Description
The UI login screen should show a [Sign In Using SAML] button if SAML is turned on for that cluster.
When the user presses that button, the UI should redirect the user to the SAML sign-in endpoint. That endpoint redirects the user to the SAML IdP (identity provider, e.g. Okta), where the user authenticates. After successful authentication the identity provider redirects the user back to the UI.
Single logout: single logout is optional. If it is turned off, the UI should use the regular logout for SAML users. If it is turned on, instead of the regular logout the UI should perform a "SAML single logout", which basically means redirecting the user to the SAML logout endpoint.
We should not forget about:
- Enabling external users when SAML is enabled
- When we create an external user and LDAP is enabled, we also try to find that user in LDAP. This can be very confusing if the user being created is actually a SAML user: the UI will show "not found" for a user that is not expected to be in LDAP at all.
API to sign-in: GET /saml/auth
API to log-out: GET /saml/deauth
API to check if SAML is enabled (when user is not authenticated yet): GET /_ui/authMethods
API to check if SAML logout is enabled: GET /settings/saml
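The login/logout decisions described above and the LDAP "not found" caveat from the list, as an added example that is not Couchbase UI code. The endpoint paths are the ones listed in this ticket; the JSON field names `saml`, `enabled` and `singleLogout`, the `isSaml` session flag, the `/uilogout` regular-logout path and the canned responses are assumptions made for the example:

```javascript
// Added example, not Couchbase UI code. Endpoint paths are the ones named in
// the ticket; the JSON field names, the `isSaml` session flag and the
// regular-logout path are assumptions made for the example.

const AUTH_METHODS_PATH = "/_ui/authMethods"; // from ticket: unauthenticated probe
const SAML_SETTINGS_PATH = "/settings/saml";  // from ticket: is single logout on?
const SAML_SIGN_IN_PATH = "/saml/auth";       // from ticket
const SAML_SIGN_OUT_PATH = "/saml/deauth";    // from ticket
const REGULAR_LOGOUT_PATH = "/uilogout";      // assumption: placeholder for the regular UI logout

// Login screen: render the SAML button only when the cluster reports SAML on.
// Assumed response shape: { saml: true|false }.
function loginOptions(authMethods) {
  return { showSamlButton: authMethods.saml === true };
}

// Where the [Sign In Using SAML] button sends the browser. A fixed same-origin
// path: never build this from a query parameter or other user-controlled
// input, or the login page becomes an open redirect.
function samlSignInTarget() {
  return SAML_SIGN_IN_PATH;
}

// Logout: non-SAML sessions always use the regular logout. SAML sessions use
// the SAML logout endpoint only when single logout is turned on; otherwise
// the regular logout is used, which ends the UI session but leaves any IdP
// session untouched. Assumed settings shape: { enabled, singleLogout }.
function logoutTarget(session, samlSettings) {
  if (!session.isSaml) return REGULAR_LOGOUT_PATH;
  const slo =
    samlSettings !== null &&
    samlSettings !== undefined &&
    samlSettings.enabled === true &&
    samlSettings.singleLogout === true;
  return slo ? SAML_SIGN_OUT_PATH : REGULAR_LOGOUT_PATH;
}

// Creating an external user while LDAP is enabled triggers an LDAP lookup.
// A miss is expected for a SAML user, so the message should say so instead
// of a bare "not found".
function externalUserLookupMessage(authMethods, foundInLdap) {
  if (foundInLdap) return "User found in LDAP.";
  if (authMethods.saml === true) {
    return "User not found in LDAP; this is expected if the user signs in via SAML.";
  }
  return "User not found in LDAP.";
}

// Driver wiring the decisions to the endpoints. `http` is an injected
// async (path) => parsed JSON, so the flow runs offline with canned responses.
async function samlUiFlow(http, session) {
  const methods = await http(AUTH_METHODS_PATH);
  const login = loginOptions(methods);
  const signIn = login.showSamlButton ? samlSignInTarget() : null;
  const settings = session.isSaml ? await http(SAML_SETTINGS_PATH) : null;
  const logout = logoutTarget(session, settings);
  return { signIn, logout };
}

// Constructed responses (not captured from a real cluster).
const SAMPLE_RESPONSES = {
  [AUTH_METHODS_PATH]: { saml: true },
  [SAML_SETTINGS_PATH]: { enabled: true, singleLogout: false },
};

function cannedHttp(responses) {
  return async (path) => {
    if (!(path in responses)) throw new Error("unexpected request: " + path);
    return responses[path];
  };
}

samlUiFlow(cannedHttp(SAMPLE_RESPONSES), { isSaml: true })
  .then((r) => console.log(JSON.stringify(r)));
```

Two points worth keeping in mind when wiring this into the real UI: the sign-in target is a fixed relative path, so it must never be derived from the request (that is the classic open-redirect mistake on login pages), and when single logout is off the regular logout only ends the UI session, so a user who clicks the SAML button again may be signed straight back in by the IdP without being prompted for credentials.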
Issue Links
- blocks MB-24487 SAML SSO authentication for Couchbase Admin UI (Closed)