Hi Dubravko,

This is a lot of work. We'll probably only make something this complex for a paying subscriber, if at all. Before this we would first do multiple LDAP domains, which is a popular request.

Sorry,
Sytse

On Fri, Jan 31, 2014 at 12:33 PM, Dubravko Penezic <[email protected]> wrote:
> Dear all,
>
> please check issue https://github.com/gitlabhq/gitlabhq/issues/5495 . To be
> more precise, we (AAI@EduHr, http://www.aaiedu.hr/) have 200+ IdPs (approx. 650000
> users) and 300+ services which actively use the SSO service, so the chance that two
> or more users with the same name have the same uid part of their username is great.
>
> We think that the following facts about GitLab are O.K.:
> * uniqueness of email address on the authentication system (as it is now)
> * uniqueness of username on the authentication system (as it is now)
>
> We think that the handling of the outer authentication method (OAuth) needs to be
> changed.
>
> Our proposal is as follows:
> 1. keep the existing local authentication system as it is
> 2. use the outer authentication mechanism as an additional authentication
> possibility
>
> We suggest the following implementation:
> A. local authentication and system are intact
> B. outer authentication
> B.1. user comes for the first time
> - select the outer authentication button on the login screen (or maybe select
> one of the outer authentication methods from a list)
> - authenticate against the outer authentication system
> - the system admin defines in the GitLab configuration file from which
> attribute GitLab gets the email address
> - GitLab checks the email address, and if the address is unique creates a new user
> - the new user will get a username based on the email, with the @ sign
> replaced by a dot (.) (pero@pero.tld -> username: pero.pero.tld)
> - in parallel, one row is added to a new database table with the
> GitLab username, SSO username and SSO type (the primary key is the combination of those
> 3 parameters)
> - all other systems in GitLab may now occur
>
> B.2. user tries to log in to GitLab
> - select the outer authentication button on the login screen (or maybe select
> one of the outer authentication methods from a list)
> - authenticate against the outer authentication system
> - the system admin defines in the GitLab configuration file from which
> attribute GitLab gets the email address
> - GitLab checks if the email exists
> - if it does not exist, this is a new user: do B.1.
> - if it exists, find the GitLab username
> - check in the database table whether an entry exists for GitLab username, SSO
> username, SSO type; if so the user is authorized, if not give the user a warning
> message
> - all other systems in GitLab may now occur
>
> I hope I have explained the basic scenario for the outer authentication model we suggest.
>
> Unfortunately we don't have enough programming knowledge to make those changes as a
> patch to the GitLab source code, but we will help with all of our knowledge.
>
> Regards,
> Dubravko Penezic
>
> --
> You received this message because you are subscribed to the Google Groups
> "GitLab" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
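The B.1/B.2 flow from the quoted proposal, as an added Ruby example that is not part of the thread and not GitLab's own code; the class name OuterAuth, the 'uid' attribute for the SSO username, and lower-casing the asserted e-mail are assumptions. It shows why the composite (GitLab username, SSO username, SSO type) row matters: a different IdP or a different uid asserting an already-registered e-mail gets the warning instead of the account, and a derived username that collides with an existing one is refused rather than breaking the uniqueness rule the proposal keeps.

```ruby
require 'set'

class OuterAuth
  User = Struct.new(:username, :email)
  # One row of the proposed mapping table; the three fields form its composite key.
  Identity = Struct.new(:gitlab_username, :sso_username, :sso_type)

  def initialize
    @users_by_email = {}      # e-mail uniqueness, as GitLab already enforces
    @usernames = Set.new      # username uniqueness, as GitLab already enforces
    @identities = Set.new     # rows of the new (GitLab user, SSO user, SSO type) table
  end

  # A. Local accounts stay as they are; this registers one so collisions can be seen.
  def register_user(username, email)
    @users_by_email[email] = User.new(username, email)
    @usernames << username
  end

  # Username derived from the e-mail exactly as proposed: the '@' becomes a '.'.
  def self.username_for(email)
    email.sub('@', '.')
  end

  # email_attribute is the admin-configured attribute holding the e-mail address;
  # 'uid' as the SSO username attribute and lower-casing the address are assumptions.
  def login(assertion, sso_type:, email_attribute:)
    email = assertion.fetch(email_attribute).to_s.strip.downcase
    sso_username = assertion.fetch('uid')
    user = @users_by_email[email]
    if user.nil?
      # B.1: first visit. Create the account only if the derived username is also
      # still free; otherwise refuse instead of breaking the uniqueness rule.
      username = self.class.username_for(email)
      return [:error, :username_taken] if @usernames.include?(username)
      register_user(username, email)
      @identities << Identity.new(username, sso_username, sso_type)
      return [:created, username]
    end
    # B.2: the e-mail is known. Authorize only if this exact (GitLab username,
    # SSO username, SSO type) row exists; another IdP or another uid asserting
    # the same e-mail gets the warning, not the account.
    if @identities.include?(Identity.new(user.username, sso_username, sso_type))
      [:ok, user.username]
    else
      [:warning, :identity_not_linked]
    end
  end
end
```

The sample assertions are constructed hashes standing in for whatever the IdP returns; in a real deployment the e-mail attribute name comes from the GitLab configuration file as the proposal describes.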
