Add SAML/SSO #863

ezekg · 2024-07-15T21:47:58Z

Closes #409. Implements SAML/SSO using WorkOS. Implements JIT-provisioning for new users.

This includes support for the following:

Google OAuth
GitHub OAuth
Microsoft OAuth
Apple OAuth
SAML

Each WorkOS connection costs us $125/mo, so this will be for Ent tiers only. Others can look into e.g. https://aglide.com.

Manual account setup right now, i.e. adding sso_organization_id, etc.:

account.update(
  sso_organization_domains: %w[example.com],
  sso_organization_id: 'org_123',
)

Prereqs

Write integration/unit tests for SSO.
Write tests for session-based authentication.
Third-party security review.

Subreqs

Update Keygen EE marketing pages to mention SSO.
Add docs on new SSO-related error codes.
Add docs on configuring SSO/SAML.
Cut a new self-hosted release?
Send Stdout 9.

app/controllers/concerns/authentication.rb

app/models/user.rb

app/controllers/auth/sso_controller.rb

app/controllers/concerns/authentication.rb

ezekg · 2024-07-20T01:44:24Z

config/application.rb

@@ -34,6 +34,17 @@ class Application < Rails::Application
    # Skip views, helpers and assets when generating a new resource.
    config.api_only = true

+    # Use cookies for sessions
+    config.session_store :cookie_store, key: '_keygen_session',


Should we use a Session model instead? It'd give us support for multiple sessions, plus auditability and revocability.

We could start with a UserSession model.

Ref rails/rails#52328.

Maybe we should do the session stuff in a separate PR?

ezekg · 2024-10-18T04:16:06Z

app/controllers/auth/sso_controller.rb

+module Auth
+  class SsoController < Api::V1::BaseController
+    include ActionController::Cookies
+


This controller should assert the SSO entitlement, i.e. it should only be available in Keygen EE.

ezekg · 2024-10-18T04:17:19Z

app/models/account.rb

@@ -289,6 +289,16 @@ def protected?
    protected
  end

+  def sso? = sso_organization_id?


Should we also check ent?, or should we let this be open in case we sell an SSO add-on for Std tiers too?

ezekg · 2024-11-08T02:53:46Z

lib/keygen/sso.rb

+# frozen_string_literal: true
+
+module Keygen
+  module SSO


Move to EE namespace.

ezekg force-pushed the feature/sso branch 2 times, most recently from 1e7c55e to ad50d3c Compare July 15, 2024 21:49

ezekg commented Jul 15, 2024

View reviewed changes

app/controllers/concerns/authentication.rb Show resolved Hide resolved

ezekg force-pushed the feature/sso branch 2 times, most recently from 5ee0cbb to 2994136 Compare July 16, 2024 00:54