September GerritMeets - Single Sign On and RefTable backend


Daniele Sassoli

Aug 7, 2025, 1:34:20 PM
to Repo and Gerrit Discussion
As summer starts to fade, it's time to get started again with Gerrit Community events!

Registrations are now open at [1], tag along for some new interesting talks.

Ponch will be covering how to implement SSO in your installation, while I'll go over all the updates to the reftable backend that have happened over the last few months, and why you should switch to it too.

When
30th Sept 2025

Where
2nd floor, SPACES MISSION AND 3RD, San Francisco, 94103

That's right, we've moved away from our usual home and are moving up the bay for a special edition.

Looking forward to seeing as many of you there.

[1] https://www.meetup.com/gerritmeets/events/310014604

Daniele Sassoli

Sep 3, 2025, 12:27:40 PM
to Repo and Gerrit Discussion
Hi All,

Just a reminder that the September GerritMeets is fast approaching.
It'll take place in San Francisco on the 30th of Sept and it'll feature talks
about enabling SSO within your organisation as well as a detailed journey
of how Gerrit scales to such big repositories.

You can register at [1].

Looking forward to seeing as many as possible of you there.


[1] https://www.meetup.com/gerritmeets/events/310014604/?eventOrigin=group_upcoming_events

Alon Bar-Lev

Sep 3, 2025, 6:03:49 PM
to Daniele Sassoli, Repo and Gerrit Discussion, Fabio Ponciroli
Hi,

This is an important subject. I won't be able to participate, but I would like to share a bit of my experience.

Scale up SSO is not really supported for enterprise as the synchronization is not available.
1. CRITICAL: when a user is disabled in the IDP it should be disabled immediately in Gerrit, all user activity should be rejected (including the git channel).
2. REQUIRED: group synchronization between IDP and Gerrit.

In the past I could implement (2) using LDAP integration and also hack (1) by returning no groups; however, IDPs no longer provide an LDAP interface.
Synchronization of data during login is too late and not truly supported by any protocol, and mainly does not handle the user disable requirement that is required to be applied immediately.

SAML plugin is good for the SSO authentication phase, it should be compatible with most implementations out there.
The missing bit is a SCIM[1] implementation to allow creation and sync of users and groups.

Regards,
Alon
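
The immediate-disable requirement in the reply above, sketched as an added example that is not part of the thread or of any Gerrit plugin: a parser for the SCIM 2.0 PatchOp an IdP pushes on deprovisioning, mapped to Gerrit's REST account-state endpoints. The SCIM-to-Gerrit account id mapping and the function names are assumptions.

```python
import json

PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

def _as_bool(value):
    """Accept JSON booleans and the string forms some IdPs send ("False")."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str) and value.lower() in ("true", "false"):
        return value.lower() == "true"
    raise ValueError(f"unsupported 'active' value: {value!r}")

def active_change(patch_body):
    """Return the final 'active' state a SCIM PatchOp sets, or None if untouched."""
    doc = json.loads(patch_body)
    if PATCH_OP not in doc.get("schemas", []):
        raise ValueError("not a SCIM PatchOp message")
    state = None
    for op in doc.get("Operations", []):
        # Operation names are matched case-insensitively ("Replace" is seen in practice).
        if str(op.get("op", "")).lower() not in ("add", "replace"):
            continue
        path, value = op.get("path"), op.get("value")
        if path is None and isinstance(value, dict):
            # Path-less form: the value is an object of attributes to set.
            if "active" in value:
                state = _as_bool(value["active"])
        elif isinstance(path, str) and path.lower() == "active":
            state = _as_bool(value)
    return state

def gerrit_call(account_id, patch_body):
    """Map the change to a (method, path) pair for Gerrit's REST API."""
    state = active_change(patch_body)
    if state is None:
        return None  # PATCH did not touch the account state
    # DELETE .../active sets the account inactive, PUT sets it active again.
    method = "PUT" if state else "DELETE"
    return (method, f"/a/accounts/{account_id}/active")

# Constructed sample: deprovisioning PATCH for hypothetical account 1000096.
SAMPLE = json.dumps({"schemas": [PATCH_OP], "Operations": [
    {"op": "Replace", "path": "active", "value": "False"}]})

if __name__ == "__main__":
    print(gerrit_call(1000096, SAMPLE))
```
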


