SSO using OpenID Connect #3899

Open. Wants to merge 27 commits into base: main. The diff shown below is from 23 of the 27 commits.

Commits (27):
671f7a1  Add SSO functionality using OpenID Connect  (tribut, Aug 30, 2023)
fefa55c  Improvements and error handling  (Timshel, Sep 12, 2024)
524d65e  Stop rolling device token  (Timshel, Apr 15, 2024)
927968d  Add playwright tests  (Timshel, Sep 25, 2024)
d6af686  Activate PKCE by default  (Timshel, Oct 7, 2024)
fb5b568  Ensure result order when searching for sso_user  (Timshel, Oct 7, 2024)
8dfaee6  add SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION  (Timshel, Oct 7, 2024)
a9cc0e5  Toggle SSO button in scss  (Timshel, Nov 18, 2024)
a85bdb2  Base64 encode state before sending it to providers  (Timshel, Nov 28, 2024)
3617be0  Prevent disabled User from SSO login  (Timshel, Nov 28, 2024)
b9e257b  Review fixes  (Timshel, Dec 30, 2024)
0e8a462  Remove unused UserOrganization.invited_by_email  (Timshel, Jan 2, 2025)
bee619f  Split SsoUser::find_by_identifier_or_email  (Timshel, Jan 2, 2025)
44045a8  api::Accounts::verify_password add the policy even if it's ignored  (Timshel, Jan 3, 2025)
ce5368f  Disable signups if SSO_ONLY is activated  (Timshel, Jan 3, 2025)
a5ce1c3  Add verifiedDate to organizations::get_org_domain_sso_details  (Timshel, Jan 7, 2025)
f353933  Review fixes  (Timshel, Jan 10, 2025)
6129214  Merge remote-tracking branch 'dani/main' into sso-support  (Timshel, Jan 10, 2025)
2f4d2da  Remove OrganizationId guard from get_master_password_policy  (Timshel, Jan 10, 2025)
16c230e  Add wrapper type OIDCCode OIDCState OIDCIdentifier  (Timshel, Jan 10, 2025)
795328b  Merge remote-tracking branch 'dani/main' into sso-support  (Timshel, Jan 13, 2025)
3ec4b0c  Merge remote-tracking branch 'dani/main' into sso-support  (Timshel, Jan 15, 2025)
da8be29  Membership::confirm_user_invitations fix and tests  (Timshel, Jan 16, 2025)
6f9b88e  Allow set-password only if account is uninitialized  (Timshel, Jan 16, 2025)
0b556b2  Review fixes  (Timshel, Jan 16, 2025)
ae1c17a  Prevent accepting another user invitation  (Timshel, Jan 17, 2025)
6ee5580  Merge remote-tracking branch 'dani/main' into sso-support  (Timshel, Jan 24, 2025)
40 changes: 40 additions & 0 deletions .env.template
Expand Up @@ -161,6 +161,10 @@
## Cron schedule of the job that cleans expired Duo contexts from the database. Does nothing if Duo MFA is disabled or set to use the legacy iframe prompt.
## Defaults to every minute. Set blank to disable this job.
# DUO_CONTEXT_PURGE_SCHEDULE="30 * * * * *"
#
## Cron schedule of the job that cleans sso nonce from incomplete flow
## Defaults to daily (20 minutes after midnight). Set blank to disable this job.
# PURGE_INCOMPLETE_SSO_NONCE="0 20 0 * * *"

########################
### General settings ###
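Review bot: the new job setting `PURGE_INCOMPLETE_SSO_NONCE` does not follow the naming of the neighbouring `DUO_CONTEXT_PURGE_SCHEDULE`; rename it to something like `SSO_NONCE_PURGE_SCHEDULE` (at minimum keep a `_SCHEDULE` suffix) so an operator can tell it holds a cron expression rather than a boolean. The comment should also read "cleans SSO nonces left by incomplete flows". Separately, a daily purge is housekeeping, not a validity window: please confirm, and say in the comment, that a stored nonce is also rejected on use after a short expiry, otherwise an abandoned authorization request could remain redeemable until the next purge run.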
Expand Down Expand Up @@ -444,6 +448,42 @@
## Setting this to true will enforce the Single Org Policy to be enabled before you can enable the Reset Password policy.
# ENFORCE_SINGLE_ORG_WITH_RESET_PW_POLICY=false

#####################################
### SSO settings (OpenID Connect) ###
#####################################

## Controls whether users can login using an OpenID Connect identity provider
# SSO_ENABLED=false
## Prevent users from logging in directly without going through SSO
# SSO_ONLY=false
## On SSO Signup if a user with a matching email already exists make the association
# SSO_SIGNUPS_MATCH_EMAIL=true
## Allow unknown email verification status. Allowing this with `SSO_SIGNUPS_MATCH_EMAIL=true` open potential account takeover.
# SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION=false
## Base URL of the OIDC server (auto-discovery is used)
## - Should not include the `/.well-known/openid-configuration` part and no trailing `/`
## - ${SSO_AUTHORITY}/.well-known/openid-configuration should return a json document: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse
# SSO_AUTHORITY=https://auth.example.com
## Authorization request scopes. Optional SSO scopes, override if email and profile are not enough (`openid` is implicit).
#SSO_SCOPES="email profile"
## Additionnal authorization url parameters (ex: to obtain a `refresh_token` with Google Auth).
# SSO_AUTHORIZE_EXTRA_PARAMS="access_type=offline&prompt=consent"
## Activate PKCE for the Auth Code flow.
# SSO_PKCE=true
## Regex to add additionnal trusted audience to Id Token (by default only the client_id is trusted).
# SSO_AUDIENCE_TRUSTED='^$'
## Set your Client ID and Client Key
# SSO_CLIENT_ID=11111
# SSO_CLIENT_SECRET=AAAAAAAAAAAAAAAAAAAAAAAA
## Optional Master password policy (minComplexity=[0-4]), `enforceOnLogin` is not supported at the moment.
# SSO_MASTER_PASSWORD_POLICY='{"enforceOnLogin":false,"minComplexity":3,"minLength":12,"requireLower":false,"requireNumbers":false,"requireSpecial":false,"requireUpper":false}'
## Use sso only for authentication not the session lifecycle
# SSO_AUTH_ONLY_NOT_SESSION=false
## Client cache for discovery endpoint. Duration in seconds (0 to disable).
# SSO_CLIENT_CACHE_EXPIRATION=0
## Log all the tokens, LOG_LEVEL=debug is required
# SSO_DEBUG_TOKENS=false

########################
### MFA/2FA settings ###
########################
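Review bot: the account-takeover warning on `SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION` is welcome, but the same risk applies to the default `SSO_SIGNUPS_MATCH_EMAIL=true` whenever the identity provider cannot be trusted to verify email ownership before asserting it; the comment on `SSO_SIGNUPS_MATCH_EMAIL` should state that linking an existing account by email is only safe with a provider that verifies addresses, and the sentence on the line below should read "Allowing this together with `SSO_SIGNUPS_MATCH_EMAIL=true` opens a potential account takeover". `SSO_DEBUG_TOKENS` should say explicitly that it writes the raw ID/access tokens to the log and must never be enabled outside local debugging. Smaller points in the same hunk: the comment above `SSO_CLIENT_ID` says "Client Key" while the variable is `SSO_CLIENT_SECRET`; "Additionnal" is misspelled twice; `#SSO_SCOPES` is missing the space after `#` that every other commented-out setting uses; and the `SSO_AUDIENCE_TRUSTED='^$'` default would be clearer with a note that the regex matches only the empty string, i.e. no extra audience is trusted unless it is changed.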