plane
[feature]: SSO/SAML and LDAP auth
Is there an existing issue for this?
- [X] I have searched the existing issues
Summary
According to https://plane.so/pricing and https://github.com/makeplane/plane/issues/1211 SSO/SAML will be present in the open-source self-hosted version of plane. Do we have any timeline on when that might be ready?
Also, does Plane support LDAP auth? Can it be easily added - is the auth engine flexible or easy to work with?
Why should this be worked on?
Adding SSO login support enables much easier integration with existing IAM solutions present inside firms and thus adding this crucial feature will make it ready to be used by our team in my $DAYJOB
Hey there, just added a PR for SSO with OIDC which resolves Issue #413. I think I can look into SAML and/or LDAP soon.
@torbenraab Thanks, I will look into that PR to see if it helps me understand how to go about the integration. Ideally, I want to add tequila auth to Plane for my $DAYJOB usage, which has a Django auth module present at https://github.com/epfl-si/django-tequila.
I have been trying to add this to the Django app, but can't get it to work as I desired (I wanted the login page to automatically redirect to tequila for auth and use the redirect to get the user info and login).
I have started some work at https://github.com/makeplane/plane/pull/1337, and would love it if someone could guide me through integrating and enabling the tequila auth properly. I think I will need to add the configs to .env and another flag to enable/disable this mode, but any help on what I am missing would be greatly appreciated.
@rush-skills Does Tequila support OIDC? Then maybe the best option is to go with my PR. I just implemented the option to do the login automatically via OIDC if the variable is set. P.S. auto redirect is what we also needed for better user friendliness.
Hey @torbenraab Thanks for the OIDC work. I have been experimenting with that to test our OIDC provider (SWITCH). I have eventually given up on tequila integration (that was halfway done) because I don't think a lot of people use it and it adds unnecessary complexity to the code base. I have now added LDAP support in https://github.com/makeplane/plane/pull/1446 which works for me now
Hi all. I'm setting up plane authorization via Keycloak using saml-sso. In PLANE I included the following options:
web/.env
NEXT_PUBLIC_ENABLE_OAUTH=1
NEXT_PUBLIC_DEPLOY_URL="https://oauth.my.domain/realms/plane-sso/protocol/saml/clients/plane.my.domain"
space/.env
NEXT_PUBLIC_ENABLE_OAUTH=1
Authorization on the keycloak server passes and redirects to the PLANE page, where it says that authorization failed.
Tell me where I went wrong?
@Alexander-creator333 Hey, I just reworked my OpenID Connect PR, and the new one can be found as #3341. Please try it with the new code.
When can we expect this to be ready? :)
+1 I very much want to integrate Authentik with Plane so all users will be in one place.
Would like to add LDAP support to this. Might be an easy one to dash out as bookstack has native LDAP integration in place using docker.
From my side SAML is preferred. It's easy to granulate access at the user creation step. Just my things.
+1 Would really appreciate OpenID
@theparthacus Thanks for showing upstream activity on this issue.
If I may ask, as many like me will be curious, is there a rationale behind closing here?
Could maybe also be good to introduce a label not planned, which helps people navigate the issues.
I learned that if you pay for their software you get this feature. I can't see why they would ever implement this on their upstream build as this is a big reason why companies and small teams would pull the trigger on their "Pro" build.
If that's the case, that's a total shame. That would be considered an SSO tax and most companies would not go for this, as this is the basic question we ask whenever we try to justify integrating software. Does it have SSO? If so, does it cost? How much does it cost? We typically don't go for SSO taxed software because that's just a detriment to security at the base of any company's security posture.
I was looking at maybe going to OpenProject, but even with a name like that they sadly suffer from the same issue.
I think it also is weird that they don't let homelabbers use these things for free, as SSO is the future.
Yes, that is kind of sad that they can't for home lab use. I actually used to buy Atlassian products for $10 a year self-hosted and they would donate that money to a cause or something. I've already shot them a message about this because I would totally be open to something like this if I had to pay for it.
At this point, no way am I forking $790 for lifetime or $7 a user per month for software I use for fun at home.