
[Epic] SAML/SSO #2840

Closed
mxkxf opened this issue Feb 3, 2021 · 69 comments
Assignees
Labels
Business Edition Features that will be a part of our business edition Community Reported issues reported by community members Enhancement New feature or request Epic A zenhub epic that describes a project Platform Administration Pod Issues related to platform administration & management

Comments

mxkxf commented Feb 3, 2021

Summary

Allow users to be provisioned using customer SAML providers via an SSO service.

Motivation

It's great that AppSmith offers Google OAuth login; however, if you do not use Google to authenticate with, then this adds another layer of user administration which is difficult to keep in sync at enterprise scale. As an IT admin I want to sign in with services I already use.

It would be great if in AppSmith's configuration you could integrate with custom SAML IDP providers.

Test plan : https://docs.google.com/spreadsheets/d/1kZjf3oZKPP0ILf0c_Rw-5KvPUykCkzExBYSVYNBxZ2g/edit?usp=sharing
Design files : https://www.figma.com/file/68AfRvev6NkcPFFUamsAq3/SSO%2FSAML?node-id=265%3A1791

areyabhishek (Contributor) commented:

@mikefrancis Thanks for creating this issue. We are planning to introduce integrations with SAML providers. Do you have a preferred provider?
The popular ones seem to be:

  1. Auth0
  2. Okta
  3. Ping
  4. Active Directory(MSFT)
  5. Duo security

@areyabhishek areyabhishek added Business Edition Features that will be a part of our business edition Community Reported issues reported by community members Login / Signup Authentication flows Platform labels Feb 3, 2021
mxkxf (Author) commented Feb 3, 2021

We use a custom provider so the ability to add custom ones via IdP Metadata XML would be great (I imagine this is what is used under-the-hood?).

@Nikhil-Nandagopal Nikhil-Nandagopal added the Enhancement New feature or request label Feb 3, 2021
@Nikhil-Nandagopal Nikhil-Nandagopal removed their assignment Feb 3, 2021
dani commented Feb 10, 2021

OpenID Connect (with a custom provider) would also be great to have. I'm using Lemonldap::NG, so SAML or OIDC would work for me (though OIDC is simpler to set up).

@Nikhil-Nandagopal Nikhil-Nandagopal added the Epic A zenhub epic that describes a project label Mar 1, 2021
@Nikhil-Nandagopal Nikhil-Nandagopal changed the title [Feature] SAML/SSO [Epic] SAML/SSO Mar 1, 2021
DaSchTour commented Mar 2, 2021

> @mikefrancis Thanks for creating this issue. We are planning to introduce integrations with SAML providers. Do you have a preferred provider?
> The popular ones seem to be:
>
>   1. Auth0
>   2. Okta
>   3. Ping
>   4. Active Directory(MSFT)
>   5. Duo security

@areyabhishek I would suggest Keycloak, as this is also something you could run as your own infrastructure, like Appsmith.

I'm not sure if this also belongs here, but with SSO, would it then also be possible to use the login for accessing REST APIs? That would be really awesome.

areyabhishek (Contributor) commented:

@DaSchTour I'll check out Keycloak.
About your second comment. Could you describe the experience you'd want? We were discussing a similar feature a few weeks ago and would love to know what exactly you'd like it to be.

Did you mean a business user will need to authenticate before they can run a REST API? Like I hit a button that calls an authenticated API, the button then pops up a modal to authenticate me. I get authenticated for the session and then I can continue to call the API without needing to sign in.

DaSchTour commented:

@areyabhishek so my idea was that I can use Keycloak to login into the application and the token I get from Keycloak can be used for the Authorization header to call the REST APIs. We would use the Keycloak instance we have for our other applications and our APIs also for appsmith.

The idea to authenticate before running a REST API also sounds good.

codedmind commented Apr 6, 2021

Take a look at univention.com: they provide SSO using Samba/Active Directory, they also have an app center, and it would be great to see Appsmith in there :D

A link that may help any developers who want to look into this: https://docs.software-univention.de/app-provider-4.4.html

kritid11 commented:

It would be good to have Azure Active Directory SSO.

Hokwang commented Jun 10, 2021

I am using Keycloak and it supports both OpenID and SAML.
And now most tools support OIDC, I think.

wlatic commented Jun 12, 2021

It'd be great to have either OpenID or OIDC enabled.

With the app already supporting these functions from Github and Gsuite this may not be too difficult:

```apache
Define OIDC_PROVIDER "https://<URL>/auth/realms/"
Define OIDC_REALM "<REALM NAME>"
Define OIDC_CRYPT <CRYPTPASS>
Define OIDC_CLIENT <CLIENT NAME>
Define OIDC_SECRET <CLIENT KEY>

<IfModule auth_openidc_module>
    OIDCProviderIssuer ${OIDC_PROVIDER}${OIDC_REALM}
    OIDCProviderAuthorizationEndpoint ${OIDC_PROVIDER}${OIDC_REALM}/protocol/openid-connect/auth
    OIDCProviderJwksUri ${OIDC_PROVIDER}${OIDC_REALM}/protocol/openid-connect/certs
    OIDCProviderTokenEndpoint ${OIDC_PROVIDER}${OIDC_REALM}/protocol/openid-connect/token
    OIDCProviderUserInfoEndpoint ${OIDC_PROVIDER}${OIDC_REALM}/protocol/openid-connect/userinfo
    OIDCSSLValidateServer Off
    OIDCRedirectURI /redirect_uri/
    OIDCCryptoPassphrase ${OIDC_CRYPT}
    OIDCClientID ${OIDC_CLIENT}
    OIDCClientSecret ${OIDC_SECRET}
    OIDCRemoteUserClaim preferred_username
    OIDCInfoHook userinfo
</IfModule>
```

This is an example from Apache, which is much more complicated (on the config end, 100% not development!) than nodejs implementation, using OIDC from KeyCloak.

https://github.com/keycloak/keycloak-nodejs-connect

For the moment I've got Apache2 doing auth and I'm going to see if I leave the AppSmith URL open and authenticate via the proxy server using different URLs. Not ideal, but for now it should work.

Hokwang commented Jun 18, 2021

Please re-arrange this issue's priority in your roadmap. Q4 is too late, I think.

Nikhil-Nandagopal (Contributor) commented:

@Hokwang this is now being picked up in Q3. Thank you for contributing to this issue!

mingfang (Contributor) commented:

Integration with Keycloak (and probably any OAuth provider) is already possible using Spring Security settings.
I built this example to demonstrate integration with Keycloak using environment variables.
https://github.com/mingfang/terraform-k8s-modules/blob/master/examples/appsmith/main.tf#L39

genfx86 commented Apr 28, 2022

Hello guys, any expected date for the release of this feature? It was marked as part of Q4 2021.

Nikhil-Nandagopal (Contributor) commented:

@genfx86 this feature is actually now live and available in our enterprise edition.
If you'd like to upgrade and start using our enterprise edition, you can find some time on our calendar below
https://calendly.com/d/yvb3-dyks/talk-to-appsmith-team?month=2022-02

woutr-nl commented:

So this feature won't be deployed to the community-edition?

Nikhil-Nandagopal (Contributor) commented:

@woutr-nl yes it will only be available in the enterprise edition.

mxkxf (Author) commented May 2, 2022

As the OP, it's a real shame this won't be available in the community edition.

I'm a huge fan of AppSmith and would love to suggest future features, but the profiteering from community ideas makes me feel very uneasy.

SSO is a basic security requirement; this website explains more and highlights companies that follow a similar approach:

https://sso.tax

I'd love to ask you to reconsider, and wish you a good day.

Nikhil-Nandagopal (Contributor) commented:

@mikefrancis thank you for your contribution. To be honest, we had planned on monetizing SSO as part of our paid edition since the inception of Appsmith. We do agree that it is a very important security requirement and we're working with all our early users on a usage-based pricing model that is fair, scalable and not a tax on organizations that need it. Appsmith has always intended to monetize features that are valuable to organizations that are willing to pay for them while continuing to provide a stellar open-source platform for individual developers and smaller teams to build their internal apps on. We have Google SSO available in the community edition because we saw that smaller teams did tend to need it a lot. Our monetization is with the sole goal of sustaining the development and growth of this project that we love. We hope you can see it from that perspective too.

mxkxf (Author) commented May 3, 2022

@Nikhil-Nandagopal if you scroll back to the early comments after I created this, it's not clear that this would be enterprise only. A lot of the other commenters provide lots of product insight which you've used to help build your product. For free.

I understand y'all need to pay the bills and absolutely agree you should monetise this amazing software, but IMO you should make it clear when things are on an enterprise roadmap or that community ideas that are realised might not be available in the community edition.

wlatic commented May 3, 2022

It'd be far better having the easier Gmail, Office etc. connectors in the enterprise edition and having SAML, which requires far more configuration on the user end, as part of open source. All SAML would need is the endpoints.

dncpax commented May 3, 2022

I'm not new to open source projects, having been involved in an OS association. To be fair, Appsmith did say from early on that this was planned as a paid feature. If you search Discord I'm sure you'll find this.

We may disagree, we may argue otherwise, we may try to show arguments in favor of including some feature in the self hosted version, but it's for the team to make this project sustainable - which is crucial for all of us users too. It's not written in stone what will be monetized...

In this road to meet both ends, open and sustainable, we've seen many projects sacrifice too much on the open side of things. We hope it does not happen to the projects we invest in as users, especially early on.
But it certainly hasn't happened to Appsmith. If anything, I've seen the team revert paid features to free (the git-sync limit comes to mind: it was 4 repos, and it's now 4 per org).

Just my 2 cents.

PS - I'm also interested in this feature, and would love it to be included in the self hosted version, but am otherwise hoping for affordable pricing...

Nikhil-Nandagopal (Contributor) commented:

@mikefrancis that's a really great point! We have been transparent about our plans like we did in this comment but I can see how it got buried under the flurry of information and we should strive to more proactively communicate this instead of having users ask us about our plans. Thank you for the feedback! We're going to work on being more upfront on what features we plan on monetizing.

Nikhil-Nandagopal (Contributor) commented:

@wlatic our entire belief in appsmith has been that an individual developer or small team should be easily able to build their first application without any barriers and that is why we don't have any integrations that are useful for app building behind a paywall. We believe any developer out there might have a need for a Gmail connector and we should help them with that.

In regards to SAML, while the configuration is higher, we felt that it was not essential to the app-building process or even necessary for most small teams. It generally becomes a necessity once you're convinced that Appsmith can work really well for your use case and now you really need better security for wider adoption. We believe that is something organizations are willing to pay for because our community edition has convinced them that it does exactly what it promises.

codedmind commented:

I already gave my opinion some time ago; I'm with @mikefrancis on this. From the beginning it wasn't very clear whether this would be enterprise-only or not; for me at least, I only understood that it would be an enterprise feature some time after we started talking about SSO.
The issue is from Feb and the comment is from Oct... for those of us who have been here almost two years the perception is different.

Nikhil-Nandagopal (Contributor) commented:

@dncpax we already have this feature available and piloting it with users! Please block some time with us to talk about the pricing, we're working on making it super affordable and scalable :)

Nikhil-Nandagopal (Contributor) commented:

@codedmind thanks for the feedback! We'll work on communicating more about our plans upfront

hiteshjoshi commented:

Closing this. SAML phase 1 is completed and available for enterprise. Please get in touch if you would like to test it out.

thomas10-10 commented Aug 10, 2022

For information: Budibase self-hosted supports custom SSO.

Nikhil-Nandagopal (Contributor) commented:

@thomas10-10 we have custom SSO support in our self hosted business edition and Google SSO support in our self hosted community edition.

thomas10-10 commented:

To be specific: custom SSO in the free self-hosted community edition.

Nikhil-Nandagopal (Contributor) commented:

@thomas10-10 I'm not sure what their thought process is but we've generally seen that smaller teams don't need custom SSO and larger teams are more than happy to pay for this feature. In fact, our pricing is very reasonable for all team sizes so if you're interested in the feature, we'd love to talk to you about it.

SamirSaidani commented:

> @thomas10-10 we have custom SSO support in our self hosted business edition and Google SSO support in our self hosted community edition.

It would be more consistent to have a community-supported SSO protocol in your self-hosted community edition, like LDAP, instead of Google. Usually, open-source-oriented people tend to use open-source-based protocols.

thomas10-10 commented:

It's exactly for this reason that Budibase attracts me more: their self-hosted version is really open source, and you feel more like contributing to this kind of solution.

thomas10-10 commented:

I saw that you refused a merge because it was competing with your paid version:
#8443
It might be interesting to fork Appsmith and merge those pull requests.

mohanarpit (Member) commented:

@thomas10-10 @SamirSaidani Thanks for your inputs. I understand your POV. In this case, we need to ensure that the Appsmith project is sustainable. This means we need to charge for certain features. Making open source projects sustainable ensures that we can continue to build an incredible platform for everybody to build apps really quickly.

@thomas10-10 We believe in doing the right thing at all times. This is why we didn't accept a contributor PR since we wanted to charge for it. We don't believe in charging for any feature that the community contributes towards.

I hope this makes sense.

DaSchTour commented:

> @thomas10-10 I'm not sure what their thought process is but we've generally seen that smaller teams don't need custom SSO and larger teams are more than happy to pay for this feature. In fact, our pricing is very reasonable for all team sizes so if you're interested in the feature, we'd love to talk to you about it.

Well. Nice assumption. But in fact, after I saw that we would have to pay for SSO, we chose a different solution, and now I wouldn't even consider using Appsmith anymore. It's a bit sad. I waited for that feature so long.

Maybe I also understand the reason behind using SSO differently. But for me it has nothing to do with team size but with infrastructure. We use Keycloak for our application and we have a lot of microservices that use Keycloak OAuth. So I would like to be able to use these APIs with the token I get from my Keycloak login.

@albinAppsmith albinAppsmith removed their assignment Aug 18, 2022
pharindoko commented:

> @thomas10-10 I'm not sure what their thought process is but we've generally seen that smaller teams don't need custom SSO and larger teams are more than happy to pay for this feature. In fact, our pricing is very reasonable for all team sizes so if you're interested in the feature, we'd love to talk to you about it.

LOL - you never worked in an enterprise I assume ...

@DaSchTour: Which solution have you used instead?

serega404 commented:

I was looking for a solution for my student creative project. I use Keycloak in order to relieve myself of the responsibility for authorization and spend the time implementing more functions of my project. Unfortunately, I had to abandon Appsmith, since I can't use Keycloak, which most of my APIs work with.
