Authentication

Software Factory supports several authentication backends. The Cauth component is used to enforce all authenticated HTTP access.

Single Sign On

Software Factory provides a unified authentication for services such as Gerrit. Logging out from one service logs you out from other services as well.

Currently SF provides five kinds of backends to authenticate:

• Oauth2 for Github, Google and Bitbucket
• OpenID (e.g. for Launchpad)
• local user database hosted in the managesf node
• LDAP backend
• SAML2

Admin user

The admin user is hard coded and only the password can be defined. To change the admin user password, edits sfconfig.yaml:

authentication:
  admin_password: userpass

OAuth2-based authentication

Software Factory allows authentication with several OAuth2-based identity providers. The following providers are currently supported:

• GitHub
• Google (user data will be fetched from Google+)
• BitBucket

You have to register your SF deployment with the provider of your choice in order to enable authentication. Please refer to the provider’s documentation to do so. The OAuth2 protocol will always require a callback URL regardless of the provider. This URL is https://fqdn/auth/login/oauth2/callback

Heres is an example of setting up the GitHub authentication:

Log on https://github.com and open https://github.com/settings/developers and select “register a new application”

You have to complete the form, the following parameters are mandatory:

• Application name: $fqdn
• Homepage URL: https://$fqdn/auth/login
• Authorization callback URL: https://$fqdn/auth/login/oauth2/callback

During configuration, the identity provider will generate a client ID and a client secret that are needed to complete the configuration in /etc/software-factory/sfconfig.yaml.

authentication:
  oauth2:
    github:
      disabled: False
      client_id: "Client ID"
      client_secret: "Client Secret"

Apply the configuration by running sfconfig and open https://$fqdn/auth/login, select github, you will be redirected to a github page to authorize application, validate. Github could now be used to authenticate yours users.

The other OAuth2 providers can be set up in a similar fashion. Because of possible collisions between user names and other details, it is advised to use only one provider per deployment.

The GitHub provider also lets you filter users logging in depending on the organizations they belong to, with the field “github_allowed_organizations”. Leave blank if not necessary.

OpenID authentication

Similarly, an OpenID provider can be used for authentication. Only a single OpenID provider can be configured at a time, for example to use Launchpad:

authentication:
  openid:
    disabled: False
    server: https://login.launchpad.net/+openid
    login_button_text: "Log in with Launchpad"

OpenID Connect authentication

An OpenID Connect provider can be used for authentication. Likewise OAuth2, it requires an application created on the provider to provides a client_id and client_secret. The callback URL will be: https://fqdn/auth/login/openid_connect/callback .

Moreover it needs an issuer_url to retrieve the openid-configuration. Only a single OpenID Connect provider can be configured at a time.

authentication:
  openid_connect:
      disabled: False
      issuer_url: https://accounts.google.com/
      login_button_text: "Log in with Google"
      client_id:
      client_secret:

The issuer_url can be tested using the /.well-known/openid-configuration uri path, e.g.: https://accounts.google.com/.well-known/openid-configuration

Single Sign-On with SAML2

Software Factory can be configured as a Service Provider and rely on an external Identity Provider using the SAML2 protocol for users authentication.

The configuration of the single sign-on with SAML2 requires the operator to know which user properties and attributes will be sent by the Identity Provider to Software Factory, as they need to be mapped to the following user properties in Software Factory’s configuration file:

• login: the user name on Software Factory
• email: the email address
• name: the full name of the user
• uid: the unique identifier of the user on the Identity Provider

If the Identity Provider exposes the SSH public key(s) of its users in an attribute, it is possible to map the keys to ssh_keys, and specify a delimiter character to split the keys from this attribute value.

Here is an example configuration for a Keycloak Identity Provider, using the default built-in user properties for “email” and “name”, and custom-defined attributes for “login” and “uid” (See Keycloak’s documentation for more details on how to create custom mappings for SAML2):

authentication:
  SAML2:
    # set to true to activate
    disabled: true
    # Customize the login prompt here
    login_button_text: "Log in with Keycloak"
    # if the Identity Provider has a mapping for ssh keys, the delimiter
    # character will be used to split multiple keys
    key_delimiter: ','
    mapping:
      login: "username"
      email: "urn:oid:1.2.840.113549.1.9.1"
      name: "urn:oid:2.5.4.42"
      uid: "uid"
      ssh_keys: ""

Run sfconfig once to initialize the Service Provider metadata. You will then be prompted with this message at the end of the run:

Service Provider metadata is available at /etc/httpd/saml2/mellon_metadata.xml
Once you have the Identity Provider metadata, run:
  sfconfig --set-idp-metadata <path/to/metadata.xml>

The file /etc/httpd/saml2/mellon_metadata.xml must then be forwarded to the Identity Provider in order to register Software Factory as one of its Service Providers. The Identity Provider’s administrator should send you the identity provider’s metadata back in the form of a file or a URL. Re-run sfconfig with the path to the metadata to finalize the configuration and activate the Single Sign-On:

sfconfig --set-idp-metadata <path/to/idp_metadata.xml>

Local user management

For simple deployments without an Identity Provider, you can manage the users through the SFManager command-line utility (except for the default admin user, defined in the sfconfig.yaml file).

For example, to create a local user, run this command on the install-server:

sfmanager user create --username demo --password demo
    --email demo@sftests.com --fullname "A local demo user"

Other authentication settings

Cookie timeout

The SSO cookie timeout can also be changed:

authentication:
  # timeout of sessions in seconds
  sso_cookie_timeout: 43200

Identity provider data sync

By default, user data such as full name or email address are synchronized upon each successful login. Users can disable this behavior in the user settings page (available from top right menu). When disabled, users can manage the email address used in Software Factory service indepently from the identity provider data.