SSO Support #1492
SSO Support #1492
Conversation
|
Lost in how to dynamically show/hide elements on login page, I've implemented one endpoint returning the available login methods, but not familiar enough with the frontend framework to know how to use that to hide/show the elements. Was thinking a request should fire on page load, and depending on the result do the necessary edits to the interface. Inputs are welcome |
|
SSO login is working fully, both based on header, but most importantly OIDC is now supported, opening a very wide range of options. Missing for now:
Grateful if you have inputs on those as well as general feedback :) @Shrinks99 @ikreymer |
|
Hey! Will discuss this with the team today, thank you for contributing! If the user fields could be set to disabled for all SSO users and text added to the page "Some fields are managed by your organization." that would be great. I don't know much about SSO, would it be possible to provide users with a link to edit them in their institution's user management portal? The password section should probably be completely hidden for all SSO users as well. Would we be able to configure more than one SSO provider? I generally like how Jstor handles this with a "find your institution" system. I assume this PR only supports adding one? If SSO is configured, the SSO Log In button should be the |
Always welcome, thanks for the great software
Agree, just need to understand how to set a flag indicating the user is from SSO and propagate that to the frontend. Link to edit should also be doable.
This I think might be much more complicated, the best way to handle it, for any organization hosting browsertrix-cloud and wanting to implement SSO, would be to do federated IDP with selection of the SSO provider on the IDP instead of the SP (browsertrix). This is actually very similar to how SSO is handled by Swiss universities, with a central IDP being the single point of contact, which will redirect as needed to the various Universities IDPs depending on affiliation.
Agree, will do at the same time as dynamically showing the SSO buttons. My main issue is now understanding the best way to pull variables to easily use across the interface from the backend. |
…s creation backend
|
I've implemented last changes, everything is working now, only missing documentation. I've created the option to disable user invites (both frontend and backend); this is because if SSO is enabled and used to manage users, inviting users can create problems with users' org membership (they now depend on users groups), as well as having new users signing up with username/password instead of SSO. Users can be assigned superuser role based on group membership, and can manage orgs as needed. When SSO is enabled, it is potentially suggested to therefore activate the option to disable invites, and possibly also disabling password login altogether. All of this is optional though and can be tailored by the instance admin. Maybe a better way to handle invitations/org memberships that does not create conflicts is possible, but I couldn't figure it out, I think current solution is still very good. Possibly to improve in future. Please review and let me know what you think should be changed, especially on the frontend side, I feel like it was a lot of monkey patching to get what I needed, there is surely a cleaner way to implement all the checks I've done. |
There was a problem hiding this comment.
Reviewed docs and frontend code for lit localization. Have not tested locally.
Thanks for writing up this guide! Haven't tested it but seems pretty thourough. Have made a bunch of docs suggestions. Found two instances of un-localization-wrapped frontend text (happens to the best of us haha).
Batch accepting review suggestions, thanks @Shrinks99 Co-authored-by: Henry Wilkinson <[email protected]>
Appliying one missed one suggestion Co-authored-by: Henry Wilkinson <[email protected]>
|
@Shrinks99 committed your suggestions, thanks. |
This PR implements support for SSO (#1490)
Currently very much a WIP, following points need investigation/development:
General
OR implement setting to define default role (currently crawler)OR pull role from a group (probably more complicated and could be done at later stage)Header Based
Verify request IP matches trusted proxy (to be set in config.yml) - Might be hard given there is always an additional proxy in front (K8s NGINX ingress).Better to specify in doc to restrict direct access to K8s ingress only to the authenticating proxy.OIDC Based
(Easiest way to test locally: https://microsoftedge.microsoft.com/addons/detail/modheader-modify-http-h/opgbiafapkbbnbnjcdomjaghbckfkglc)