Add 'content/post/feature-preview-mapping-oidc-groups-to-teams.md'

techknowlogick 2023-03-10 05:33:02 +08:00
parent 360cfeed5e
commit d69825f762

@ -0,0 +1,72 @@
---
date: "2023-03-09T01:00:00+01:00"
author: "13tm3nt3r"
title: "Feature Preview: Mapping OIDC Groups to Teams"
draft: false
---
Why: Start by explaining why someone would want to set up Gitea to use Azure Active Directory for authentication. You could explain the benefits, such as improved security and easier management of user accounts.
<!-- more -->
<!-- instructions sourced originally from: https://github.com/go-gitea/gitea/pull/21441#issuecomment-1429706883 -->
What: In this section, describe what exactly needs to be done to set up Gitea to use Azure Active Directory for authentication. This would include steps like creating an Azure Active Directory app, configuring Gitea to use that app, and testing the configuration.
How: This section would provide a more detailed explanation of the steps outlined in the previous section. This might include screenshots, code snippets, or other resources to help readers follow along.
What if: Finally, this section would address any potential issues or challenges that readers might encounter while setting up Gitea to use Azure Active Directory for authentication. You could provide troubleshooting tips, resources for further help, or suggestions for alternative solutions.
Below I'll explain all the required steps to achieve the mapping of Azure user groups to different teams in Gitea, without having on-premise AD, just in case there is someone that wants to do this like us.
AZURE CONFIGURATION
Create an application in App Registrations. The Redirect URI is not needed to be configured at this point.
TODO: intsert 1.png
As you can see, there is one Enterprise Application that has been created linked to this App Registration.
TODO: insert 2.png
In the registered app, in the Authentication section, enable public client flows:
TODO: insert 3.png
In the registered app, in the Certificates & secrets section, create a new secret and SAVE the Secret ID given, as this will disappear when you close this section.
TODO: insert 4.png
In the registered app, in the Token configuration section, click on Add groups claim and select the option that will assign only groups that are assigned to the application (this step will be completed in the step 7).
TODO: insert 5.png
In the registered app, in the API permissions section, add a delegated permission called "Group.Read.All". You will have to grant admin consent.
TODO: insert 6.png
In the Enterprise Application created, in Properties, change the Assignment requirement? option to YES. This will allow every user to sign in or register without admin permission.
TODO: insert 7.png
In the Enterprise Application created, in Users and groups section, add the group/groups that you want to map to teams in Gitea. In our case, the group is called "ce-operations".
TODO: insert 8.png
GITEA CONFIGURATION
In the site configuration, under Authentication Sources section, create a new OAuth2 one.
Give it an Authentication Name and use OpenID Connect as the OAuth2 Provider.
Take the "Application (client) ID" of the registered app from Azure and put it in the Client ID (Key) option.
Use the secret that you created previously and put it in the Client Secret option.
TODO: insert 9.png
For the "OpenID Connect Auto Discovery URL" option, go to Azure and in the registered app Overview, click on "Endpoints" and copy the OpenID Connect metadata document.
TODO: insert 10.png
In "Addition Scopes" you can add "openid email profile".
In "Claim name providing group names for this source.", type "groups".
And finally, in "Map claimed groups to Organization teams.", write the Object ID of the group that you want to map from Azure (in our case, the Object ID of the Azure group "ce-operations"), the name of the organization where you want users to be added automatically (in our case "creamteam"), and the team of the organization (in our case "Developers"). NOTE: organization and team HAVE TO BE ALREADY CREATED.
TODO: insert 11.png
Update the Authentication Source and test it with OpenID login option. Your user should be added to the organization and team specified.
TODO: insert 12.png
Hope this helps anyone that wants to use SSO with Azure and add automatically their users to an organization team 😃.
TODO: Give thanks to kn4ck3r for their work on the PR that made this possible.
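Review bot: the explanation of the "Assignment required?" setting in the Enterprise Application step is inverted: setting it to YES restricts sign-in to the users and groups assigned under "Users and groups" (which is what the groups-claim option chosen in the Token configuration step relies on), so the sentence "This will allow every user to sign in or register without admin permission" should be corrected to say that only assigned users and groups can sign in; as written, a reader following it expecting open registration will be surprised, and one expecting the restriction may leave it set the wrong way. In the Certificates & secrets step, "SAVE the Secret ID given" should read the secret Value: the Value is what goes into Gitea's "Client Secret" field later, and it is the field that is shown only once, whereas the Secret ID is a persistent identifier and will not work as a client secret. The front matter sets `draft: false` while the body still carries writing-prompt text ("Why:", "What:", "How:", "What if:" paragraphs), twelve "TODO: insert N.png" placeholders and a closing "TODO: Give thanks" line; suggest `draft: true` until those are resolved, so the unfinished page is not published. Minor: "intsert 1.png" is a typo, and the option labels quoted from Gitea ("Addition Scopes", "Claim name providing group names for this source.") should be checked against the current UI before publishing.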