
feat: SSO SAML support #119

Open
1ARdotNO opened this issue Nov 2, 2022 · 10 comments
Labels
new-feature New features or options. priority-low Nice addition, maybe... someday...

Comments

@1ARdotNO
Contributor

1ARdotNO commented Nov 2, 2022

Feature Request

Describe the Feature Request
Implement support for SSO like the official controller can do using SAML

Describe Preferred Solution

If the APIs in the app are documented somewhere, give me a hint and I can also start looking.

Describe Alternatives

Related Code

Additional Context

If the feature request is approved, would you be willing to submit a PR?
Can help

@1ARdotNO 1ARdotNO added the new-feature New features or options. label Nov 2, 2022
@1ARdotNO 1ARdotNO changed the title feat: SSO SAML suppoert feat: SSO SAML support Nov 2, 2022
@PovilasID

PovilasID commented Nov 2, 2022

Or OIDC for keycloak

@dec0dOS dec0dOS added the priority-low Nice addition, maybe... someday... label Dec 12, 2022
@Elf36

Elf36 commented Jan 23, 2023

How is this going? We use Keycloak a lot, and integration with that would be essential before rollout.

@Elf36

Elf36 commented Jan 23, 2023

possibly I can help -

@PovilasID

possibly I can help -

It would be great if you took this on.
For now I used a flag that disables all auth outright, but put a Keycloak middleware in front of it using my reverse proxy (traefik). However, this has one major disadvantage: every user I grant access to can manage all the networks.

@Elf36

Elf36 commented Jan 23, 2023

Yes, I thought of that. Reverse proxy: great! Access to everything: not great :-/

I was thinking of controlling access via nodes, e.g. when a user logs onto a network with the client.

Possibly I'm barking up the wrong tree, but I thought it may be possible. I can possibly hire some people to implement it, but I don't want to commit unless you think it's worth doing.

@PovilasID

Well, whether it is 'worth' it depends on your situation. I think there are 3 ways to control access via Keycloak:

  1. Per user. Just implement the already existing user system, so in that case the user who created the network would have access to it. Not sure about sharing.
  2. Per role. This would require adding roles to the user system, because I am not sure they exist.
  3. Network/role. You can create a client role in Keycloak, and if the name matches a network and you grant it to two users, both have access.

The last two require some investigation of how current permissions work in this, but my guess is there is no network sharing between users.
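As an added illustration of option 3 above (example code, not from zero-ui or Keycloak), this is the kind of deny-by-default authorization check the UI would need: a user may manage a ZeroTier network only if the Keycloak access token carries a client role whose name equals that 16-hex-digit network ID. It assumes a hypothetical Keycloak client named `zero-ui`, that the token's signature was already verified upstream (e.g. by the reverse-proxy middleware), and that the route exposes the network ID as `req.params.nwid`.

```javascript
// Added example: map Keycloak client roles to ZeroTier network IDs (option 3).
// Token verification is assumed to happen upstream; this only decides access.

const NETWORK_ID = /^[0-9a-f]{16}$/; // ZeroTier network IDs are 16 hex digits

// Constructed sample claims, shaped like Keycloak's resource_access claim.
// "zero-ui" is a hypothetical client name; the role "viewer" is not a network.
const SAMPLE_CLAIMS = {
  preferred_username: "alice",
  resource_access: {
    "zero-ui": { roles: ["8056c2e21c000001", "viewer"] },
  },
};

// Return the set of network IDs the token grants for the given Keycloak client.
// Roles that are not well-formed network IDs are ignored rather than trusted.
function managedNetworks(claims, clientId) {
  const roles = claims?.resource_access?.[clientId]?.roles ?? [];
  return new Set(
    roles
      .filter((r) => typeof r === "string")
      .map((r) => r.toLowerCase())
      .filter((r) => NETWORK_ID.test(r))
  );
}

// Deny by default: malformed IDs, missing claims and unknown clients all fail.
function canManageNetwork(claims, clientId, networkId) {
  const id = String(networkId ?? "").toLowerCase();
  if (!NETWORK_ID.test(id)) return false;
  return managedNetworks(claims, clientId).has(id);
}

// Express-style middleware factory; getClaims(req) returns the verified token
// payload (or null when absent), e.g. parsed from a header set by the proxy.
function requireNetworkRole(clientId, getClaims) {
  return (req, res, next) => {
    const claims = getClaims(req);
    if (!claims) return res.status(401).end();
    if (!canManageNetwork(claims, clientId, req.params.nwid)) {
      return res.status(403).end();
    }
    return next();
  };
}
```

With these sample claims, `alice` can manage network `8056c2e21c000001` but not any other network, and a token issued for a different client grants nothing.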

@Elf36

Elf36 commented Jan 23, 2023

Which of the above three would require Keycloak to authenticate a desktop, say, logging into a network?

@Elf36

Elf36 commented Jan 23, 2023

This is the kind of thing I'm thinking of with 2FA:
https://www.youtube.com/watch?v=7lQlmLD9KW4
It looks quite possible. What do you think?

@PovilasID

  1. I am not a maintainer of this repo (and do not aspire to become one), so what I think matters little.
  2. You seem to be mixing up the ZeroTier management plane and the ZeroTier user plane. This repo is a UI for the management plane, not the user one. Not a single user will see this.

@Elf36

Elf36 commented Jan 24, 2023

No, I'm not confusing it. I agree I am slightly more interested in authenticating remote users with 2FA; however, I would also be interested in a multiuser controller, it seems useful. I note that the my.zerotier.com controller has SSO integration, which means it is possible; however, that is in their paid-for product, and I wonder if the code is already in the open source repository but unused? I was thinking that if it was in the code it could be used. However, the example I posted above is the working basis for authenticating users with 2FA, if not the controller, which as you say is a different thing. I did think that a reverse proxy as you use, and separate docker containers for each controller, would be an acceptable solution for different end organisations, but it does not solve different users for a single organisation.

4 participants