Epic: Login with SSO

[geropl]

Summary

This epic enables users to configure and login with SSO from the UI in Dedicated.

In Scope

• Launching on Dedicated
• Admin onboarding updated accordingly, allowing them to set up their org
• Org owners must be able to reconfigure SSO in the Org Settings
• Ability for users login via SSO and be onboarded automatically to the org. In dedicated, no slug should be requested.
• Escape hatch for the super admin to get back into the cell, in case access is lost

Out of scope

• Launching on gitpod.io
• Switching an existing org from Git Authentication to SSO or vice-versa
• Correctly handling an IDP switch
• Allowing login or signup with Github/Gitlab/Bitbucket on Dedicated
• Automated user provisioning, removal or update (SCIM, membership APIs)
• Gitpod-native authentication
• Support for multiple IDPs

Context

• previously Epic: Enable Git Auth for Organizations for Dedicated #15955 would hold some of these task

Configure SSO

Preview Give feedback

1. Introduce slugs for organizations #16856
   +0
   
2. [OIDC] Add (backend) validation for entered client config #15960
   meta: stale +1
   
3. [SSO] Support edit and remove of OIDC clients #15961
   +0
   
4. SSO configuration UI enhancements #15995
   team: webapp +1

Login UI/UX:

Preview Give feedback

1. [SSO] Integrate with Login form #15967
   +0
   
2. [SSO] Enable OIDC logins on gitpod.io #15968
   meta: stale +1
3. dedicated: Skip “Org selector” for “single org” case

[charleswhchan]

Hello,

I would like to add OidcAuthProviders config to the installer (similar to config.go::AuthProviders) to automate the config, what's the correct behavior?
a. retrieve the config on deploy
b. write config to database on component/server start up

Note: I am happy to create a PR with guidance.

[AlexTugarev]

@charleswhchan, thanks for raising this question! I'll forwarded that internally, as the answer isn't just about a technical problem to be solved.

[AlexTugarev]

@charleswhchan, at the moment it's not planned to support configuration of SSO providers via the installer.

While focusing on Gitpod Dedicated we're creating an improved onboarding experience within the app. That, as well as the development of features around Organizations, will provide a holistic way of setting up Gitpod. The SSO integration, as well as the accounts created by using it, will belong to to the Organization. That provides better isolation and options of control.

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.