Context
While most contributors work on a few platforms that nowadays are mostly managed through the team repository, the infrastructure team has to work with a lot of services, and most of them require us to create individual accounts on each service and manage them ourselves (for example adding or removing team members).
This results in a lot of credentials for team members to manage, and it makes it hard to remove access from team members when they leave the team (since we need to track down all the accounts they had).
We should implement some SSO solution for those services, ideally integrated with the team repository.
Possible options
We should not maintain our own SAML (authentication) or SCIM (account sync) implementation. This means we'll have to use one of the main commercial IdP implementations, like Google Workspace/Cloud Identity or Azure Active Directory. This would allow us to create username@rust-lang.org accounts (with or without email, if we don't need it) and configure SSO using those credentials. It should be possible for sync-team to then create accounts or tweak permissions as needed.
If we don't want to have a separate set of credentials though, and have people authenticate with GitHub, the situation gets tricky. Neither Google nor AD supports social login with GitHub for their enterprise directories, so we'd need some sort of "GitHub OAuth to SAML" bridge.
After looking for hours, the only solution Pietro found was Keycloak, an open source authentication platform developed by Red Hat. The platform would allow us to authenticate with GitHub OAuth and expose a SAML IdP out of it. That'd result in a "GitHub -> Keycloak -> Google/AD -> actual application" authentication redirect dance, and critically it's yet another service for us to host and keep secure. We can't use Keycloak directly since it lacks SCIM support, which means we'd need to implement user synchronization for every service we use.
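As an added illustration of what the SCIM side of such a setup would have to do (this is example code, not sync-team's or the team repository's own code), the snippet below reconciles team-repo membership against a service's user list and emits the SCIM 2.0 operations needed to close the gap. The member names, user ids and the `/Users` paths are constructed sample data; the schema URNs are the standard SCIM 2.0 ones.

```python
"""Plan SCIM operations so a service's accounts match the team repository.

Offboarding is the case that matters: anyone no longer in the team repo
is deactivated (not deleted, so audit history survives); returning members
are re-activated; missing members are created.
"""
import json

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
DOMAIN = "rust-lang.org"

# Constructed sample data: who should have access, per the team repository.
TEAM_MEMBERS = {"alice", "bob", "erin"}

# Constructed sample data: what the service's SCIM /Users endpoint reports.
# carol left the team but is still active; bob is back but still deactivated.
SERVICE_USERS = [
    {"id": "1001", "userName": "alice@rust-lang.org", "active": True},
    {"id": "1002", "userName": "bob@rust-lang.org", "active": False},
    {"id": "1003", "userName": "carol@rust-lang.org", "active": True},
    {"id": "1004", "userName": "dave@rust-lang.org", "active": False},
]


def set_active(active: bool) -> dict:
    """SCIM PatchOp body that flips a user's `active` attribute."""
    return {"schemas": [SCIM_PATCH],
            "Operations": [{"op": "replace", "path": "active", "value": active}]}


def plan_sync(team_members, service_users):
    """Return (method, path, body) tuples that bring the service in line."""
    desired = {f"{m}@{DOMAIN}" for m in team_members}
    actual = {u["userName"]: u for u in service_users}
    ops = []
    for name in sorted(desired - actual.keys()):          # members with no account yet
        ops.append(("POST", "/Users",
                    {"schemas": [SCIM_USER], "userName": name, "active": True}))
    for name, user in sorted(actual.items()):
        if name in desired and not user["active"]:        # returning member
            ops.append(("PATCH", f"/Users/{user['id']}", set_active(True)))
        elif name not in desired and user["active"]:      # left the team: revoke
            ops.append(("PATCH", f"/Users/{user['id']}", set_active(False)))
    return ops


if __name__ == "__main__":
    for method, path, body in plan_sync(TEAM_MEMBERS, SERVICE_USERS):
        print(method, path, json.dumps(body))
```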