tdsds.com/gitea
1
1
Fork 0
mirror of https://github.com/go-gitea/gitea synced 2025-07-22 02:08:36 +00:00
Code Releases Activity

Revert "Support SAML authentication (#25165)" (#29358)

Browse Source 
This reverts #25165 (5bb8d1924d), as there
was a chance some important reviews got missed.

so after reverting this patch it will be resubmitted for reviewing again

https://github.com/go-gitea/gitea/pull/25165#issuecomment-1960670242

temporary Open #5512 again
This commit is contained in:
6543
2024-02-24 05:18:49 +01:00
committed by GitHub
parent 875f5ea6d8
commit 4ba642d07d
37 changed files with 69 additions and 1440 deletions
Download Patch File Download Diff File Expand all files Collapse all files

69
docs/content/usage/authentication.en-us.md
View File

@@ -349,72 +349,3 @@ If set `ENABLE_REVERSE_PROXY_FULL_NAME=true`, a user full name expected in `X-WE
You can also limit the reverse proxy's IP address range with `REVERSE_PROXY_TRUSTED_PROXIES` which default value is `127.0.0.0/8,::1/128`. By `REVERSE_PROXY_LIMIT`, you can limit trusted proxies level.
Notice: Reverse Proxy Auth doesn't support the API. You still need an access token or basic auth to make API requests.
## SAML
### Configuring Gitea as a SAML 2.0 Service Provider
- Navigate to `Site Administration > Identity & Access > Authentication Sources`.
- Click the `Add Authentication Source` button.
- Select `SAML` as the authentication type.
#### Features Not Yet Supported
Currently, auto-registration is not supported for SAML. During the external account linking process the user will be prompted to set a username and email address or link to an existing account.
SAML group mapping is not supported.
#### Settings
- `Authentication Name` **(required)**
- The name of this authentication source (appears in the Gitea ACS and metadata URLs)
- `SAML NameID Format` **(required)**
- This specifies how Identity Provider (IdP) users are mapped to Gitea users. This option will be provider specific.
- `Icon URL` (optional)
- URL of an icon to display on the Sign-In page for this authentication source.
- `[Insecure] Skip Assertion Signature Validation` (optional)
- This option is not recommended and disables integrity verification of IdP SAML assertions.
- `Identity Provider Metadata URL` (optional if XML set)
- The URL of the IdP metadata endpoint.
- This field must be set if `Identity Provider Metadata XML` is left blank.
- `Identity Provider Metadata XML` (optional if URL set)
- The XML returned by the IdP metadata endpoint.
- This field must be set if `Identity Provider Metadata URL` is left blank.
- `Service Provider Certificate` (optional)
- X.509-formatted certificate (with `Service Provider Private Key`) used for signing SAML requests.
- A certificate will be generated if this field is left blank.
- `Service Provider Private Key` (optional)
- DSA/RSA private key (with `Service Provider Certificate`) used for signing SAML requests.
- A private key will be generated if this field is left blank.
- `Email Assertion Key` (optional)
- The SAML assertion key used for the IdP user's email (depends on provider configuration).
- `Name Assertion Key` (optional)
- The SAML assertion key used for the IdP user's nickname (depends on provider configuration).
- `Username Assertion Key` (optional)
- The SAML assertion key used for the IdP user's username (depends on provider configuration).
### Configuring a SAML 2.0 Identity Provider to use Gitea
- The service provider assertion consumer service url will look like: `http(s)://[mydomain]/user/saml/[Authentication Name]/acs`.
- The service provider metadata url will look like: `http(s)://[mydomain]/user/saml/[Authentication Name]/metadata`.