September GerritMeets - Single Sign On and RefTable backend

[Daniele Sassoli]

As Summer starts to fade is time to get started again with Gerrit Community events!

Registrations are now open at [1], tag along for some new interesting talks.

Ponch will be covering how to implement SSO in your installation.
While I'll go over all the updates to the reftable backend that have happened over the last few months, and why you should switch to it too.

When
30th Sept 2025

Where
2nd floor, SPACES MISSION AND 3RD, San Francisco, 94103

That's right, we've moved away from our usual home and moving up the bay for a special edition.

Looking forward to seeing as many of you there.

[1] https://www.meetup.com/gerritmeets/events/310014604

[Daniele Sassoli]

Hi All,

Just a reminder that the September GerritMeets is fast approaching.
It'll take place in San Francisco on the 30th of Sept and it'll feature talks
about enabling SSO within your oganisation as well as a detail journey
of how Gerrit scales to such big repositories.

You can register at [1].

Looking forward to seeing as many as possible of you there.


[1] https://www.meetup.com/gerritmeets/events/310014604/?eventOrigin=group_upcoming_events

[Alon Bar-Lev]

Hi,

This is an important subject, I won't be able to participate, I would like to share a bit of my experience.

Scale up SSO is not really supported for enterprise as the synchronization is not available.

1. CRITICAL: when a user is disabled in the IDP it should be disabled immediately in Gerrit, all user activity should be rejected (including the git channel).

2. REQUIRED: group synchronization between IDP and Gerrit.

In the past I could implement (2) using LDAP integration and also hack (1) by returning no groups, however, IDPs no longer provide LDAP interface.

Synchronization of data during login is too late and not truly supported by any protocol, and mainly does not handle the user disable requirement that is required to be applied immediately.

SAML plugin is good for the SSO authentication phase, it should be compatible with most implementations out there.

The missing bit is SCIM[1] implementation to allow creation and sync users and groups.

Regards,

Alon

[1] https://securityboulevard.com/2025/06/scim-vs-saml-understanding-the-difference-between-provisioning-and-authentication/

--
--
To unsubscribe, email repo-discuss...@googlegroups.com
More info at http://groups.google.com/group/repo-discuss?hl=en

---
You received this message because you are subscribed to the Google Groups "Repo and Gerrit Discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to repo-discuss...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/repo-discuss/57c139d3-e064-4cec-a060-881c54a1c067n%40googlegroups.com.

[Daniele Sassoli]

Hi All,

End of September is fast approaching and with it our first GerritMeets after the
summer months. Join in San Francisco on the 30th of Sept for talks about

enabling SSO within your oganisation as well as a detail journey of how Gerrit
scales to such big repositories.

You can register at [1].

Looking forward to seeing as many as possible of you there.

[1] https://www.meetup.com/gerritmeets/events/310014604

On Wednesday, 3 September 2025 at 23:03:49 UTC+1 alon....@gmail.com wrote:

Hi,

This is an important subject, I won't be able to participate, I would like to share a bit of my experience.

Scale up SSO is not really supported for enterprise as the synchronization is not available.

1. CRITICAL: when a user is disabled in the IDP it should be disabled immediately in Gerrit, all user activity should be rejected (including the git channel).

2. REQUIRED: group synchronization between IDP and Gerrit.

 

Hi Alon, feel free to create issues at [2] for the above points. Contributions are also welcome.

[2] https://issues.gerritcodereview.com/issues