Feature Request: Single Sign-On
Following on from https://forum.mayan-edms.com/viewtopic.php?f=7&t=1475, I thought there should be a note somewhere for SSO.
LDAP is good for a lot of use cases, but as time goes on I do think we'll get SSO requested more from enterprise users. Services like Okta are growing exponentially so we will come across users wanting it soon.
To be clear, I'm not referring to Mayan EDMS acting as an authentication provider (although if we wanted to, there's code for that already), but being able to sign users in with an existing authentication provider. What users think of as SSO often isn't actual SSO. The difference between authentication (OpenID/OAuth) and automatic logon with one account (SAML), so potentially we can cover many use cases with federated login through OpenID and SAML at a future date.
In my experience, OpenID is preferred by smaller organisations (easier to set up, I think, using an existing Gsuite/Github etc. account) whereas SAML is when they don't want users to ever experience a login page and is a bit more complex to implement for operators.
There are projects already covering both of them.
For OpenID/OAuth: https://github.com/mozilla/mozilla-django-oidc https://pypi.org/project/django-auth-oidc/
For SAML: https://github.com/fangli/django-saml2-auth https://github.com/onelogin/python3-saml
There are multiple implementation "phases" I see here, in order of priority and difficulty:
1 - A bit of testing then documentation on using one of the above libraries with users providing overrides at the urls.py level. Provides basic federated login.
2 - Work on integrating the settings into the main Mayan settings modules so they can configure it in config.yml/the web UI. Still no tight connection between the two systems.
3 - Work on an Authentication app that supports one of the above and can assist in managing user/group mappings as well as configuring the settings for the user.
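
As an added illustration of phase 1 (not part of the original post and not Mayan EDMS code), the sketch below builds the Django settings that mozilla-django-oidc reads and refuses to start with missing values or non-HTTPS provider endpoints. The helper name, the choice to read values from a mapping keyed by the setting names, the `OIDC_CREATE_USER` default and the sample provider URLs are assumptions made for the example.

```python
"""Added example: validated settings for mozilla-django-oidc (phase 1)."""
from urllib.parse import urlparse

# Setting names read by mozilla-django-oidc; values come from the operator.
REQUIRED = (
    "OIDC_RP_CLIENT_ID", "OIDC_RP_CLIENT_SECRET",
    "OIDC_OP_AUTHORIZATION_ENDPOINT", "OIDC_OP_TOKEN_ENDPOINT",
    "OIDC_OP_USER_ENDPOINT", "OIDC_OP_JWKS_ENDPOINT",
)

def build_oidc_settings(env):
    """Return a dict of Django settings, or raise ValueError (fail closed)."""
    missing = [key for key in REQUIRED if not env.get(key)]
    if missing:
        raise ValueError("missing OIDC settings: " + ", ".join(missing))
    for key in REQUIRED:
        if key.endswith("_ENDPOINT"):
            url = urlparse(env[key])
            # Tokens and client secrets cross these URLs: require TLS.
            if url.scheme != "https" or not url.netloc:
                raise ValueError(key + " must be an absolute https URL")
    settings = {key: env[key] for key in REQUIRED}
    settings.update({
        # RS256 makes the library verify ID tokens against the JWKS endpoint.
        "OIDC_RP_SIGN_ALGO": "RS256",
        # Example's choice: no automatic account creation unless opted in.
        "OIDC_CREATE_USER": env.get("OIDC_CREATE_USER", "false").lower() == "true",
        # Local accounts keep working next to federated login.
        "AUTHENTICATION_BACKENDS": [
            "mozilla_django_oidc.auth.OIDCAuthenticationBackend",
            "django.contrib.auth.backends.ModelBackend",
        ],
    })
    return settings

# Constructed sample values; idp.example.test is a placeholder provider.
SAMPLE_ENV = {
    "OIDC_RP_CLIENT_ID": "mayan-edms",
    "OIDC_RP_CLIENT_SECRET": "constructed-sample-secret",
    "OIDC_OP_AUTHORIZATION_ENDPOINT": "https://idp.example.test/authorize",
    "OIDC_OP_TOKEN_ENDPOINT": "https://idp.example.test/token",
    "OIDC_OP_USER_ENDPOINT": "https://idp.example.test/userinfo",
    "OIDC_OP_JWKS_ENDPOINT": "https://idp.example.test/jwks",
}

# In a user settings module: globals().update(build_oidc_settings(os.environ)),
# add "mozilla_django_oidc" to INSTALLED_APPS, and in the urls.py override:
#   path("oidc/", include("mozilla_django_oidc.urls"))
```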