SAML 2.0, or OpenID Authentication

1 vote

I would like SAML 2.0 or OIDC as an authentication method. We would like to use Onelogin as authenticator.

All Comments (8)

Hi Bryan,

We had implemented this in our Hub product, due to user requests, and it ultimately only brought frustration because people felt that they also required group memberships, which is not part of the official spec. We played around with SCIM, but vendors tend to rely on extensions which seems to make the standard less useful because we need to make something really flexible and customizable, which takes time.

Personally I do see some potential for contractors, but the portfolio committee is reluctant and the decision has always been "not now". It would require mixing our groups (Entra, DVLS, etc.) and most customers want simplicity in the RBAC.

We have a lot of requests and items on our roadmap, and the question is what we will remove from our board in order to work on this. Right now I would say that it won't be added in the short term.

We can book a call if you want to discuss this further.

Maurice

Yes we would need group memberships as that is what would provide folder permissions.

Hello,
We would like to use our SAML 2.0 solution as an authentication method. However, we noticed that your platform currently supports only Microsoft SSO and Okta, which seems quite limiting. In today's environment, most applications and services provide SAML 2.0 integration, as it is widely recognized for its compatibility, scalability, and strong security features.
By supporting SAML 2.0, your platform could cater to a broader range of customers who rely on this standard for seamless authentication across diverse systems. Moreover, it aligns with modern security practices, ensuring flexibility for organizations using hybrid or non-standard identity solutions.
We believe adding SAML 2.0 support would enhance your product's value and usability for a wider audience.

Hi Javad,

Since you are representing your company that does offer an IdP, I can understand your viewpoint.

But for our customers, the reality is that simply integrating an IdP using SAML/OIDC is insufficient. The great majority requires group membership as well in order to run our RBAC. Sadly, that part of the standards is anything but standard, and we need to customize for each and every IdP.

Because of this fact, and also because we are driven by our customers' requests, we only implement vendors that are requested by the community.

Best regards,

Maurice

Hi Maurice,
Thank you for your response and for sharing the challenges regarding group membership and RBAC. I understand that integrating SAML/OIDC can sometimes require additional customization for specific IdPs.
That said, since you are already supporting Microsoft SSO, which uses a protocol very similar to SAML 2.0, I believe the integration of SAML 2.0 could be a smooth addition. Many applications and services today offer SAML 2.0 support, and there are widely accepted standards for integrating it, meaning it doesn't require custom work for each customer. By supporting SAML 2.0, you could provide a flexible solution that works seamlessly with many identity providers, much like how you integrate Microsoft SSO.
I hope this clarifies how SAML 2.0 could be implemented without needing unique customizations for every customer, and I believe this would greatly enhance your platform’s flexibility and compatibility with a broader range of services.
BR
Javad

Hi Javad,

We will let our customers share their thoughts.

Please contact me by Direct Messaging if you feel the need to add to this discussion.

Best regards,

Maurice

Hi everyone,

I know this thread is old, but I want to bring it up again because this is a huge topic for us.

We host everything ourselves (DVLS on Docker/Linux with Authentik as IdP). For us, data sovereignty is the most important part of security.

We do not use Cloud services like Azure AD, Okta, or Ping. We cannot use them because of privacy concerns regarding the CLOUD Act, Patriot Act, and Five Eyes. We do not trust these government-related institutions with our data. We prefer to host everything on-premise, even if it is more work for us.

Currently, DVLS only supports the big Cloud providers. This stops us from using SSO in our secure environment.

What we need:
We don't need complex features like SCIM right now. We are fine with managing groups manually.

We just need a simple, generic OpenID Connect (OIDC) or SAML option where we can:

  1. Enter our own Issuer URL, Client ID, and Secret.
  2. Connect it to our self-hosted IdP (like Authentik).
  3. Run it on the Docker/Linux version of DVLS.

Could you please give us a quick update on the current status of this request? If you decide to work on this feature, we would be happy to support you as beta testers.

Best regards,
Sebastian
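Two points in this thread meet in one piece of code: Maurice's observation that group membership is not part of the core OIDC/SAML spec and lands in a different claim per IdP, and Sebastian's request for a generic option configured with only an Issuer URL and Client ID. The example below is added here and is not DVLS or Devolutions code: the standard checks (issuer, audience, expiry) are identical for every IdP, while the group claim path and the group-to-role mapping are per-IdP configuration. The issuer URLs, client ID, claim layouts and group names are constructed; the token is assumed to have had its signature verified before its claims reach this code.

```python
import time
from dataclasses import dataclass


@dataclass
class IdpProfile:
    """Per-IdP settings a generic OIDC option would store: the standard part
    (issuer, client ID) plus the non-standard part (where groups live)."""
    issuer: str
    client_id: str
    groups_claim: str    # dotted claim path, e.g. "groups" or "realm_access.roles"
    group_to_role: dict  # IdP group value (name or ID) -> application RBAC role


class TokenError(ValueError):
    pass


def _claim_path(claims, path):
    """Walk a dotted path into the claims; always return a list of values."""
    node = claims
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return []
        node = node[part]
    return node if isinstance(node, list) else [node]


def validate_claims(claims, profile, now=None):
    """Checks that are the same for every IdP: iss, aud and exp (OIDC Core 3.1.3.7)."""
    now = time.time() if now is None else now
    if claims.get("iss") != profile.issuer:
        raise TokenError("issuer mismatch")
    aud = claims.get("aud")
    if profile.client_id not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("audience mismatch")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise TokenError("token expired or exp missing")
    return True


def resolve_roles(claims, profile, now=None):
    """Validate the token, then map IdP groups to application roles (fail closed:
    unknown groups grant nothing). Returns (subject, sorted roles)."""
    validate_claims(claims, profile, now)
    groups = _claim_path(claims, profile.groups_claim)
    roles = {profile.group_to_role[g] for g in groups if g in profile.group_to_role}
    return claims["sub"], sorted(roles)


# Constructed profiles: Authentik exposes group names under "groups"; Keycloak nests
# realm roles under "realm_access.roles". Same validator, different claim config.
AUTHENTIK = IdpProfile("https://auth.example.internal/application/o/dvls/", "dvls-client",
                       "groups", {"vault-admins": "Administrator", "devops": "Contributor"})
KEYCLOAK = IdpProfile("https://sso.example.internal/realms/corp", "dvls-client",
                      "realm_access.roles", {"dvls-reader": "Reader"})
# Constructed claim sets, as they would look after signature verification.
AUTHENTIK_CLAIMS = {"iss": AUTHENTIK.issuer, "aud": "dvls-client", "sub": "u-1",
                    "exp": 1_700_000_600, "groups": ["devops", "finance"]}
KEYCLOAK_CLAIMS = {"iss": KEYCLOAK.issuer, "aud": ["dvls-client", "account"], "sub": "u-2",
                   "exp": 1_700_000_600, "realm_access": {"roles": ["dvls-reader", "offline_access"]}}
```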

Hi,

I wanted to chime in and say that the following post also requests the same features: https://forum.devolutions.net/topics/50807/duo-sso-integration

Marc-Antoine Dubois