Add feature-preview: Mapping-oidc-groups-to-teams #239
Reference: gitea/blog#239
No description provided.
Website preview: http://preview-gitea-org-blog-blog-239.s3-website.eu-central-1.amazonaws.com/2023/03/feature-preview-mapping-oidc-groups-to-teams/
I've created gitea/theme#125 so we can credit this author to their GH profile.
@ -0,0 +69,4 @@
Update the Authentication Source and test it with OpenID login option. Your user should be added to the organization and team specified.
![Gitea screenshot copying in the OIDC Auto discovery URL and adding in the mapping](/demos/oidcmapping/12.png)
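Review bot: the alt text on the screenshot does not match the step it illustrates: the paragraph describes testing the OpenID login and checking membership, while the alt text says "copying in the OIDC Auto discovery URL and adding in the mapping". Use alt text that describes what this image actually shows at the test step. It would also help readers to say what to check when the user is not added (mapping key, organization or team name not matching what was created), so they can tell a mapping mistake from a login failure.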
Should we perhaps convert all these images to `.webp` instead?
CAPS-LOCK should be converted to **bold**, and "text" should be converted into normal highlighting (`text`)
@ -0,0 +5,4 @@
draft: false
---
In the upcoming 1.19 release of Gitea a new feature is being adding that allows mapping of OIDC groups to Org Teams. One popular case for Gitea is using Azure Active Directory for authentication in Gitea, and now with OIDC group mapping you can map Active Directory user's groups to Gitea organization's teams. This allows for more centralized management of user's access to repositories and organizations.
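Review bot: grammar in the intro paragraph: "is being adding" should be "is being added", "One popular case" reads better as "One popular use case", and "Active Directory user's groups to Gitea organization's teams" should be "Active Directory users' groups to Gitea organization teams" (and "user's access" should be "users' access").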
@ -0,0 +11,4 @@
<!-- instructions sourced originally from: https://github.com/go-gitea/gitea/pull/21441#issuecomment-1429706883 -->
To get this feature working, in breif you'll need creating an Azure Active Directory app, configuring Gitea to use that app, and then map Azure Active Directory groups to Gitea teams. This post will walk you through the steps to get this working.
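Review bot: typo and parallelism: "in breif you'll need creating an Azure Active Directory app, configuring Gitea to use that app, and then map" should read "in brief you'll need to create an Azure Active Directory app, configure Gitea to use that app, and then map". The HTML comment crediting the source issue comment is good; consider linking that PR from the visible text as well so readers can find the original discussion.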
@ -0,0 +15,4 @@
Below I'll explain all the required steps to achieve the mapping of Azure user groups to different teams in Gitea, without having on-premise AD.
AZURE CONFIGURATION:
## Azure configuration
@ -0,0 +17,4 @@
AZURE CONFIGURATION:
Create an application in App Registrations. The Redirect URI is not needed to be configured at this point.
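Review bot: "at this point" implies the Redirect URI is configured later, but no later hunk in this review shows that step. Make sure the post states where the Redirect URI is set and that it should be the exact callback URL Gitea uses rather than a broad pattern, since the registered redirect URI is what keeps the authorization code from being delivered anywhere other than the Gitea instance.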
You don't need the `Redirect URI` at this point.
@ -0,0 +49,4 @@
![Azure screenshot showing adding/removing groups to use for mapping](/demos/oidcmapping/8.png)
GITEA CONFIGURATION:
## Gitea configuration
@ -0,0 +51,4 @@
GITEA CONFIGURATION:
In the site configuration, under Authentication Sources section, create a new OAuth2 one.
…create a new OAuth2 authentication source
@ -0,0 +58,4 @@
![Gitea screenshot of adding a new Auth Source](/demos/oidcmapping/9.png)
For the "OpenID Connect Auto Discovery URL" option, go to Azure and in the registered app Overview, click on "Endpoints" and copy the OpenID Connect metadata document.
![TODO: add desc](/demos/oidcmapping/10.png)
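Review bot: "copy the OpenID Connect metadata document" should say "copy the URL of the OpenID Connect metadata document", since the discovery field takes a URL, not the document contents. The "TODO: add desc" alt text also needs to be replaced before merge.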
![Azure screenshot showing the metadata document of the endpoints]
@ -0,0 +60,4 @@
For the "OpenID Connect Auto Discovery URL" option, go to Azure and in the registered app Overview, click on "Endpoints" and copy the OpenID Connect metadata document.
![TODO: add desc](/demos/oidcmapping/10.png)
In "Addition Scopes" you can add "openid email profile".
Additional Scopes
@ -0,0 +67,4 @@
And finally, in "Map claimed groups to Organization teams.", write the Object ID of the group that you want to map from Azure (in our case, the Object ID of the Azure group "ce-operations"), the name of the organization where you want users to be added automatically (in our case "creamteam"), and the team of the organization (in our case "Developers"). NOTE: organization and team HAVE TO BE ALREADY CREATED.
![Azure screenshot copying OIDC Auto discovery URL](/demos/oidcmapping/11.png)
Update the Authentication Source and test it with OpenID login option. Your user should be added to the organization and team specified.
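Review bot: the paragraph says to write the group's Object ID but never says why; one sentence explaining that the mapping keys on the Object ID because group display names are not stable identifiers would help readers avoid entering the name. It would also help to quote the exact mapping value entered, in text rather than only in the screenshot, so that it can be copied and compared. The "NOTE: ... HAVE TO BE ALREADY CREATED" sentence should use bold instead of caps, as already raised.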
Your user should be a member of the organization and team.
Thanks for feedback @delvh, I've updated :)
@ -0,0 +74,4 @@
![Gitea screenshot copying in the OIDC Auto discovery URL and adding in the mapping](/demos/oidcmapping/12.png)
Finally, a big thank you to [KN4CK3R](https://gitea.com/KN4CK3R) for their work on the PR that made this possible.
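Review bot: the closing line links to the author's profile but not to "the PR that made this possible"; the source comment in the earlier hunk references https://github.com/go-gitea/gitea/pull/21441, so link that PR here.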
"for his work"?
This tutorial should be part of the Gitea docs.
In https://github.com/go-gitea/gitea/pull/21441#issuecomment-1419438000 I show the steps for configuring Keycloak. That should be added to the docs too.
@ -0,0 +1,79 @@
---
date: "2023-03-09T01:00:00+01:00"
author: "13tm3nt3r"
Should work now that the theme pull above was merged.
I prefer to move usage documentation out of Gitea's current documentation.
Alternatively, could we just link the blog post from our docs?
Why? What should the documentation contain then?
Hmm, apart from the open comments LGTM.
@ -0,0 +74,4 @@
![Gitea screenshot copying in the OIDC Auto discovery URL and adding in the mapping](/demos/oidcmapping/12.png)
Finally, a big thank you to [KN4CK3R](https://gitea.com/KN4CK3R) for their work on the PR that made this possible.
You are one but like ten. :)
Erm… Did we just merge the blog entry without the two requested changes?
I'm still untyped 😏
Sorry, missed them.