Gitlab (self-hosted) SSO

[kakawait]

Summary

AWX offers Github & Github Enterprise authentication, however I would be able to connect with other OAuth2 system like GitLab (Gitlab.com and self-hosted instances).

You can:

1. Add Gitlab.com and self-hosted gitlab instances but further request for others systems can comes in futur
2. Maybe create a generic OAuth2 auth that can work with any OAuth2 base auth external system

[aoyawale]

I believe django uses https://github.com/python-social-auth/social-app-django for that part and it looks like they have an initial part for gitlab https://python-social-auth.readthedocs.io/en/latest/backends/gitlab.html

[AlexGluck]

I'm interested on it too.

[wenottingham]

I believe django uses https://github.com/python-social-auth/social-app-django for that part

This is correct - we'd need to work with that.

[matburt]

This would also have a UI component for the SSO link and any relevant update to the tower api config endpoint.

[jlmitch5]

if someone is interested in working on a pr for this, feel free to @ me on the UI side of things, I did the initial implementation of the third-party auth work.

[matburt]

Unfortunately we're going to be blocked on this one until we upgrade our python-social-auth core version. Good news is that we are planning on doing that with the next set of features/mass upgrades.

[rahst12]

This is really useful. We use a corporate hosted GitLab (7.14.0) that I would much prefer just to have people login to Ansible Tower with than to create individual users for each person.

[matburt]

The core social auth system was updated week before last, so if it's something you need then please submit a PR.

[rahst12]

Any traction on this one? Is there a way to increase the timeout of a logged-in session?

[rahst12]

@matburt is there a starting point you could push me toward? I'm invested in seeing something like this working, but would need a little help getting into this code base.

[wenottingham]

Genericizing it would be a reasonable amount of work.

Copy-pasta-ing the existing code for a new backend would, in theory, not be that complicated.

[matburt]

We use python social auth, and it does include a gitlab backend: https://python-social-auth-docs.readthedocs.io/en/latest/backends/gitlab.html

You'll want to look at how our SSO system is implemented:

(as a starting point)
https://github.com/ansible/awx/blob/devel/awx/sso/fields.py#L99-L103
https://github.com/ansible/awx/blob/devel/awx/sso/conf.py#L635-L699

and the social auth docs regarding what is required for the backend:
https://python-social-auth-docs.readthedocs.io/en/latest/backends/gitlab.html

It's probably not too hard, but our built-in settings system means you'll just need to be aware of where you need to make the changes. @rooftopcellist has done a good bit of work around here. You can track us down on irc and the mailing list if you have issues implementing it

We have some architectural docs for the overal auth system:
https://github.com/ansible/awx/tree/devel/docs/auth

[rahst12]

Any movement on this? +1 for still wanted.

[ffirg]

I'm closing this issue as we would not look to do anything through this mechanism. SSO as a platform feature in now under consideration for controller and would address all SSO needs.