinston-sdp]

hey @wfjake let me know if you'd like some help, i'm definitely interested in this feature as well!