#237  Convert Builtin users to SSO users
Closed
Sebastien Collier opened 3 years ago

When initially setting up OneDev I created users for testing purposes. Now I have enabled SSO, but there is no way to convert users.

When attempting to SSO with an existing user, it says that the account already exists. It would be great if this converted users if they choose to SSO in.

Robin Shen commented 3 years ago

Converting an existing user to SSO automatically will impose a security issue: assume a hacker wants to access private projects of a built-in user; he can register a user with the same name on the SSO source, and log in via SSO to take over the built-in user.

Robin Shen commented 3 years ago

Instead, you may convert a built-in user to an SSO user by running the SQL below on the database:

update o_User set o_password='external_managed', o_SSO_CONNECTOR = '<SSO_PROVIDER_NAME>', o_SSO_SUBJECT = '<SSO_SUBJECT_NAME>' where o_name='<LOGIN_NAME>';

Here:

  • <SSO_PROVIDER_NAME> should be replaced by the name of the SSO provider you defined in OneDev
  • <SSO_SUBJECT_NAME> should be replaced by the subject name returned from the SSO provider. In GitHub it is the same as the login name. For other SSO providers, you may log in with a sample account and check the value
  • <LOGIN_NAME> should be replaced with the name of the account you want to convert from internally authenticated to SSO authenticated
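
The two comments above, as an added example that is not part of the original thread and is not OneDev's code: a model of why SSO logins are resolved by (connector, subject) rather than by login name, with the manual conversion run as a parameterized statement. The in-memory table, the `sso_login` and `convert_to_sso` helpers, and the sample values are constructed; only the table and column names come from the SQL above.

```python
import sqlite3

def make_db():
    # Constructed stand-in for o_User; only the columns named in the thread.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE o_User (o_name TEXT PRIMARY KEY, o_password TEXT,"
               " o_SSO_CONNECTOR TEXT, o_SSO_SUBJECT TEXT)")
    # Constructed built-in user with a placeholder password hash.
    db.execute("INSERT INTO o_User VALUES ('alice', '<constructed-hash>', NULL, NULL)")
    db.commit()
    return db

def convert_to_sso(db, login_name, connector, subject):
    """Admin-initiated conversion: the thread's UPDATE, parameterized."""
    with db:  # commits on success, rolls back if we raise
        cur = db.execute(
            "UPDATE o_User SET o_password='external_managed',"
            " o_SSO_CONNECTOR=?, o_SSO_SUBJECT=? WHERE o_name=?",
            (connector, subject, login_name))
        if cur.rowcount != 1:  # a mistyped login name must not pass silently
            raise LookupError(f"no user named {login_name!r}")

def sso_login(db, connector, subject, claimed_name):
    """Hypothetical login resolver: match on (connector, subject) only."""
    row = db.execute(
        "SELECT o_name FROM o_User WHERE o_SSO_CONNECTOR=? AND o_SSO_SUBJECT=?",
        (connector, subject)).fetchone()
    if row:
        return row[0]
    if db.execute("SELECT 1 FROM o_User WHERE o_name=?",
                  (claimed_name,)).fetchone():
        # Same name but no explicit link: merging here is the takeover
        # described in the thread, so refuse.
        raise PermissionError("account already exists")
    with db:  # first login of an unknown identity creates a new SSO user
        db.execute("INSERT INTO o_User VALUES (?, 'external_managed', ?, ?)",
                   (claimed_name, connector, subject))
    return claimed_name
```

A login from any connector that presents the name `alice` is refused until an administrator has linked that exact connector and subject with `convert_to_sso`.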

Sebastien Collier commented 3 years ago

Hey, you're totally right about the security concern. Thank you very much for providing that info on how to manually convert a user!

Robin Shen changed state to 'Closed' 3 years ago
Previous Value: Open
Current Value: Closed
Type: Improvement
Priority: Normal
Reference: onedev/server#237