SAML Authentication
Feature Request
Description
SAML authentication capability, so that tools like Microsoft Entra can be leveraged to streamline user login and security
Use Case
Company members are required to perform MFA periodically, and their access to apps is also controlled via MS Entra. SAML would ensure that only authorized members can access sensitive data such as employee info etc.
Luckily there are more SAML-based identity providers than MS. :) Okta, Keycloak, Auth0, Google, OneLogin, etc.
I found that for Django there are several plugins available. https://www.google.com/search?q=Django+saml
What I saw in other HR-software is that only manually created users are allowed to use SSO. But that makes it easier to implement than when user-creation is to be implemented. The unhappy flows (user in Horilla, but not in Id-provider - or the other way around) need some attention here, of course.
I don't know Django, but I can help with explanation about SAML, and later help with documentation.
+1, especially for Okta integration!
Hi @VincentSC @justatechie Thanks for the suggestions. We are focusing on bringing these authentication methods in the next version of Horilla which is currently underway now.
With Regards, Team Horilla
Great! I can test and document.
How's it going? Need any help?
I don't see any code mentioning SAML, so I assume you work on internal build.
Hi @VincentSC,
Thank you for your patience and continued interest in Horilla.
We’ve been working on some significant enhancement features, and while the SAML authentication implementation is still in progress, we’re happy to share that we’ve completed work on the LDAP/Active Directory integration.
Currently, our team is actively conducting research and development on the SAML section. We’re committed to delivering this feature and hope to provide you with an update on its status soon.
We truly appreciate your understanding and support.
Best regards,
Team Horilla
As LDAP is old tech that was designed in an era with a very different mindset (and phone lines), I found it to be very difficult to make secure or handle in a modern way (e.g. docker without several ports open), and therefore have chosen not to adopt it.
I am still here to help out with testing.
@horilla-opensource Adding support for the following authentication protocols would greatly enhance the platform's flexibility, compatibility, and usability across different environments:
- SAML (Security Assertion Markup Language):
A widely used standard for Single Sign-On (SSO), SAML enables secure exchange of authentication and authorization information between identity providers and service providers. It simplifies user login processes and reduces the need to manage credentials directly on the platform.
- SCIM (System for Cross-domain Identity Management):
SCIM provides a standardized way to manage user identities, including account creation, updates, and deletion. This is especially useful for ensuring seamless synchronization with enterprise user directories.
- LDAP (Lightweight Directory Access Protocol):
LDAP is a well-established protocol for accessing and managing distributed directory services. It is commonly used for centralized authentication and authorization, particularly in legacy systems and enterprise environments.
- OpenID Connect:
OpenID Connect is an extension of OAuth 2.0 that supports authentication and identity verification. It is lightweight and developer-friendly, making it an ideal choice for secure user login in modern web applications and APIs.
Implementing these protocols would make the platform more adaptable to enterprise requirements and increase its appeal to developers and administrators.
@horilla-opensource - is there any update on the implementation of SAML? Thank you for your hard work on all our requests!
Hi,
We've recently updated the source code and introduced a separate app for LDAP integration in Horilla. Please pull the latest code and follow these steps:
- Add "horilla_ldap" before "django.contrib.admin" to the INSTALLED_APPS section in horilla > settings.py.
- Run the following commands:
  python manage.py makemigrations
  python manage.py migrate
- Now, you can configure LDAP settings (BIND_DN, BASE_DN, SERVER, and PASSWORD) from Settings → General Settings → LDAP Configuration in the web interface.
- Once the connection is successfully established, you can import employees from the LDAP database using:
  python manage.py import_ldap_users
  Similarly, to transfer users from Horilla to LDAP, use:
  python manage.py import_users_to_ldap
This should resolve the issue and make the LDAP setup more manageable via the web interface. Let us know if you face any further issues!
Best Regards,
Team Horilla
@horilla-opensource - thanks for the update, but this request was for SAML authentication, not LDAP. Any update on the implementation of SAML auth?
+1 for SCIM and SAML integration, don't need LDAP
Hi @horilla-opensource, are there any upcoming updates regarding SAML and SCIM integration? Implementing these would likely eliminate the need for LDAP. SCIM can handle user onboarding and off-boarding, while SAML would take care of authentication and login.
Looking also for ways to integrate with Keycloak
+1 for SCIM & SAML as it would be much more efficient to be able to provision users through SCIM & SAML
Looking for SAML authentication integrations.
Hi @FireBall1725,
Thank you all for your continued interest and input regarding SAML and SCIM integration in Horilla.
We’d like to confirm that SAML authentication is absolutely on our roadmap, and we fully understand its importance for enterprise-grade access control, particularly with platforms like Microsoft Entra, Okta, Keycloak, and others.
Currently, our focus is on completing and stabilizing features planned for Horilla Version 2. Once that release is finalized, we will prioritize SAML and SCIM implementation. We’re also actively open to contributions from the community to help accelerate this work, especially from those experienced with Django SAML integrations.
We truly appreciate the enthusiasm and support from everyone in this thread and will keep you updated as progress unfolds.
Best Regards, Team Horilla
Hi Horilla team, thanks for the great project. I’ve deployed Horilla in our VPC and we’re waiting on SAML to use Google Workspace for SSO.
When SAML is released, will Horilla support just‑in‑time (JIT) user provisioning (i.e., create a user on first SSO), or will users need to be pre‑provisioned in Horilla? If JIT is planned, which attributes will be mappable (email, first/last name, groups) and will accounts be linked by email to avoid duplicates?
If JIT isn’t in the first release, is SCIM provisioning planned alongside or shortly after?
@horilla-opensource I have the same question as @mfamularopsyc and I look forward to version 2.0. Thank you for all your hard work on this project.
Hi @mfamularopsyc, @QuantumFlux21,
Thank you for sharing your use case and for deploying Horilla.
For the first release of SAML, our focus will be on secure Single Sign-On (SSO) with pre-provisioned users. Just-in-time (JIT) user provisioning is on our roadmap, but it may follow shortly after the initial release. When implemented, JIT will allow attributes such as email, first/last name, and group/role assignments to be mapped, with user accounts linked by email to avoid duplicates.
We’ll keep you and the community updated as we move from SSO-only towards full JIT and SCIM integration.
Best regards, Team Horilla
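The attribute mapping and email-linking behaviour described in the reply above, together with the "user in the IdP but not in Horilla" unhappy flow raised earlier in the thread, can be sketched as follows. This is an added example, not Horilla's code: the attribute names, ATTRIBUTE_MAP, the in-memory users dict and the helper names are assumptions, and the sample AttributeStatement is constructed.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed sample AttributeStatement in the shape an IdP such as Google Workspace
# or Entra emits; attribute names are assumptions and are configured per IdP.
SAMPLE_ATTRIBUTE_STATEMENT = """
<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="email"><saml:AttributeValue>Jane.Doe@Example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="groups"><saml:AttributeValue>hr</saml:AttributeValue><saml:AttributeValue>payroll</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>
""".strip()
# Hypothetical IdP-attribute -> local-field mapping; "groups" stays multi-valued.
ATTRIBUTE_MAP = {"email": "email", "firstName": "first_name",
                 "lastName": "last_name", "groups": "groups"}


def parse_attributes(xml_text):
    """Return {attribute name: [values]}. Signature, audience and validity-window
    checks are assumed to be done earlier by the SAML library; this only reads."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.findall("saml:Attribute", SAML_NS):
        values = attr.findall("saml:AttributeValue", SAML_NS)
        attrs[attr.get("Name")] = [v.text.strip() for v in values if v.text]
    return attrs


def map_attributes(attrs):
    """Apply ATTRIBUTE_MAP; single-valued fields take the first value."""
    mapped = {}
    for saml_name, local_name in ATTRIBUTE_MAP.items():
        if attrs.get(saml_name):
            mapped[local_name] = attrs[saml_name] if local_name == "groups" else attrs[saml_name][0]
    return mapped


def resolve_user(mapped, users, jit_enabled):
    """Link the assertion to a local account by normalised email. `users` stands in
    for Horilla's user table, keyed by lower-cased email. Returns (outcome, user)."""
    email = mapped.get("email", "").strip().lower()   # case-fold so Jane.Doe@ == jane.doe@
    if not email:
        return ("rejected", None)           # no email claim: nothing to link on
    if email in users:                      # existing account: link and refresh profile
        users[email].update({k: v for k, v in mapped.items() if k != "email"})
        return ("linked", users[email])
    if not jit_enabled:                     # pre-provisioned mode (first SAML release):
        return ("rejected", None)           # user exists in the IdP but not in Horilla
    users[email] = dict(mapped, email=email)  # JIT mode: create the account on first SSO
    return ("created", users[email])
```

Linking on the lower-cased email is what prevents a second account from appearing when the IdP sends the address with different casing than the one pre-provisioned in Horilla.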