Dear all,
please check issue https://github.com/gitlabhq/gitlabhq/issues/5495 . To be
more precise, we (AAI@EduHr, http://www.aaiedu.hr/) have 200+ IdPs (ca.
650000 users) and 300+ services which actively use the SSO service, so the
chance that two or more users with the same name have the same uid part of
the username is great.
We think that the following facts of GitLab are O.K.:
* uniqueness of email address on the authentication system (as it is now)
* uniqueness of username on the authentication system (as it is now)
We think that the handling of outer authentication methods (oauth) needs to
be changed.
Our proposal is as follows:
1. keep the existing local authentication system as it is
2. use the outer authentication mechanism as an additional authentication
possibility
We suggest the following implementation:
A. local authentication and system are intact
B. outer authentication
B.1. user comes for the first time
- selects the outer authentication button on the login screen (or maybe
selects one of the outer authentication methods from a list)
- authenticates against the outer authentication system
- the system admin defines in the GitLab configuration file from which
attribute GitLab gets the email address
- GitLab checks the email address, and if the address is unique creates a new user
- the new user will get a username based on the email in the way that the @ sign
is changed to a dot (.) ([email protected] -> username : pero.pero.tld)
- in parallel, one line is added to a new database table with the information
of GitLab username, SSO username, SSO type (the primary key is the combination
of those 3 parameters)
- all other systems in GitLab may now occur
B.2. user tries to log in to GitLab
- selects the outer authentication button on the login screen (or maybe
selects one of the outer authentication methods from a list)
- authenticates against the outer authentication system
- the system admin defines in the GitLab configuration file from which
attribute GitLab gets the email address
- GitLab checks if the email exists
- if it does not exist, that is a new user, do B.1.
- if it exists, find the GitLab username
- check in the database table if an entry exists for GitLab username, SSO
username, SSO type; if so the user is authorized, if not give the user a
warning message
- all other systems in GitLab may now occur
I hope I explained the basic scenario for the outer authentication model we suggest.
Unfortunately we don't have enough programming knowledge to make those changes as a
patch to the GitLab source code, but we will help with all of our knowledge.
Regards,
Dubravko Penezic
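
Added example, not part of the original message and not GitLab code: a Ruby model of flows B.1 and B.2, showing that an existing e-mail is only authorized when the exact (GitLab username, SSO username, SSO type) entry was recorded, so a second IdP asserting the same address gets the warning instead of the account. The class and method names, the in-memory stores, the case-insensitive e-mail comparison and the rejection of a derived username that is already taken are assumptions.

```ruby
require 'set'

# Hypothetical in-memory stand-ins for GitLab's user table and the
# proposed link table; none of these names come from GitLab itself.
class ExternalAuthLinker
  Result = Struct.new(:status, :username)

  # email_attribute: IdP attribute the admin configured as the e-mail source
  def initialize(email_attribute:)
    @email_attribute = email_attribute
    @users_by_email = {}   # email => GitLab username
    @links = Set.new       # [gitlab_username, sso_username, sso_type]
  end

  # Point A: local accounts stay as they are; this only seeds one.
  def add_local_user(email, username)
    @users_by_email[email.downcase] = username
  end

  # B.1 rule: the @ sign is changed to a dot.
  def derive_username(email)
    email.tr('@', '.')
  end

  def login(sso_type:, sso_username:, attributes:)
    # Assumption: e-mails are compared case-insensitively.
    email = attributes[@email_attribute].to_s.strip.downcase
    return Result.new(:rejected, nil) unless email.count('@') == 1

    username = @users_by_email[email]
    if username.nil?
      # B.1: unknown e-mail, so create the user and record the link row.
      username = derive_username(email)
      # Assumption: a derived username that is already taken is refused.
      return Result.new(:rejected, nil) if @users_by_email.value?(username)
      @users_by_email[email] = username
      @links << [username, sso_username, sso_type]
      return Result.new(:created, username)
    end

    # B.2: known e-mail; authorize only if this exact triple was recorded.
    if @links.include?([username, sso_username, sso_type])
      Result.new(:authorized, username)
    else
      Result.new(:warning, username)
    end
  end
end
```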