blog/content/post/feature-preview-mapping-oidc-groups-to-teams.md
HesterG dab0be78b2 docusaurus blog (#266)
# Notes

- date must not have double quotes, e.g., should be like `date: 2022-10-30T18:25:00+09:15`

- Updated header.

  ![Screen Shot 2023-07-11 at 17.27.49](/attachments/d14b0c62-3630-47a9-bcda-25c6459d4e8b)

- Used customized blog plugin to get all tags with reference to [plugins/blog/index.js](https://github.com/questdb/questdb.io/blob/master/plugins/blog/index.js). Filter by tag section, tag list page.

  ![Screen Shot 2023-07-11 at 18.10.28](/attachments/59561940-a2f7-4ab5-b99a-1d5b84fdbcad)

  ![Screen Shot 2023-07-11 at 17.31.20](/attachments/d6d82976-12c0-4c0f-acfe-218e30c7c627)

- Added coverImage to frontmatter to assign cover image, e.g., `coverImage: "/img/blog-covers/test.jpeg"`
  And on blog page, cover image will appear on top if `coverImage` added to frontmatter, e.g.,

   ![Screen Shot 2023-07-11 at 17.33.09](/attachments/c27e7971-11db-4241-bc53-9e43df235fbc)

  ![Screen Shot 2023-07-11 at 17.33.20](/attachments/552dd9cf-fc55-4547-8014-864aeb0e5050)

- authors are managed by the `authors.yml` file. [reference](https://docusaurus.io/docs/blog#global-authors)
- [ejected](https://docusaurus.io/docs/swizzling#ejecting) `@docusaurus/theme-classic BlogListPage` and `@docusaurus/theme-classic BlogPostPage`, which are marked as `unsafe` by docusaurus, so need to maintain these components. ([original BlogListPage](https://github.com/facebook/docusaurus/blob/main/packages/docusaurus-theme-classic/src/theme/BlogListPage/index.tsx), [original BlogPostPage](https://github.com/facebook/docusaurus/blob/main/packages/docusaurus-theme-classic/src/theme/BlogPostPage/index.tsx))
- [referenced repo](https://github.com/questdb/questdb.io)

# How to test

```
npm i
npm run start
```

# Build and serve

```
npm run build
npm run serve
```

# Help Needed

Deploy and preview steps

# More Screenshots

![Screen Shot 2023-07-11 at 17.34.54](/attachments/ee9d46ac-72ac-49de-90df-38e2afc6db02)

Mobile:

![Screen Shot 2023-07-11 at 18.16.54](/attachments/8f1471a3-27cc-459a-a2ce-c0e5bdf604d3)

![Screen Shot 2023-07-10 at 17.53.18](/attachments/992d9f24-e130-41a9-8b55-86744539524c)

![Screen Shot 2023-07-06 at 11.02.21](/attachments/af1632b8-6a61-47f7-b15d-4a6080bebadb)

![Screen Shot 2023-07-11 at 18.17.43](/attachments/af0df617-27a4-46f9-a8a3-037be268e1cd)

![Screen Shot 2023-07-03 at 15.32.45](/attachments/ad2c1217-e82d-434c-81c8-5d4058e18591)

# TODO

- [x] Add Banner to blog page

Reviewed-on: gitea/blog#266
Co-authored-by: HesterG <hestergong@gmail.com>
Co-committed-by: HesterG <hestergong@gmail.com>
2023-07-12 03:25:19 +00:00


---
date: 2023-03-20T13:00:00+01:00
authors: 13tm3nt3r
title: "Feature Preview: Mapping OIDC Groups to Teams"
tags:
  - feature
  - tutorial
draft: false
---

The upcoming release of Gitea 1.19 adds the ability to map OIDC groups to organization teams. Gitea is often used together with Azure Active Directory for authentication, and with OIDC group mapping a user's Azure AD groups can now be mapped to Gitea organization teams. Membership of repositories and organizations is then managed centrally in the directory instead of by hand in Gitea.

To use this feature you need to register an application in Azure Active Directory, configure Gitea to use that application, and then map Azure AD groups to Gitea teams. This post walks through each of those steps.

Below I'll explain all the steps required to map Azure user groups to different teams in Gitea, without any on-premises AD.

## Azure configuration

1. In App registrations, register a new application for accounts in this organizational directory only. You don't need a Redirect URI at this point.

   (Azure screenshot: registering an app that allows accounts in this organization only)

   Registering the app also creates one Enterprise Application (the service principal in your tenant) linked to this App Registration; you will come back to it in steps 6 and 7.

   (Azure screenshot: the newly created app registration)

2. In the registered app, in the Authentication section, enable public client flows.

   (Azure screenshot: enabling public client flows)

   Note that Gitea signs in through the authorization-code flow with a client secret, which does not itself require this setting; the setting additionally allows the device-code and resource-owner-password flows for this app, so only keep it on if you need those.

3. In the registered app, in the Certificates & secrets section, create a new client secret and SAVE its Value right away: the value is shown only once and is hidden as soon as you leave this section. The Secret ID column is just an identifier, not the secret itself, and is not what Gitea needs. Treat the value like a password and give it an expiry you can rotate before.

   (Azure screenshot: copying the new secret)

4. In the registered app, in the Token configuration section, click Add groups claim and select the option that emits only groups assigned to the application. The ID token will then carry only the object IDs of groups you assign to the app, which you do in step 7.

   (Azure screenshot: group claims)

5. In the registered app, in the API permissions section, add the Microsoft Graph delegated permission Group.Read.All. You will have to grant admin consent for it.

   (Azure screenshot: adding a new delegated permission)

6. In the Enterprise Application, in Properties, set the Assignment required? option to Yes. With this set, only the users and groups you assign to the application in the next step can sign in; every other account in the tenant is rejected by Azure AD before it ever reaches Gitea.

   (Azure screenshot: enabling assignment requirement)

7. In the Enterprise Application, in the Users and groups section, add the group or groups that you want to map to teams in Gitea. In our case the group is called ce-operations. Note the group's Object ID; you will need it for the mapping in Gitea.

   (Azure screenshot: adding/removing groups to use for mapping)

## Gitea configuration

1. In the Site Administration, under Authentication Sources, create a new OAuth2 authentication source. Give it an Authentication Name and choose OpenID Connect as the OAuth2 Provider. Copy the Application (client) ID of the registered app from Azure into the Client ID (Key) field, and the secret value you saved earlier into the Client Secret field.

   (Gitea screenshot: adding a new Auth Source)

2. For the OpenID Connect Auto Discovery URL, open the registered app's Overview in Azure, click Endpoints and copy the OpenID Connect metadata document URL. Use the tenant-specific URL shown there (it contains your tenant ID): the `common` endpoint advertises a placeholder issuer that does not match the issuer in your tenant's tokens, so issuer validation on the Gitea side fails.

   (Azure screenshot: the metadata document URL under Endpoints)

3. In Additional Scopes, enter `openid email profile`.

4. In "Claim name providing group names for this source.", enter `groups`. Azure fills this claim with group Object IDs rather than display names, which is why the mapping in the next step uses Object IDs.

5. Finally, in "Map claimed groups to Organization teams.", enter a JSON object keyed by the Object ID of the Azure group you want to map (in our case the Object ID of ce-operations); its value maps the name of the organization where users should be added automatically (in our case creamteam) to a list of that organization's teams (in our case Developers). Note: the organization and the team must already exist; Gitea does not create them.

   (Azure screenshot: copying the OIDC Auto Discovery URL)

6. Update the Authentication Source and test it with the OpenID login option. Your user should now be a member of the organization and team.

   (Gitea screenshot: the OIDC Auto Discovery URL and the group mapping filled in)
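To make the mapping step concrete, here is an added example (written for this post, not Gitea's own code) that shows the shape of the JSON you paste into "Map claimed groups to Organization teams" and resolves it against the `groups` claim of an ID token the way the feature is described above: a group Object ID in the claim grants the listed teams, and mapped teams the user's groups do not grant are the ones a sync would revoke. All GUIDs, the user, and the second group are constructed for the example; the organization creamteam, the team Developers and the group ce-operations are the ones from the post.

```python
"""Added example: resolving a Gitea group->team mapping from an Azure AD ID token.

Illustrative code for this post, not Gitea's implementation. All identifiers
below are constructed for the example.
"""
import base64
import json

# Hypothetical Object IDs of two Azure AD groups assigned to the application.
CE_OPERATIONS_OID = "99999999-8888-7777-6666-555555555555"   # ce-operations
CE_ADMINS_OID = "12121212-3434-5656-7878-909090909090"       # a second mapped group

# Constructed claims of a v2.0 ID token as Gitea sees them after verifying the
# signature. With "Groups assigned to the application" selected in Azure, the
# groups claim carries only the Object IDs of assigned groups, never names.
SAMPLE_CLAIMS = {
    "iss": "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/v2.0",
    "aud": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",   # Application (client) ID
    "preferred_username": "alice@example.com",
    "groups": [CE_OPERATIONS_OID],                   # alice is only in ce-operations
}

# The value for "Map claimed groups to Organization teams":
# {"<group Object ID>": {"<organization>": ["<team>", ...]}}
SAMPLE_GROUP_TEAM_MAP = json.dumps({
    CE_OPERATIONS_OID: {"creamteam": ["Developers"]},
    CE_ADMINS_OID: {"creamteam": ["Owners"]},
})


def _b64url_decode(segment: str) -> bytes:
    """Base64url decoding with the '=' padding that JWTs omit."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_jwt(claims: dict) -> str:
    """Build an alg=none compact token so the decoder can be exercised offline."""
    def enc(obj) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


def decode_jwt_claims(token: str) -> dict:
    """Return a compact JWT's payload WITHOUT verifying the signature.

    Only use this to inspect what Azure put in a token (e.g. whether a groups
    claim is present at all). Gitea verifies the signature against the
    provider's JWKS before trusting any claim; this helper must never replace that.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def parse_group_team_map(text: str) -> dict:
    """Validate the mapping JSON: {group: {org: [team, ...]}}; raise ValueError otherwise."""
    mapping = json.loads(text)
    if not isinstance(mapping, dict):
        raise ValueError("mapping must be a JSON object keyed by group")
    for group, orgs in mapping.items():
        if not isinstance(orgs, dict):
            raise ValueError(f"group {group!r}: value must be an object keyed by organization")
        for org, teams in orgs.items():
            if not isinstance(teams, list) or not all(isinstance(t, str) for t in teams):
                raise ValueError(f"group {group!r}, org {org!r}: teams must be a list of strings")
    return mapping


def group_team_map_is_valid(text: str) -> bool:
    """Convenience wrapper for checking a pasted mapping before saving it."""
    try:
        parse_group_team_map(text)
        return True
    except ValueError:   # json.JSONDecodeError is a subclass of ValueError
        return False


def resolve_team_memberships(claims: dict, claim_name: str, mapping: dict):
    """Return (grant, revoke): sets of (org, team) for one login.

    grant:  mapped teams whose Azure group appears in the user's claim.
    revoke: mapped teams no claimed group entitles the user to. Gitea only
            removes these when the "remove users from synchronized teams"
            option of the source is enabled; otherwise stale membership stays.
    """
    claimed = claims.get(claim_name, [])
    if isinstance(claimed, str):        # some providers emit a lone string
        claimed = [claimed]
    claimed = set(claimed)

    grant, managed = set(), set()
    for group, orgs in mapping.items():
        for org, teams in orgs.items():
            for team in teams:
                managed.add((org, team))
                if group in claimed:
                    grant.add((org, team))
    return grant, managed - grant


if __name__ == "__main__":
    mapping = parse_group_team_map(SAMPLE_GROUP_TEAM_MAP)
    claims = decode_jwt_claims(make_unsigned_jwt(SAMPLE_CLAIMS))
    grant, revoke = resolve_team_memberships(claims, "groups", mapping)
    print("grant:", sorted(grant))    # [('creamteam', 'Developers')]
    print("revoke:", sorted(revoke))  # [('creamteam', 'Owners')]
```

Two things worth checking with this in hand: the claim really has to be called `groups` and really has to contain Object IDs (decode a token from a test login if a user does not land in the team), and the revoke set only takes effect if you also tick the option next to the mapping that removes users from synchronized teams; without it, a user taken out of ce-operations in Azure keeps the Developers membership until someone removes it by hand.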

Finally, a big thank you to KN4CK3R for his work on the PR that made this possible.

Hope this helps anyone who wants to use SSO with Azure and add their users to an organization team automatically 😃. If you do use this and find any issues, please feel free to open an issue on the Gitea issue tracker.