
Add SAML/SSO #409

Open
ezekg opened this issue May 4, 2021 · 10 comments · May be fixed by #863
Labels
ent: feature Enterprise features

Comments

ezekg (Member) commented May 4, 2021

Let's use WorkOS for this. Seems pretty simple to integrate. Pricing also looks good.

Endpoints

Redirect

Use the normal create token endpoint. Add an SSO_REQUIRED error code when the current account or user requires SSO.

POST /v1/tokens
401 Unauthorized
Location: <authorization_url>
{
  "errors": [
    {
      "title": "Unauthorized",
      "detail": "single sign on is required",
      "code": "SSO_REQUIRED"
    }
  ],
  "links": {
    "redirect": "<authorization_url>"
  }
}

The client, i.e. Portal, MUST manually redirect to the WorkOS authorization URL.

Docs: https://workos.com/docs/reference/sso/get-authorization-url

Callback

The callback contains a code query param that can be exchanged for a user profile. After retrieving the user, we MAY need to create the user, and then we MUST generate a token for the authenticated user.

We can optionally use the state query param to store additional state, such as account or redirect URL.

After the user has been authenticated, we redirect to Portal.

GET /v1/workos?code=<code>&state=<account>
307 Temporary Redirect
Location: https://portal.keygen.sh/<account>

I'm thinking we should generate an SSO-specific token that can only be used via Portal e.g. using a strict/secure cookie. But using cookies creates other problems, such as accounts using a self-hosted Portal not being able to use SSO. (We COULD keep the Referrer in the state parameter of the authorization URL, but that introduces an open redirect attack vector...) If this becomes a problem, we can manually set a sso_redirect_url column for accounts using SSO.

Docs: https://workos.com/docs/reference/sso/get-authorization-url/redirect-uri
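An added example (not code from the keygen-api project or from the issue author) of the callback side sketched above, showing one way to carry the account and a redirect URL in the state parameter without turning the callback into the open redirect mentioned in the comment: the state is HMAC-signed before the authorization redirect, and on the callback the redirect target is only honoured when it matches that account's allowed Portal origin (the proposed sso_redirect_url column), otherwise falling back to the default Portal URL. STATE_KEY, SSO_REDIRECT_URLS and the token minting are assumptions; the WorkOS code-for-profile exchange is left out.

```ruby
require 'openssl'
require 'json'
require 'base64'
require 'securerandom'
require 'uri'

# Added example, not keygen-api code. STATE_KEY, DEFAULT_PORTAL and the
# per-account allowlist (the proposed sso_redirect_url column) are assumptions.
STATE_KEY = 'constructed-secret-replace-me'
DEFAULT_PORTAL = 'https://portal.keygen.sh'
SSO_REDIRECT_URLS = { 'acme' => 'https://portal.acme.example/sso' } # constructed

def hmac(payload)
  OpenSSL::HMAC.hexdigest('SHA256', STATE_KEY, payload)
end

# Constant-time comparison so a forged signature cannot be guessed byte by byte.
def secure_equal?(a, b)
  a.bytesize == b.bytesize && a.bytes.zip(b.bytes).sum { |x, y| x ^ y }.zero?
end

# Sign the state before building the authorization URL, so the callback
# can trust the account (and redirect hint) it carries.
def build_state(account:, redirect_url:)
  json = JSON.generate(account: account, redirect_url: redirect_url, nonce: SecureRandom.hex(8))
  payload = Base64.urlsafe_encode64(json, padding: false)
  "#{payload}.#{hmac(payload)}"
end

# Returns [account, redirect_url], or nil if the state was not signed by us.
# The redirect is honoured only when it points at that account's allowed
# Portal origin; anything else falls back to the default Portal URL.
def verify_state(state)
  payload, sig = state.to_s.split('.', 2)
  return nil unless payload && sig && secure_equal?(hmac(payload), sig)
  data = JSON.parse(Base64.urlsafe_decode64(payload))
  account = data.is_a?(Hash) ? data['account'] : nil
  return nil unless account.is_a?(String) && account.match?(/\A[a-z0-9-]+\z/)
  allowed = URI.parse(SSO_REDIRECT_URLS.fetch(account) { "#{DEFAULT_PORTAL}/#{account}" })
  wanted = URI.parse(data['redirect_url'].to_s) rescue nil
  ok = wanted.is_a?(URI::HTTPS) && wanted.host == allowed.host && wanted.port == allowed.port
  [account, ok ? wanted.to_s : allowed.to_s]
rescue JSON::ParserError, ArgumentError
  nil
end

# GET /v1/workos?code=...&state=...  (code-for-profile exchange assumed done)
def sso_callback(state:)
  account, location = verify_state(state)
  return { status: 400, body: 'invalid state' } unless account
  token = SecureRandom.urlsafe_base64(32) # SSO-scoped token for the Portal session
  { status: 307, headers: { 'Location' => location,
    'Set-Cookie' => "sso_token=#{token}; Secure; HttpOnly; SameSite=Strict; Path=/" } }
end
```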

ezekg (Member, Author) commented Dec 11, 2021


ezekg changed the title from "Add SSO for larger tiers" to "Add SAML SSO for larger tiers" on Dec 19, 2021

ezekg (Member, Author) commented Dec 19, 2021

ezekg (Member, Author) commented Sep 23, 2022

See also: plausible/analytics#383

ezekg (Member, Author) commented Sep 23, 2022

ezekg (Member, Author) commented Sep 23, 2022

ezekg added the "ent: feature" (Enterprise features) label and removed the "future: proposal" label on Sep 26, 2022
ezekg changed the title from "Add SAML SSO for larger tiers" to "Add SAML/SSO" on May 7, 2023
ezekg pinned this issue on May 7, 2023
ezekg unpinned this issue on May 7, 2023

ezekg (Member, Author) commented Aug 1, 2023

clementperon commented

@ezekg any news on this feature?

ezekg (Member, Author) commented Jun 17, 2024

@clementperon it is on the roadmap (part of #661), but we haven't started work on it yet outside of a POC.

Does your team need this feature?

clementperon commented

@ezekg, I'm trying to reduce the use of accounts in my company, but we don't have an Enterprise license.

ezekg linked a pull request on Jul 15, 2024 that will close this issue

ezekg (Member, Author) commented Jul 31, 2024

WorkOS alternative I saw on HN: https://ssoready.com
