Define core SSO architecture for external identity providers #8080

Description

@DavidePrincipi

NS8 applications currently authenticate users only against internal user domains (Samba AD, OpenLDAP) or external LDAP servers. There is growing demand to let applications authenticate against cloud identity providers, enabling single sign-on (SSO) across the cluster.

🎯 Define the core NS8 architecture for federated authentication with external identity providers, such as Microsoft Entra ID and Google. This is a design issue: the expected outcome is an architectural document covering at least:

  • the authentication protocol choice (e.g. OpenID Connect) and how the core mediates between applications and identity providers
  • how external identities relate to the existing user domain model (provisioning, mapping, group membership)
  • which core components are involved (e.g. an identity broker service, HTTP routes, TLS certificates) and their configuration UI
  • how future application integrations (Nextcloud, WebTop, NethVoice) will consume the architecture

Non-goals

  • Implementing SSO support in individual applications: each integration will be tracked by its own issue, once this architecture is defined.
  • Replacing existing LDAP-based authentication, which remains fully supported.

Metadata

Labels: milestone goal 👑 (this describes an announced milestone goal)
Status: ToDo