LDAP support for users?

Hi,

As we increase our commercial offering based on LoRaServer.io, we’re looking at how we authenticate against the platform.

Is there any way to use SAML/LDAP to integrate some form of SSO with the web interface?

Thanks :slight_smile:


This is (currently) not possible.

Thanks Brocaar, are there any plans to add this? Or am I better off wrapping the API in my own front-end for the moment?

This is not something I have on my backlog right now. Potentially you could wrap the login endpoint to check against an external authentication server and if the credentials are valid, return a JWT token :slight_smile:

OpenID Connect support is coming:


This is a thing of beauty, thank you! :slight_smile:

@brocaar Could you clarify the middle paragraph in the commit? Our use of the ChirpStack UI is solely for administrative purposes, so we put a GitHub OAuth proxy in front of it, and use role-based logins (admin, read-only, etc). Does this mean we now need email addresses attached to ChirpStack accounts?

A bit of clarification:

Previously there was a username and email field. The latter was never used apart from in the user form. In the above commit I have renamed username to email and email to email_old (in case you want to update the username in email with an actual email, solving potential unique conflicts manually). The reason to not migrate email to username is that there was no unique constraint on the index, so this could break.

This means you can still log in with the username after updating, but when you want to update the user, you must set it to a valid email address.

The reason to move away from the username is that the email can be provided by the OpenID Connect integration. OpenID Connect can provide a user ID, but what I have seen with Auth0 is that this is more of a random string (it is stored in the ChirpStack AS database), not something to present in a user interface.

This also means that when a user exists in the ChirpStack AS database with an email, then when turning on OpenID Connect, the user will be automatically linked by email on login.

ChirpStack Application Server will try to log in the user in two steps:

  • Find user by “external ID” (which is the ID provided by the OpenID Connect provider)
    • This also updates the email of the user if needed (e.g. when the user changed its email at the OpenID Connect provider)
  • Find user by “email”
    • This sets the “external ID”
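The two-step lookup described in the post above, as an added Go example (not ChirpStack's own code). It assumes an in-memory user slice in place of the AS database, and it adds an email_verified check before linking by email, which is an assumption of this example and not something the thread states.

```go
package main

import "errors"

// User holds the fields the post describes: the email (login name after the
// migration) and the external ID set by the OpenID Connect provider.
type User struct {
	ID         int
	Email      string
	ExternalID string
}

// Claims is the part of the ID token the linking step uses. EmailVerified is
// an assumed extra check; the thread does not mention it.
type Claims struct {
	Subject       string // provider "sub", stored as the external ID
	Email         string
	EmailVerified bool
}

var ErrNoUser = errors.New("no matching user")

// LinkOIDCUser implements the two-step login from the post. It returns the
// user and whether this login linked the account for the first time.
func LinkOIDCUser(users []*User, c Claims) (*User, bool, error) {
	// Step 1: find by external ID and refresh a changed email.
	for _, u := range users {
		if u.ExternalID != "" && u.ExternalID == c.Subject {
			u.Email = c.Email
			return u, false, nil
		}
	}
	// Step 2: find by email and set the external ID. Only a verified email
	// may be used to claim an existing account (assumed safeguard).
	if !c.EmailVerified {
		return nil, false, errors.New("refusing to link by unverified email")
	}
	for _, u := range users {
		if u.Email == c.Email {
			if u.ExternalID != "" {
				return nil, false, errors.New("email already linked to another external ID")
			}
			u.ExternalID = c.Subject
			return u, true, nil
		}
	}
	return nil, false, ErrNoUser
}
```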

If you are interested in integrating SAML or LDAP with ChirpStack OpenID, you can use Keycloak as an OpenID client and add either a SAML identity provider or LDAP User Federation provider to Keycloak.

Keycloak will then work as an identity broker between your ChirpStack service and your IdP (SAML or LDAP).
