Feature Preview: Mapping OIDC Groups to Teams
Mon Mar 20, 2023 by 13tm3nt3r
The upcoming release of Gitea 1.19 adds the ability to map OIDC groups to organization teams. Gitea is often used in combination with the Azure Active Directory for authentication. Now, with OIDC group mapping you can map a user’s Active Directory groups to Gitea organization teams. This allows for a more centralized user access management for repositories and organizations.
To use this feature, you’ll need to create an Azure Active Directory app, configure Gitea to use that app, and then map Azure Active Directory groups to Gitea teams. This post will walk you through the steps to get this working.
Below I’ll explain all the required steps to achieve the mapping of Azure user groups to different teams in Gitea, without having on-premise AD.
Create an application in App Registrations. You don’t need the
Redirect URI at this point.
As you can see, there is one Enterprise Application that has been created linked to this App Registration.
In the registered app, in the Authentication section, enable public client flows:
In the registered app, in the Certificates & secrets section, create a new secret and SAVE the Secret ID given, as this will disappear when you close this section.
In the registered app, in the Token configuration section, click on Add groups claim and select the option that will assign only groups that are assigned to the application (this step will be completed in the step 7).
In the registered app, in the API permissions section, add a delegated permission called
Group.Read.All. You will have to grant admin consent.
In the Enterprise Application created, in Properties, change the Assignment requirement? option to YES. This will allow every user to sign in or register without admin permission.
In the Enterprise Application created, in Users and groups section, add the group/groups that you want to map to teams in Gitea. In our case, the group is called
In the site configuration, under Authentication Sources section, create a new OAuth2 authentication source.
Give it an Authentication Name and use OpenID Connect as the OAuth2 Provider.
Application (client) ID of the registered app from Azure and put it in the Client ID (Key) option.
Use the secret that you created previously and put it in the Client Secret option.
OpenID Connect Auto Discovery URL option, go to Azure and in the registered app Overview, click on
Endpoints and copy the OpenID Connect metadata document.
Additional Scopes you can add
openid email profile.
Claim name providing group names for this source., type
And finally, in
Map claimed groups to Organization teams., write the Object ID of the group that you want to map from Azure (in our case, the Object ID of the Azure group
ce-operations), the name of the organization where you want users to be added automatically (in our case
creamteam), and the team of the organization (in our case
Developers). Note: the organization and team need to be already created.
Update the Authentication Source and test it with OpenID login option. Your user should now be a member of the organization and team.
Finally, a big thank you to KN4CK3R for his work on the PR that made this possible.
Hope this helps anyone that wants to use SSO with Azure and add automatically their users to an organization team 😃. If you do use this, and find any issues, please feel free to open up an issue on the Gitea issue tracker.