mattermost-community / focalboard

Focalboard is an open source, self-hosted alternative to Trello, Notion, and Asana.
https://www.focalboard.com

Feature Request (Enterprise Edition): Federated authentication: SAML/OAuth/LDAP/RADIUS #103

Open adontz opened 3 years ago

adontz commented 3 years ago

Support some kind of federated authentication, well-known external user authentication.

It can be

Use cases I am thinking about are

it33 commented 3 years ago

Hi @adontz thanks for the enhancement idea!

This is probably more a feature for a future Focalboard Enterprise Edition (a future commercial version for large organizations) than a feature for the open source Focalboard Personal Desktop (for personal projects) or open source Focalboard Personal Server (for individuals and small teams).

jpleger commented 3 years ago

I don't think that this should be an "enterprise" feature. SSO shouldn't be a tax for users or small teams, especially since there is good support for OAuth in Go. At the very least support Google/Facebook/OAuth logins.

I can understand not wanting to support SAML, but it really upsets me when companies hide authentication behind "enterprise" features. So much so that if a company doesn't support it on their lowest tier, I will intentionally avoid that vendor unless there is a compelling reason to use them.

fastfend commented 3 years ago

I would suggest using passport.js, but as I see, Go is being used on the backend. Also, I strongly agree with @jpleger. Something like SSO in self-hosted solutions shouldn't be something exclusive to big corpos. As per topic, I think that it would be best if OAuth2/OIDC were the first to be implemented. As far as I know there is (like @jpleger said) good support for it.

adontz commented 3 years ago

I, as the original author, agree with the comments above. SSO is not an enterprise feature. DLP is an enterprise feature, advanced analytical reports are an enterprise feature, SSO is just a must-have these days.

guillaug commented 3 years ago

SSO is a must-have for small teams, I just don't use open-source projects that don't have them these days. We rely on different products for building internal tools and having a single authentication system is not a question anymore.

I use a self-hosted Keycloak instance for SSO, I would definitely use FocalBoard if both would work together.

jespino commented 3 years ago

@GuillauG we disagree on that, we think small teams can work perfectly fine without the need of SSO. That is ok to disagree. The thing is, we want to build an open core model on this project, and that means some features are going to be kept closed in the enterprise version, and most of them are being made publicly available for everybody. Our vision is to provide a huge amount of value to everybody, and at the same time keep this profitable to be able to keep investing in the project.

There is always a place where you have to draw the line in an Open Core model, and for us, the SSO/SAML/LDAP authentication falls in that bucket.

We are going to support SAML, OAuth2 (as SSO Authentication) and LDAP in the future almost for sure, but all of them are going to fall in the enterprise version.

I want to be clear and honest here, and I understand for some people that is going to be a stopper, but we really believe that is the price to pay to provide a huge amount of value for other use cases for free.

fastfend commented 3 years ago

Welcome to sso.tax! So it is going to be like with Mattermost. SSO for 8.5$ per user. Cool cool nice tax

jpleger commented 3 years ago

> @GuillauG we disagree on that, we think small teams can work perfectly fine without the need of SSO. That is ok to disagree. The thing is, we want to build an open core model on this project, and that means some features are going to be kept closed in the enterprise version, and most of them are being made publicly available for everybody. Our vision is to provide a huge amount of value to everybody, and at the same time keep this profitable to be able to keep investing in the project.

You have a bunch of early adopters and power users who are telling you that is not the case. Who is "we"? It certainly isn't the users/community who are giving you feedback contrary to your opinions. Having some sort of SSO is table stakes in 2021. When you gate features like this, you are harming users and decreasing the overall security posture.

Account takeovers are one of the biggest problems in security today and you are taking away one of the most important tools for users to take steps to secure their accounts. In essence you are saying that security isn't a feature that is included and you have to pay extra for. I say this as a security professional who has been doing this for 15+ years.

I'm all for open core stuff, but when you gate critical security features under an enterprise/paid version, it sends a very clear message that you don't care about the open source aspect of this project or the community which would like to support it and your primary motivation for doing it is around monetizing it.

That is totally fine and I understand it, but it is the wrong decision if you care about the security of your users and pretending otherwise is disingenuous. When I see projects that have this mindset, I mentally put them under the "free trial" bucket, not under the spirit of open source.

guillaug commented 3 years ago

Identity needs to be portable if you want a more decentralized web, based on open-source software. Non-tech people are lost if they have one account for each service their organization / non-profit provides.

A lot of small teams can not afford to spend hundreds of dollars per user per month for each of their members. Non-profits just can't, at least the ones I am working with. However, they still need the tools to do their work in order to have an impact. I see more and more organizations ready to spend more to be able to get out of the GAFAMs, but they can't spend that kind of money.

If you make SSO/OAuth2/LDAP a closed feature, you'll lose the opportunity for Focalboard to be one of the tools in a federated, self-hosted platform. Gitlab, NextCloud, Kimai, Matrix, RocketChat, CodiMD, Wekan, ERPNext are SSO/OAuth2/LDAP compatible in some way and I am using them because of it. Some have open-core models. They drew the line elsewhere.

I think it is just a question of time before SAML/OAuth2/LDAP features are included in open core models by default. Just wait until you're the last doing it...

Cheers

minecraftchest1 commented 3 years ago

If SSO does not get added to the free version, I will not use this software.

helmut72 commented 3 years ago

At least LDAP should be there. We don't have 2001, but 2021. This isn't a feature for a power user only.

minecraftchest1 commented 3 years ago

I'll be honest. OAuth2/OpenID Connect would probably be better, because users can use Keycloak LDAP federation if they need it. It also allows more flexibility by giving administrators different options for SSO.


adontz commented 3 years ago

> @GuillauG we disagree on that, we think small teams can work perfectly fine without the need of SSO. That is ok to disagree.

Sorry, but it is not OK to disagree if you ignore unanimous customer feedback. But what would I know about running a business, I am just a mechanic.

minecraftchest1 commented 3 years ago

> > @GuillauG we disagree on that, we think small teams can work perfectly fine without the need of SSO. That is ok to disagree.
>
> Sorry, but it is not OK to disagree if you ignore unanimous customer feedback. But what would I know about running a business, I am just a mechanic.

I agree with you @adontz. But what would I know, I only work in IT.

minecraftchest1 commented 3 years ago

Any update on this? Refusal from the developers with a non-answer. And "We don't think small teams need it" is NOT an answer. It is an excuse. Any free and open source product designed to be used in organizations that does not support external user auth without a license is not an app, product, or service. It is a security hole. PERIOD.

Ataraxxia commented 3 years ago

Size of the team doesn't matter. I work in multiple teams/companies consisting of no more than 10 people, and it's not a case of team size/project scope, but how many internal services you already have to support. If I can authenticate with SSO to all my services but not to Focalboard, then I am simply forced to reject it from the start in favour of a possibly worse solution that I don't really prefer but that has the basic things.

TheRealAlexV commented 3 years ago

I'm evaluating task board software for a non-profit, volunteer-run organization of about 40 or so people. I need a solution with central authentication with the rest of our apps. I have no issues implementing systems such as Keycloak or Authelia. When companies do things like this, it's a reason for me not to consider them when my organization does get funding for a better product. I'll most likely look at alternatives such as Jira or Trello in that case.

For others looking for a free alternative, GitLab has task boards and LDAP integration.

aroberts commented 2 years ago

I found my way here from #152, and suddenly it's clear why there's no traction on that ticket. I'm glad to know that any kind of login federation won't be available in this product (by "this", I mean the open source / open core self-hostable product) - it's good to know I can direct my attention and effort elsewhere.

TaskCafe may be a project worth following, if you're as disappointed as I am in this response - similar kanban-style presentation, though it's a fairly immature project, at least there looks to be a better base feature set for the containerization era - this attitude that only big-budget organizations are running an identity backend capable of federation is surprisingly dated.

jonathanspw commented 2 years ago

+1 for LDAP/OpenID/something. Hate to see this "only enterprise needs centralized logins" mentality.

minecraftchest1 commented 2 years ago

A potential customer lost.


tomeli5n commented 2 years ago

> A potential customer lost.

Realized loss in my case. My company chose another OSS kanban system with LDAP

alerque commented 2 years ago

I don't think Mattermost is worried about realized losses in the form of FOSS users that slip through the cracks. They clearly don't want to open the door to lose any potential enterprise clients that can get by on the free feature set.

As a long-time contributor even back to the early days on Mattermost (and ongoing especially in the form of packaging for Linux distros) I find this quite disappointing and definitely consider it a reason to prioritize contributions to other projects.

alexanderadam commented 2 years ago

Maybe I'm mistaken here but Focalboard is also integrated in Mattermost since version v5.36 and Mattermost is able to use LDAP (or SSH via GitLab if you're running GitLab, too). Thus most enterprise users will use Mattermost anyway and therefore have LDAP support already, right?

Therefore this feature is only about folks who want to use Focalboard without Mattermost then?

Otherwise I'm sure the Mattermost folks would embrace someone contributing this feature to the free edition. There are also battle tested packages available to support OIDC in Go (i.e. go-oidc, oidc and others).

proffalken commented 1 year ago

> > A potential customer lost.
>
> Realized loss in my case. My company chose another OSS kanban system with LDAP

@tomeli5n - what did you switch to out of interest? I've had Focalboard up and running for a while, but now need to move to LDAP or similar for centralised auth, and to see this attitude from the core team is really quite disappointing.

tomeli5n commented 1 year ago

@proffalken we switched to kanboard


proffalken commented 1 year ago

@tomeli5n amazing, thank you!

bsilla commented 1 year ago

Really hoped they changed their minds with community feedback but that apparently never happened. Focalboard is out for us.

matbgn commented 1 year ago

We are also out!

NB: If your enterprise is searching for something else, maybe ERPNext and its Kanban could be a solution. Anyway, after waiting for any signal indicating that Mattermost will change its mind, we are giving them a try in the next few weeks.

matbgn commented 1 year ago

I seriously enlighten you all to test this solution https://github.com/devaslanphp/project-management

Passionate dev and really solution oriented as you can see here: https://github.com/devaslanphp/project-management/issues/48

satoshinotdead commented 1 year ago

We are leaving self-hosted Mattermost and Focalboard because of the lack of SSO.

And I like that organizations need to really offer premium features to receive money from the plebs 🧡

moeffju commented 1 year ago

So now that this has moved to "fully community-supported", have the SSO plans changed? Is there any SSO code you can commit to the "community" version now that monetization seems to be off the table?

chitralverma commented 9 months ago

Any updates on an auth integration in the community version?

alexanderadam commented 9 months ago

> Any updates on an auth integration in the community version?

Folks, please read the announcement in the README:

> Mattermost developers will not be adding any new enhancements or bug fixes beyond September 15th, 2023.

It is now only community driven. This means, nobody will do it unless you do it yourself. It's like an open source project without official maintainer.

Since then only three commits have been made and one of them is only a commit to remove all mentions of Mattermost.

Most companies that I know that were using Focalboard before, are now using Vikunja or OpenProject.