SigNoz / signoz

SigNoz is an open-source observability platform native to OpenTelemetry with logs, traces and metrics in a single application. An open-source alternative to DataDog, NewRelic, etc. 🔥 🖥. 👉 Open source Application Performance Monitoring (APM) & Observability tool
https://signoz.io

OpenID Connect / OAuth2 and/or SAML support #1188

Closed alexanderadam closed 1 year ago

alexanderadam commented 2 years ago

Is your feature request related to a problem?

It would be nice to use external auth services like Authelia, Keycloak, Authentik or GitLab. OpenID Connect is probably the most widely adopted one, but some might prefer SAML.

Describe the solution you'd like

Something like OpenID Connect, OAuth2 or SAML would be great. Configuration usually requires some URLs and secrets.

For self-hosting, having the ENV variables would be sufficient, but if you want to move on to providing your cloud service, you might want to have a GUI for that in the settings (maybe show it if the ENV variables weren't provided). An example for the settings view can be seen here.

There are also battle-tested packages available for Go (e.g. go-oidc, oidc and others).

Describe alternatives you've considered

Not using external authentication I guess?

Thank you for SigNoz, it looks very promising and I hope that it'll get some traction.

welcome[bot] commented 2 years ago

Thanks for opening this issue. A team member should give feedback soon. In the meantime, feel free to check out the contributing guidelines.

pranay01 commented 2 years ago

hey @alexanderadam Thanks for the issue. Curious, to learn what specific use case would this solve for you? Do you use Gitlab/Authelia auth currently in your org?

alexanderadam commented 2 years ago

I would even claim that everybody uses an identity solution (sometimes even without knowing). Apps like GitLab or Nextcloud have the server (and even client) functionality included, and most well-known applications that can be self-hosted allow using OAuth2, OpenID Connect or SAML.

ihard commented 2 years ago

I join the author of the task, our company uses Keycloak and the authorization functionality for OpenID Connect would be in great demand.

derrickmehaffy commented 2 years ago

Also popping in here to advocate for us Keycloak users, even as hobbyists this would be an awesome win :)

pranay01 commented 2 years ago

Thanks for the inputs. We will have support for this in our enterprise plans.

alexanderadam commented 2 years ago

> We will have support for this in our enterprise plans

I'm just leaving this URL here: https://sso.tax/

So I guess someone can create a PR to add SigNoz there once SigNoz has SSO implemented only for enterprise plans.

pranay01 commented 2 years ago

The way we see it, to make any project sustainable in the longer term and keep building what the community values, we need to monetize a part of it. Here's our philosophy on monetization.

SSO/SAML seems like a set of features which is generally needed by bigger companies, so it seemed a good candidate to put under the enterprise license.

IcedQuinn commented 1 year ago

absurd.

numfin commented 1 year ago

@pranay01 I have 5 people. I have self-hosted k8s. I want centralized authorization. I don't want to pay you for things that don't cost you anything.

ankitnayan commented 1 year ago

> I have self-hosted k8s. I want centralized authorization. I don't want to pay you for things that don't cost you anything.

That's interesting... what do you think the strategy of monetization should be? It takes multi-year multi-engineers to build a good project. What would be a reasonable thing at SigNoz that you would be okay to pay for?

derrickmehaffy commented 1 year ago

As someone coming from the open source software world (Strapi). I would focus on monetizing features that are useful to large teams. Security IMO is not one of those.

At the very least allow authentication with SSO but not some of the more complicated logic with authorization such as group syncing. This is something we are considering as well to allow for SSO authentication via social providers but requiring a license for the advanced options.

Depending on the library you are using (we use passport.js) the implementation of SSO shouldn't be very difficult.

Likewise where we have seen business sustaining revenue is from a cloud option and enterprise support, not features of the software. We also recently completely unlocked our RBAC permissions system to the community edition as well.

starhound commented 1 year ago

> I have self-hosted k8s. I want centralized authorization. I don't want to pay you for things that don't cost you anything.

> That's interesting... what do you think the strategy of monetization should be? It takes multi-year multi-engineers to build a good project. What would be a reasonable thing at SigNoz that you would be okay to pay for?

Cloudflare has an OIDC script on their CDN. Most devs can pump out SSO through OAuth 2.0 or OIDC in a few hours.

A reasonable thing to pay for is your cloud service.

itay-grudev commented 1 year ago

@ankitnayan Do you remember when SSL was thought of as premium service you had to pay extra for?

This is the state of SSO in 2023. It helps guarantee a more secure internet for everyone, by securing key infrastructure itself. This is why other services like Grafana have it in their OSS package. These guys here are making a good point, not just whining because they can't pay.

Please reopen this. I am pretty sure it won't affect the customers you have and want, but it will affect smaller businesses and startups for whom your cloud offering doesn't make sense.

As a final thought it is these small businesses that are at a disproportionately higher security risk as they cannot afford the proper security staff and tools - and we all lose from that.

aleksasiriski commented 10 months ago

I'm also advocating to make this a part of the FOSS version. I'm alone using self-managed k8s on Hetzner cloud and Authelia with LLDAP for authenticating into all of my other FOSS apps. I've spent a few days investigating SigNoz and also made an appeal to switch to it instead of using Jaeger or AWS X-Ray and Elasticsearch, but now that I've found that SSO is an Enterprise feature (even though the company I work at is really small and their whole microserviced stack uses around $100 on AWS), this makes me question if it is really worth the trouble it introduces by not having centralized authorization. Both of those are legit use cases that don't have the resources to pay for SigNoz Cloud or the Enterprise edition, and the lack of SSO makes me go to other FOSS projects which are suboptimal. It's really sad to see that Uptrace is in the same boat for SSO...

fabiob commented 7 months ago

I know this is a closed issue, but I was wondering if there's any movement towards offering the increased security of OpenID to a broader audience. I'm willing to pay for the feature, but the pricing leap for the Enterprise offer is too high and it includes features and a service level we don't need. Would you guys consider a cheaper plan or a pay-per-feature model for small companies that self-host and don't need the premium support?

RockyMM commented 6 months ago

Another topic, I was glancing through the documentation, and I don't see OpenID Connect support. Did I miss it?

nitin302 commented 5 months ago

Please consider - https://github.com/SigNoz/signoz/issues/1188#issuecomment-1638017299

pbasov commented 2 months ago

@pranay01 Is there a way to disable the current authentication system and put the SigNoz dashboard behind an OAuth2 proxy?

Putting the SSO feature behind an enterprise paywall is shameful enough, but at least let me implement my own flow then.