[Epic] SAML/SSO

[mxkxf]

Summary

Allow users to be provisioned using customer SAML providers via a SSO service.

Motivation

It's great that AppSmith offers Google OAuth login however if you do not use Google to authenticate with then this adds another layer of user administration which is difficult to keep in sync at enterprise scale; as an IT admin I want to sign-in with services I already use.

It would be great if in AppSmith's configuration you could integrate with custom SAML IDP providers.

Test plan : https://docs.google.com/spreadsheets/d/1kZjf3oZKPP0ILf0c_Rw-5KvPUykCkzExBYSVYNBxZ2g/edit?usp=sharing Design files : https://www.figma.com/file/68AfRvev6NkcPFFUamsAq3/SSO%2FSAML?node-id=265%3A1791

[areyabhishek]

@mikefrancis Thanks for creating this issue. We are planning to introduce integrations with SAML providers. Do you have a preferred provider? The popular ones seem to be:

1. Auth0
2. Okta
3. Ping
4. Active Directory(MSFT)
5. Duo security

[mxkxf]

We use a custom provider so the ability to add custom ones via IdP Metadata XML would be great (I imagine this is what is used under-the-hood?).

[dani]

OpenID Connect (with a custom provider) would also be great to have. Using Lemonldap::NG so SAML or OIDC would work for me (though OIDC is simpler to setup)

[DaSchTour]

@mikefrancis Thanks for creating this issue. We are planning to introduce integrations with SAML providers. Do you have a preferred provider? The popular ones seem to be:

1. Auth0
2. Okta
3. Ping
4. Active Directory(MSFT)
5. Duo security

@areyabhishek I would suggest Keycloak. As this is also something you could have as own infrastructure like Appsmith.

I'm not sure if that also belongs here, but with SSO, would it then also be possible to use the Login for accessing REST APIs. That would be really awesome.

[areyabhishek]

@DaSchTour I'll check out Keycloak. About your second comment. Could you describe the experience you'd want? We were discussing a similar feature a few weeks ago and would love to know what exactly you'd like it to be.

Did you mean a business user will need to authenticate before they can run a REST API? Like I hit a button that calls an authenticated API, the button then pops up a modal to authenticate me. I get authenticated for the session and then I can continue to call the API without needing to sign in.

[DaSchTour]

@areyabhishek so my idea was that I can use Keycloak to login into the application and the token I get from Keycloak can be used for the Authorization header to call the REST APIs. We would use the Keycloak instance we have for our other applications and our APIs also for appsmith.

The idea to authenticate before runing a REST API also sounds good.

[codedmind]

Take a look at univention.com they provide SSO using samba/active directory, they also have and appcenter and would be great see appsmith in there :D

Some link, maybe help some developers than can help and see this https://docs.software-univention.de/app-provider-4.4.html

[kritid11]

It would be good to have Azure Active directory SSO.

[Hokwang]

I am using keycloak and it supports openID and SAML both. and now, most of tools are supporting OIDC, I think.

[wlatic]

It'd be great to have either OpenID or OIDC enabled.

With the app already supporting these functions from Github and Gsuite this may not be too difficult:

Define OIDC_PROVIDER "https://<URL>/auth/realms/"
Define OIDC_REALM "<REALM NAME>"
Define OIDC_CRYPT <CRYPTPASS>
Define OIDC_CLIENT <CLIENT NAME>
Define OIDC_SECRET <CLIENT KEY>

<IfModule auth_openidc_module>
    OIDCProviderIssuer ${OIDC_PROVIDER}${OIDC_REALM}
    OIDCProviderAuthorizationEndpoint ${OIDC_PROVIDER}${OIDC_REALM}/protocol/openid-connect/auth
    OIDCProviderJwksUri ${OIDC_PROVIDER}${OIDC_REALM}/protocol/openid-connect/certs
    OIDCProviderTokenEndpoint ${OIDC_PROVIDER}${OIDC_REALM}/protocol/openid-connect/token
    OIDCProviderUserInfoEndpoint ${OIDC_PROVIDER}${OIDC_REALM}/protocol/openid-connect/userinfo
    OIDCSSLValidateServer Off
    OIDCRedirectURI /redirect_uri/
    OIDCCryptoPassphrase ${OIDC_CRYPT}
    OIDCClientID ${OIDC_CLIENT}
    OIDCClientSecret ${OIDC_SECRET}
    OIDCRemoteUserClaim preferred_username
    OIDCInfoHook userinfo
</IfModule>

This is an example from Apache, which is much more complicated (on the config end, 100% not development!) than nodejs implementation, using OIDC from KeyCloak.

https://github.com/keycloak/keycloak-nodejs-connect

For the moment I've got Apache2 doing auth and going to see if I leave AppSmith URL open and authenticate via the proxy server using different URLS. Not ideal but for now it should work.

[Hokwang]

please re-arrange this issue's priority in your roadmap. Q4 is too late, I think.

[Nikhil-Nandagopal]

@Hokwang this is now being picked up in Q3. Thank you for contributing to this issue!

[mingfang]

Integration with Keycloak(and probably any oauth provider) is already possible using Spring security settings. I built this example to demonstrate integration with Keycloak using environment variables. https://github.com/mingfang/terraform-k8s-modules/blob/master/examples/appsmith/main.tf#L39

[floriandeutsch89]

Active Directory(MSFT)

Are you referring to NTLM/Kerberos or ADFS? Many customers are still using a "simple" ActiveDirectory without Federation Services

[mohanarpit]

@lf-floriandeutsch At this juncture, we haven't made a decision whether we'll support both AD & ADFS.

Based on your response, we'll keep in mind that users may be using the "simple" ActiveDirectory without the federation services.

[MaxAnderson95]

@mikefrancis is the plan to support SAML for free in the self hosted version of the product?

[Nikhil-Nandagopal]

Hi @MaxAnderson95 👋 we plan to support SAML only in our paid edition.

[MaxAnderson95]

@Nikhil-Nandagopal I appreciate your reply but I must say I'm a bit disappointed. SSO is a core security feature, not a luxury. More info about that here: sso.tax.

I see now that your site lists this as being an Enterprise Edition feature. I hope that the pricing for this scales with org size, as some of your competitors (Retool) charge crazy high premiums for the enterprise features even if just for 15-20 users. Do you have any idea of what pricing will be like for smaller enterprises who want to host on prem?

[Nikhil-Nandagopal]

@MaxAnderson95 we wholeheartedly understand your concerns and to clarify it will be in our paid plan but not something only accessible to enterprises or part of an ultra high priced tier. We are looking towards a more usage based pricing and working with a few early adopters to figure out the right pricing model so that medium sized organizations are also able to reap the benefits. If you'd like to explore this further with us, you can drop us an email at sales@appsmith.com. We really value the inputs of the community and would love to work closer with everyone on building a great product.

[MaxAnderson95]

Thanks @Nikhil-Nandagopal for your candid response!

[Nikhil-Nandagopal]

We've started planning for this feature. We'll be focusing on a self-hosted only solution first with cloud in mind from an engineering standpoint @Debsourabh will be researching the below tools for UI/UX while @mohanarpit @trishaanand will be researching for features

• Slack
• Sentry
• Gitlab
• Retool We are aiming to integrate a SAML & OIDC spec at the end of this project with Okta, Active Directory, and PingID. @mohanarpit will setup a paid Okta account for us to use internally Look forward to a product note next week!

[codedmind]

Maybe i don't understand it correctly... but is hard to learn that some security option will only be avaible in paid version. Also when could at least give the option to integrate with the more common options... like i said in previous post's nowadays could be use samba 4 for active directory basic integrations...

[Nikhil-Nandagopal]

@codedmind generally we've seen that larger companies need this integration and are happy to adopt our enterprise edition for it. We are currently unsure of the impact of introducing something like samba4 in our community edition because we haven't received too many requests for it. The main integrations we've received requests for have been Okta and Active Directory but if this changes in the future and more community members request for it, we will consider how we can add it without impacting our enterprise offering. Thank you for your ideas and opinions as always!

[codedmind]

@Nikhil-Nandagopal like i mention previous samba4 = active directory using solutions like univention linux distribution its possible have active directory emulated and have SAML integration https://www.univention.com/blog-en/2021/08/how-does-single-sign-on-work-with-saml-and-openidconnect/

[mohanarpit]

• First cut of wireframes from UX flow - @Debsourabh
• Initiate POC for code splitting on the frontend - @rashmi-rai @rishabhsaxena

More details can be found at: https://www.notion.so/appsmith/SSO-835bf30d62974817ac88ef6810ba50f1

[trishaanand]

Goal : Planning for the feature to be complete by December 1st

• Code splitting POC
  • Frontend - @rishabhsaxena @rashmi-rai
  • Backend - @trishaanand @AnaghHegde
• Test out the complete integration flow with a couple of providers and share a video with the team - @trishaanand

[trishaanand]

• Continue with PoC for code splitting. Only backend right now - @trishaanand
• Finalize wireframes for Authentication. - @Debsourabh
• Implementation research for SAML/OIDC/LDAP with webflux - @trishaanand

[Debsourabh]

WIP SSO/SAML Design File : https://www.figma.com/file/68AfRvev6NkcPFFUamsAq3/?node-id=8%3A69

[trishaanand]

• Wireframe to be shared with the team next week - @Debsourabh
• Publish Test plan for the feature - @RakshaKShetty
• Publish all the input field requirements for the feature - @trishaanand

[trishaanand]

Last week's update :

• Explore keycloak to be used as a broker - @trishaanand
• BE Code split - @trishaanand
• FE Code split strategy development - @pranavkanade
• Incorporate design review comments - @Debsourabh

[RakshaKShetty]

WIP SSO Testplan: https://docs.google.com/spreadsheets/d/1kZjf3oZKPP0ILf0c_Rw-5KvPUykCkzExBYSVYNBxZ2g/edit?usp=sharing

[pranavkanade]

FE Code splitting guidelines - https://www.notion.so/appsmith/FE-code-splitting-guidelines-V2-7333eaa05e1540b898feb540b5f0f330

[trishaanand]

Weekly targets :

• POC of SSO with keycloak and configuration on appsmith via docker environment - @trishaanand
• FE code split finalization and POC of code split - @pranavkanade
• FE task breakdown for SSO - @pranavkanade @ankitakinger
• RBAC requirements documentation - @vuiets

[trishaanand]

Weekly targets :

• Test SSO with common identity providers (Okta, PingId) - @trishaanand
• Set up demo instance with SSO enabled for testing - @trishaanand
• Polish UI for configuring SSO - @pranavkanade @ankitakinger
• Design QA - @Debsourabh
• Get started with tests - @RakshaKShetty

[trishaanand]

Weekly targets :

• Design QA - @Debsourabh
• Continue with test cases - @RakshaKShetty
• Admin APIs for the server for configuration of IdP (Over the next two weeks) - @trishaanand
• Continue with cypress tests - @pranavkanade @ankitakinger
• CE upgrade to paid plan flow to be designed and finalized (Over the next two weeks) - @Debsourabh
• New designs for login screen containing only Sign in with SSO - @Debsourabh
• Test SSO with Rippling - @trishaanand @vuiets
• Fat container setup containing keycloak - @trishaanand
• Explore solutions for licensing the EE image - @trishaanand @mohanarpit

[pranavkanade]

TODO

1. Get new designs for admin settings page, login page from - @Debsourabh
2. UI changes for admin settings page- @ankitakinger
3. Go through test plan - team
4. OIDC, JWT - @trishaanand
5. Fat container setup - @trishaanand
6. Documentation for enterprise

Deprioritised Items

1. Admin APIs
2. Upgrade to paid plan

[hiteshjoshi]

• New OIDC integration directly with Spring JAVA. - In PR
• Admin APIs to configure OIDC on Appsmith - Not Started
• Expose the JWT tokens as server side replacement - In Progress

[hiteshjoshi]

• Merge OICD integration (build on top of Spring ) - In PR @trishaanand
• Refactoring of JWT tokens to make it production ready. - In progress @trishaanand
• Admin APIs to configure OIDC on Appsmith ( overflows to next week ) @trishaanand
• Admin settings page and login page changes to be merged - @pranavkanade
• Fat container QA - @RakshaKShetty
• Update test plans and add JWT token scenarios as well. - @RakshaKShetty
• Start doing documentation for integrations - @Pranay105 @trishaanand @ankitakinger
• UI improvements on admin settings page for SSO configuration. - @Debsourabh

[trishaanand]

• Admin settings page changes with new designs - @ankitakinger
• Fix fat container deployment - @trishaanand
• Fat container QA - @RakshaKShetty
• Continue adding more JWT token scenarios to the test plan and review - @RakshaKShetty @trishaanand @ankitakinger
• Start doing documentation for integrations with OIDC - @Pranay105 @trishaanand @ankitakinger @vuiets
• Documentation for JWT tokens - @vuiets @trishaanand @Pranay105
• Licensing Flow - @trishaanand

[trishaanand]

• Minor changes for OIDC settings page to be true to designs - @ankitakinger
• Continue adding more JWT token scenarios to the test plan and review - @RakshaKShetty @trishaanand @ankitakinger
• Continue with documentation of integrations with OIDC - @jnikhila @ankitakinger @trishaanand
• Documentation for JWT tokens - @vuiets @trishaanand @Pranay105
• Licensing Flow - @trishaanand
• Add a client side check for at least one authentication method being available before allowing disconnect - @ankitakinger
• Refresh token test for OIDC - @trishaanand

[hiteshjoshi]

Notes from Product, UI, QA catchup.

• [x] Form login reset button. Should be bundle with form login auth type for visibility. @ankitakinger
• [x] Buggy Server restart ( Fat container issue probably @trishaanand to check @yatinappsmith to provide logs )
• [ ] Improve UX for failed server restart modal. ( Ideas : add docs ) @Debsourabh

[trishaanand]

Minor change post design review on OIDC configuration screen - @ankitakinger Bug fixes with fat container - @trishaanand Bug fix for disconnect of OIDC leading to bad state - @trishaanand Get started with SAML admin APIs - @trishaanand Update restart banner - @ankitakinger

[hiteshjoshi]

User request around JWT tokens. “JWT token authentication on AppSmith editor GUI #7353”

[genfx86]

hello guys, any expected date for the release of this feature? as it was marked as part of Q4 2021

[Nikhil-Nandagopal]

@genfx86 this feature is actually now live and available in our enterprise edition. If you'd like to upgrade and start using our enterprise edition, you can find some time on our calendar below https://calendly.com/d/yvb3-dyks/talk-to-appsmith-team?month=2022-02

[woutr-nl]

So this feature won't be deployed to the community-edition?

[Nikhil-Nandagopal]

@woutr-nl yes it will only be available in the enterprise edition.

[mxkxf]

As the OP, it's a real shame this won't be available in the community edition.

I'm a huge fan of AppSmith and would love to suggest future features, but the profiteering from community ideas makes me feel very uneasy.

SSO is a basic security requirement, this website explains more and highlight companies that follow a similar within:

https://sso.tax

I'd love to ask you to reconsider, and wish you a good day.

[Nikhil-Nandagopal]

@mikefrancis thank you for your contribution. To be honest, we had planned on monetizing SSO as part of our paid edition since the inception of Appsmith. We do agree that it is a very important security requirement and we're working with all our early users on a usage-based pricing model that is fair, scalable and not a tax on organizations that need it. Appsmith has always intended to monetize features that are valuable to organizations that are willing to pay for them while continuing to provide a stellar open-source platform for individual developers and smaller teams to build their internal apps on. We have Google SSO available in the community edition because we saw that smaller teams did tend to need it a lot. Our monetization is with the sole goal of sustaining the development and growth of this project that we love. We hope you can see it from that perspective too.

[mxkxf]

@Nikhil-Nandagopal if you scroll back to the early comments after I created this, it's not clear that this would be enterprise only. A lot of the other commenters provide lots of product insight which you've used to help build your product. For free.

I understand y'all need to pay the bills and absolutely agree you should monetise this amazing software, but IMO you should make it clear when things are on an enterprise roadmap or that community ideas that are realised might not be available in the community edition.