From ArchWiki

Migrating to a Single Sign On infrastructure

Currently users have to register separately at every web service we have, which sucks. The idea is to move to a single source of truth for our user management.


Move to Keycloak for identity and user management


Service SAML OpenID-connect Alternative Allowed
Grafana supported Devops
BBS not supported not supported many All
Zabbix bug report Devops
Mediawiki extension extension All
AUR not supported not supported All, with special status
Patchwork django plugin? django openid plugin gitlab Staff
Archweb django plugin? django openid plugin Staff
Mailman bug report All
Kanboard not supported kind of gitlab Staff
Flyspray reverse proxy gitlab Staff
Gitlab supported All
Matrix blog article Staff
Quassel not supported? not supported Staff
Email (dovecot) => unix user pam script?? Staff
SSH/unix users pam script? Staff


  • How to handle existing users from services?
  • How do we provision our own users?

Migration for large user databases

  • AUR requires an email address but has no concept of a verified email. We need users to verify their email on the AUR to have a reliable data point to merge with.
    • => Implement email verification.
  • BBS has required, verified emails.
  • Mailman obviously requires verified emails.
  • Wiki:
    • email verification is required for editing via $wgEmailConfirmToEdit [1]
    • coordinate potential changes to the wiki settings and user notifications with the wiki administrators
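
Added example (not part of the original wiki page, and not code from any of the listed services): a sketch of planning the merge with verified email as the only join key, so that accounts with unverified addresses are held back instead of being linked to someone else's identity. The tuple layout, the sample accounts and the case-insensitive address comparison are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample exports: (service, username, email, email_verified).
# AUR rows are unverified because the AUR has no verified-email concept yet.
ACCOUNTS = [
    ("bbs", "alice", "Alice@example.org", True),
    ("wiki", "Alice", "alice@example.org", True),
    ("aur", "alice", "alice@example.org", False),
    ("aur", "mallory", "bob@example.org", False),  # unverified claim on bob's address
    ("bbs", "bob", "bob@example.org", True),
    ("wiki", "dave", "dave@example.org", True),
    ("wiki", "dave2", "dave@example.org", True),  # two wiki accounts, one mailbox
]


def normalize(email):
    # Assumption: addresses are compared case-insensitively after trimming.
    return email.strip().lower()


def plan_merge(accounts):
    """Return (merged, held_back, conflicts) keyed on verified email only."""
    by_email = defaultdict(lambda: defaultdict(list))
    held_back = []
    for service, username, email, verified in accounts:
        if not verified:
            # An unverified address says nothing about who owns the mailbox;
            # merging on it would link this account to the owner's SSO identity.
            held_back.append((service, username))
            continue
        by_email[normalize(email)][service].append(username)
    merged, conflicts = {}, {}
    for email, services in by_email.items():
        dupes = {s: names for s, names in services.items() if len(names) > 1}
        if dupes:
            conflicts[email] = dupes  # ambiguous: leave for manual review
        else:
            merged[email] = {s: names[0] for s, names in services.items()}
    return merged, held_back, conflicts


if __name__ == "__main__":
    merged, held_back, conflicts = plan_merge(ACCOUNTS)
    for email, accounts in merged.items():
        print("merge", email, accounts)
    print("verify email first:", held_back)
    print("manual review:", conflicts)
```

Held-back accounts can be re-run through the same plan once their owners have confirmed the address on the originating service.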