Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add SAML/SSO #863

Draft
wants to merge 14 commits into
base: master
Choose a base branch
from
Draft

Add SAML/SSO #863

wants to merge 14 commits into from

Conversation

ezekg
Copy link
Member

@ezekg ezekg commented Jul 15, 2024
edited
Loading

Closes #409. Implements SAML/SSO using WorkOS. Implements JIT-provisioning for new users.

This includes support for the following:

  • Google OAuth
  • GitHub OAuth
  • Microsoft OAuth
  • Apple OAuth
  • SAML

Each WorkOS connection costs us $125/mo, so this will be for Ent tiers only. Others can look into e.g. https://aglide.com.

Manual account setup right now, i.e. adding sso_organization_id, etc.:

account.update(
  sso_organization_domains: %w[example.com],
  sso_organization_id: 'org_123',
)

Prereqs

  • Write integration/unit tests for SSO.
  • Write tests for session-based authentication.
  • Third-party security review.

Subreqs

  • Update Keygen EE marketing pages to mention SSO.
  • Add docs on new SSO-related error codes.
  • Add docs on configuring SSO/SAML.
  • Cut a new self-hosted release?
  • Send Stdout 9.

@ezekg ezekg force-pushed the feature/sso branch 2 times, most recently from 1e7c55e to ad50d3c Compare July 15, 2024 21:49
@ezekg ezekg force-pushed the feature/sso branch 2 times, most recently from 5ee0cbb to 2994136 Compare July 16, 2024 00:54
ezekg
ezekg commented Jul 16, 2024
View reviewed changes
app/models/user.rb Outdated Show resolved Hide resolved
@ezekg ezekg force-pushed the feature/sso branch 9 times, most recently from b6c4bbf to a3fcabe Compare July 19, 2024 03:19
ezekg
ezekg commented Jul 20, 2024
View reviewed changes
config/application.rb
@@ -34,6 +34,17 @@ class Application < Rails::Application
# Skip views, helpers and assets when generating a new resource.
config.api_only = true

# Use cookies for sessions
config.session_store :cookie_store, key: '_keygen_session',
Copy link
Member Author

@ezekg ezekg Jul 20, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we use a Session model instead? It'd give us support for multiple sessions, plus auditability and revocability.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We could start with a UserSession model.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ref rails/rails#52328.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe we should do the session stuff in a separate PR?

@ezekg ezekg mentioned this pull request Sep 10, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Add SAML/SSO
1 participant
@ezekg