Redmine

Daniil Demekhin wrote:

Hello

I use Redmine 5.0.5.stable

I need to implement single sign-in authorization. LDAP authentication is already configured and working, but would like users to be able to avoid entering login and password. Redmine runs on apache24 (Ubuntu server)

To implement single sign-on for Redmine 5.0.5 with existing LDAP authentication on Apache 2.4, the most effective method is leveraging Apache's mod_auth_gssapi module for Kerberos/SPNEGO authentication. This allows users, especially those in a Windows domain, to automatically log into Redmine without re-entering credentials. You'll need to configure Kerberos on your Ubuntu server, create a service principal name (SPN) and keytab file on your KDC (e.g., Active Directory), and then set up mod_auth_gssapi in your Apache virtual host to extract the authenticated username. Finally, install a Redmine plugin like redmine_http_auth to read this username from an HTTP header (e.g., X-Remote-User) and integrate it with your existing Redmine LDAP authentication source, ensuring seamless user provisioning and access based on their LDAP details.

Hi Daniil Evdokimov,

To enable Single Sign-On (SSO), you will need to set up an Identity Provider (IdP), such as Authelia or Keycloak, which will be connected to your LDAP. Redmine will then delegate authentication to this IdP through an appropriate SSO protocol.

For Redmine, this is typically achieved by installing and configuring a plugin that supports OpenID Connect or SAML. For example, if you choose to use Keycloak with SAML, you may refer to the following step-by-step guide:
https://www.nicksopenworld.com/configure-redmine-sso-with-keycloak-using-saml/

Once configured, Redmine will no longer manage passwords directly, and authentication will be handled entirely by your Identity Provider.