DefGuard / defguard

The only _real_ 2FA MFA WireGuard Enterprise VPN with built-in SSO, hardware keys management and more!
https://defguard.net

Implement logging in with external OIDC #602

Open teon opened 7 months ago

teon commented 7 months ago

A lot of users are asking for support with logging in with external OIDC like Google Workspace/Microsoft Azure ID. For this we should:

DmitryMigunov commented 6 months ago

Will this feature be available on Enterprise only? We are managing users in the Google Workspace. We need synchronization with Google instead of creating users manually in Defguard.

NickBouwhuis commented 4 months ago

I'd also really like to see this implemented. I found DefGuard last week and it ticks a lot of boxes for us. But we already use Keycloak for our IdP/OIDC needs.

We currently use Firezone as a VPN provider. However, that project has gone a different direction and the UX is not that great. DefGuard would be a great replacement if we could connect it to our Keycloak.

teon commented 4 months ago

@NickBouwhuis it's already implemented and we will be testing, polishing and most probably doing a release in the next two/three weeks.

compgeniuses commented 3 months ago

So could this be used also for other local hosted OIDC if already present, Authentik/Zitadel etc?

NickBouwhuis commented 3 months ago

> So could this be used also for other local hosted OIDC if already present, Authentik/Zitadel etc?

That is the idea! Very excited to see a version with OIDC support.

teon commented 3 months ago

@compgeniuses Defguard is an OIDC provider (can replace Authentik / Zitadel), but a lot of users indicate they don't want to migrate - and they want defguard to allow using external OIDC, so that they use defguard just as VPN management software - so we hm have done that.

cicklolwut commented 3 months ago

I noticed in the gitbook a mention of requiring an Enterprise license for this. We're pretty deep into Microsoft and would love this feature, but we can't justify $1000 a month for it since we're a relatively small business. Is this something you're hard set on?

teon commented 3 months ago

Merge to dev please

teon commented 3 months ago

@t-aleksander

teon commented 3 months ago

@cicklolwut we are getting to the point where we have a clear vision about how we want to accomplish the license - which is really important since we need to find a sustainable model to finance the development as defguard is critical - it's not an additional tool, it's a core infrastructure component!

We will have several subscription options - but the cheapest will be around 10EUR/month with a simple email/issue-based support - no vpn locations or users limit.

This would enable smaller companies to have all the enterprise features and support us in development.

We will also do a scholarship program where non-profits, open source companies and startups will be able to apply for a free enterprise license 🫡

compgeniuses commented 3 months ago

This is great. As announced here https://community.nethserver.org/t/defguard-2fa-mfa-wireguard-vpn-with-sso/24144

I am looking into implementing Defguard into Nethserver8. Hopefully I can get LDAP config with ENV or automatically to work SMH. Would be open to all the help I can get.