erwindon / SaltGUI

A web interface for managing SaltStack based infrastructure.
MIT License

Allow for SSO login (Google, GitHub etc) #617

Closed Crispy1975 closed 4 months ago

Crispy1975 commented 4 months ago

Is your feature request related to a problem? Please describe.

We have just installed SaltGUI behind a cloudflared tunnel. This allows us to authenticate users accessing SaltGUI. This works as expected and our users cannot see the UI without being fully authenticated. However, this of course presents users with a SaltGUI login page; it is at this point we need to allow user access without a double login flow.

Looking at the tunnel connector logs we see the header Cf-Access-Authenticated-User-Email containing the correct authenticated user email address. My question is if there is a way we can use this with SaltGUI/Salt to authenticate that user. I've checked the Salt docs on how it's possible to restrict pam users to certain permissions, however we would love to do this using a full SSO login flow to maintain security and end user joy. :-)

Describe the solution you'd like

Be able to detect an SSO authenticated user and apply permissions to their login session.

I am happy to investigate this as a contribution, however, I wanted to ask first to see if there was something that might just work without a lot of development. I suspect that I might need to do something on the salt-api side of things. 🤔

erwindon commented 4 months ago

@Crispy1975 salt-api supports all of the mechanisms shown on https://docs.saltproject.io/en/latest/ref/auth/all/index.html. SaltGUI has the most common of these in the dropdown-list on the login page, but others can be made visible by using a simple configuration as described in the SaltGUI manual.

One supported mechanism (which is also the default) is the "pam" mechanism. This allows further configuration with anything that the Linux PAM mechanism has to offer. For standard Linux systems, this is configured to use the local /etc/passwd file, but it can be configured for almost anything else. See your PAM documentation for more details.

Please take the following steps:

Since SaltGUI uses only the built-in security mechanisms from salt-api, I never have to worry about delivering an unsafe edition of SaltGUI. Changing that will be technically complex and may make SaltGUI unsafe to use. That is why I decided to never extend SaltGUI in that way. Luckily the existing mechanisms are very extensive.
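As an added illustration of the "restrict pam users to certain permissions" approach discussed above (this is not code from SaltGUI or salt-api, and the user names, minion ids and rules are constructed), the Python below models how a salt master `external_auth` block for the `pam` backend grants each authenticated user only a subset of targets and functions. The matching logic is a simplified reimplementation of Salt's documented glob semantics, not Salt's own code, and it only covers authorization after salt-api has already authenticated the user; identity still comes from the eauth backend, never from a client-supplied header.

```python
import fnmatch

# Constructed example of a salt master `external_auth` block for the "pam"
# eauth backend. Each user maps to a list of rules: a bare string is a
# function glob that applies to every minion; a dict maps a minion-id glob
# to the function globs allowed on matching minions. Values are invented.
EXTERNAL_AUTH = {
    "pam": {
        "alice": [
            "test.ping",                              # allowed on all minions
            {"web*": ["state.apply", "service.*"]},   # only on web* minions
        ],
        "bob": [
            {"db*": ["test.*"]},                      # read-only style checks on db*
        ],
    },
}


def _rule_allows(rule, minion_id, function):
    """Return True if a single rule grants `function` on `minion_id`.

    Simplified model of Salt's eauth matching: strings are function globs
    valid for every minion; dicts map a minion-id glob to function globs.
    Anything else is treated as malformed and grants nothing.
    """
    if isinstance(rule, str):
        return fnmatch.fnmatchcase(function, rule)
    if isinstance(rule, dict):
        for target_glob, funcs in rule.items():
            if not fnmatch.fnmatchcase(minion_id, target_glob):
                continue
            if isinstance(funcs, str):
                funcs = [funcs]
            if any(fnmatch.fnmatchcase(function, f) for f in funcs):
                return True
    return False


def is_allowed(auth_config, eauth, username, minion_id, function):
    """Decide whether `username`, authenticated via backend `eauth`, may run
    `function` on `minion_id`. Unknown backends or users get nothing
    (deny by default), which is the least-privilege posture you want here.
    """
    rules = auth_config.get(eauth, {}).get(username, [])
    return any(_rule_allows(rule, minion_id, function) for rule in rules)


def permissions_report(auth_config, eauth, username, requests):
    """Evaluate a list of (minion_id, function) requests for one user and
    return {(minion_id, function): allowed} so the effect of a rule set can
    be reviewed before it is deployed to the master."""
    return {
        (minion_id, function): is_allowed(auth_config, eauth, username, minion_id, function)
        for minion_id, function in requests
    }


if __name__ == "__main__":
    checks = [("web01", "state.apply"), ("db01", "state.apply"), ("db01", "test.ping")]
    for user in ("alice", "bob", "mallory"):
        for (minion, func), ok in permissions_report(EXTERNAL_AUTH, "pam", user, checks).items():
            print(f"{user:8} {minion:6} {func:12} {'allow' if ok else 'deny'}")
```

The `permissions_report` helper is the part worth keeping around: run it against the rule set you intend to ship and confirm that every high-impact function (`state.*`, `cmd.*`) is denied for users who should not have it, and that a user the backend has never heard of gets nothing at all.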

Crispy1975 commented 4 months ago

Thanks @erwindon I'll investigate the options with salt-api and post back on findings. 👍🏻

erwindon commented 4 months ago

I'll close this issue for now. Feel free to post more information in this issue. I'll reopen it when there is a need.