Replies: 3 comments 4 replies
-
|
Hi @qay21, this seems sensible but maybe instead of introducing another environment variable, we can simply redirect to the configured OIDC IDP automatically if it is the only login option available. So if:
We automatically redirect to the OIDC IDP. What do you think? |
Beta Was this translation helpful? Give feedback.
-
|
I think assuming that if there is a single auth provider configured, the app can automatically default on it is a good idea, yes. I think Wekan chose to add a dedicated env variable because there is (as far as I know) no way to disable the default email login. Rallly being able to, we can most probably do without a dedicated var. |
Beta Was this translation helpful? Give feedback.
-
|
Would you be able to test it by pulling |
Beta Was this translation helpful? Give feedback.
-
|
sure, let me do that quick |
Beta Was this translation helpful? Give feedback.
-
|
Just tested, that seems perfect ! Went straight to our Keycloak login frontend, even displaying a short spinner during redirection to avoid a blank screen. Looks good to me ! |
Beta Was this translation helpful? Give feedback.
-
|
Great, thanks for testing. It will be shipped in the next release. |
Beta Was this translation helpful? Give feedback.
-
|
Looks like the feature has been shipped with 4.5.7 even if not mentionned in the changelog. I think this topic can be closed ! Thanks :) |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
-
Hi there,
SSO integration with OpenID Connect and disabled email login (following #1833 and subsequent PR #1916 ) are working great. In my opinion, the last missing piece is to have a setting allowing to completely hide the login page when email login is disabled and there is a configured identity provider.
If an explicit setting is required, something like a
OIDC_AUTOLOGIN_ENABLED = false(by default,trueto enable the feature) would do. However, as long as there is no other auth mode than email login and/or a single OIDC IDP, it can be safe to assume that if the IDP is configured and the email login is disabled, then there is no point going anywhere else than to the IDP login screen.For the end-user, the workflow would seem even smoother than it already is : going to Rallly webapp would transparently try to login with OIDC, and if the user is already authenticated on the provider, then they have nothing to do authentication-wise, smoothly going from "never visited the app" to "authenticated and ready to create a poll" without encountering a single screen or button to click.
Such a feature is more and more common with SSO implementations, and is greatly contributing to the ease of use of existing web tools in managed environments (entreprise, managed communities, schools, etc). See what another great open source tool, Wekan, have done with it. What do you think ?
Thanks for the good work
Beta Was this translation helpful? Give feedback.
All reactions