Christophe Bliard 4352424e7d Update LDAP group sync docs and UI to reflect forward lookup support
- Remove the memberOf-only restriction from docs, UI help text, and FAQ;
  both reverse lookup (memberOf) and forward lookup (Group member
  attribute) are now supported
- Document the new "Group member attribute" filter field, including when
  to use forward vs reverse lookup
- Clarify that forward lookup is only available via synchronized filters,
  not manually-created synchronized groups
- Rename "Synchronize" button to "Discover LDAP groups" to make clear it
  only runs group discovery (phase 1), not member synchronization
- Document that the Discover LDAP groups button does not sync members;
  point to the rake task for a full manual sync
- Expand troubleshooting: login attribute mismatch, missing/empty
  required attributes
- Replace packaged-installation-specific rake command with
  installation-agnostic form; link to console setup docs
- Clarify Enterprise cloud availability and recommend SAML/SCIM as
  more secure alternatives when LDAP exposure to the internet is
  undesirable
- Fix grammar, double spaces, and stale phrasing throughout
2026-05-22 12:53:31 +02:00


---
sidebar_navigation:
  title: Authentication FAQ
  priority: 001
description: Frequently asked questions regarding authentication
keywords: authentication FAQ, LDAP, SAML, SSO
---

# Frequently asked questions (FAQ) for authentication

Additional information regarding the use of LDAP from a user management perspective can be found in this FAQ section.

## How do I set up OAuth / Google authentication in the Enterprise cloud?

Authentication via Google is already activated in the Enterprise cloud. Users who are invited to OpenProject should be able to choose authentication via Google: there is a Google button below the normal user name / password fields when you try to log in.

## How can I disable the Google authentication?

Disabling the Google-based authentication currently requires you to reach out to support[at]openproject.com. We will disable the Google login option for you.

For on-premises installations the functionality can be deactivated the same way it was activated.

## Can we ensure that passwords are secure / have a high strength?

Password parameters for OpenProject can be configured on each OpenProject environment. Typically, passwords require 10+ characters as well as special characters. Please find the respective instructions here.

## How can a user change their authentication method?

Users who want to change their authentication method can simply be re-invited. Go to Administration -> Users and click on the respective user. At the top there is a Send invitation button. This allows the user to change their authentication method from password to Google and vice versa: they just have to click the link they receive via email and can then choose to log in with the new method.

If invitation messages do not arrive, the cause is probably the configuration of the email server. As a workaround, you can first manually set a password for the users and send it to them through protected channels, so that the users can log in in any case. In addition, we ask you to check whether there are general difficulties with sending emails. There is an option to send a test email. If the test email arrives, email dispatch from OpenProject works. Otherwise, you would have to look in the server logs for an error that is reported when a user is re-invited.

## Is it possible to only allow authentication via SSO (not via user name / password)?

Yes, for Enterprise on-premises and Community edition there is a configuration option to disable the password login.

## Which authentication providers are supported for single sign-on?

We support all authentication providers that implement the SAML or OpenID Connect (OIDC) standards, such as Microsoft Entra ID, ADFS, CAS (with the OpenID Connect overlay), Azure, Keycloak and Okta.

> **Note**: Single sign-on is an Enterprise add-on and can only be activated for Enterprise cloud and Enterprise on-premises.

## Is it possible to use a custom SSO provider (e.g. Keycloak) with the Enterprise cloud edition?

Yes. Keycloak, Okta, or other OpenID Connect providers can be configured through the user interface (UI) for custom SSO providers. For context, connecting custom SSO providers is also described here.

## I want to connect AD and LDAP to OpenProject. Which attribute for authentication sources does OpenProject use?

You can freely define the attributes that are taken from LDAP sources in the LDAP auth source configuration screen. For group synchronization, OpenProject defaults to reverse lookup via the memberOf attribute on user entries (Active Directory, or OpenLDAP with the memberof overlay). If your LDAP server does not maintain memberOf on user entries, you can configure forward lookup by setting the Group member attribute on a synchronized filter (e.g. uniqueMember for groupOfUniqueNames, or member for groupOfNames). See LDAP group synchronization for details.
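The following script is an added example (not OpenProject's own synchronization code) that shows the difference between the two lookup directions on a small, constructed in-memory directory. It resolves group members once by reverse lookup (reading memberOf on the user entries) and once by forward lookup (reading the configured group member attribute on the group entry), and it reproduces the two symptoms a practitioner typically runs into: a user whose entry lacks memberOf silently disappears from the reverse lookup, and a wrong Group member attribute yields a group with no members at all. The DNs, attribute values and the `sync_groups` helper are assumptions made for this example; a real deployment obtains the entries from an LDAP search instead of the `DIRECTORY` dictionary.

```python
"""Resolve LDAP group membership by reverse lookup (memberOf on the user entry)
or forward lookup (member / uniqueMember on the group entry).

Added example, not OpenProject code. The directory below is constructed in
memory so the script runs offline; attribute values are lists, as returned
by an LDAP search.
"""

# Constructed sample directory: DN -> attributes.
# Only alice's entry carries memberOf (as on AD or OpenLDAP with the memberof
# overlay); bob's server does not maintain it.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=org": {
        "uid": ["alice"],
        "memberOf": ["cn=devs,ou=groups,dc=example,dc=org"],
    },
    "uid=bob,ou=people,dc=example,dc=org": {
        "uid": ["bob"],
        # no memberOf attribute at all
    },
    "cn=devs,ou=groups,dc=example,dc=org": {
        "cn": ["devs"],
        "objectClass": ["groupOfUniqueNames"],
        "uniqueMember": [
            "uid=alice,ou=people,dc=example,dc=org",
            "UID=bob,OU=people,DC=example,DC=org",  # different DN casing, same entry
        ],
    },
    "cn=ops,ou=groups,dc=example,dc=org": {
        "cn": ["ops"],
        "objectClass": ["groupOfNames"],
        "member": ["uid=bob,ou=people,dc=example,dc=org"],
    },
}


def norm_dn(dn: str) -> str:
    """Normalize a DN for comparison: DNs are case-insensitive and may carry
    whitespace around the comma separators."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def groups_matching(directory: dict, object_class: str) -> list:
    """Phase 1 (group discovery): DNs whose objectClass matches the synchronized
    filter. Stand-in for an LDAP search such as (objectClass=groupOfUniqueNames)."""
    wanted = object_class.lower()
    return [dn for dn, attrs in directory.items()
            if wanted in [oc.lower() for oc in attrs.get("objectClass", [])]]


def reverse_members(directory: dict, group_dn: str) -> set:
    """Reverse lookup: login names of users whose memberOf lists the group.
    A user entry without memberOf contributes nothing, which is exactly the
    'missing attribute' symptom from the troubleshooting section."""
    target = norm_dn(group_dn)
    return {attrs["uid"][0] for attrs in directory.values()
            if "uid" in attrs
            and target in {norm_dn(g) for g in attrs.get("memberOf", [])}}


def forward_members(directory: dict, group_dn: str, member_attr: str) -> set:
    """Forward lookup: member DNs stored on the group entry, resolved to login
    names. Dangling DNs and non-user entries are skipped."""
    by_dn = {norm_dn(dn): attrs for dn, attrs in directory.items()}
    uids = set()
    for member_dn in directory[group_dn].get(member_attr, []):
        entry = by_dn.get(norm_dn(member_dn))
        if entry is not None and "uid" in entry:
            uids.add(entry["uid"][0])
    return uids


def sync_groups(directory: dict, object_class: str, member_attr: str = None) -> dict:
    """Discover groups by filter, then resolve members: reverse lookup by
    default, forward lookup when a Group member attribute is configured.
    Returns {group name: set of login names}."""
    result = {}
    for group_dn in groups_matching(directory, object_class):
        name = directory[group_dn]["cn"][0]
        if member_attr is None:
            result[name] = reverse_members(directory, group_dn)
        else:
            result[name] = forward_members(directory, group_dn, member_attr)
    return result


if __name__ == "__main__":
    print("reverse (memberOf):      ", sync_groups(DIRECTORY, "groupOfUniqueNames"))
    print("forward (uniqueMember):  ", sync_groups(DIRECTORY, "groupOfUniqueNames", "uniqueMember"))
    print("forward (member):        ", sync_groups(DIRECTORY, "groupOfNames", "member"))
    print("wrong member attribute:  ", sync_groups(DIRECTORY, "groupOfUniqueNames", "member"))
```

Reading the output side by side makes the configuration decision concrete: the reverse lookup only finds alice, because bob's entry has no memberOf, while the forward lookup with the attribute that matches the group's object class finds both. Configuring the wrong attribute (member on a groupOfUniqueNames) produces a discovered but empty group, which is the case to check first when a synchronized group unexpectedly has no members.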

## Is there an option to mass-create users in OpenProject via the LDAP?

There is no such option at the moment. However, you can activate on-the-fly user creation for LDAP authentication. This means an OpenProject user account is created automatically the first time a user logs in to OpenProject via LDAP.

## I would like to assign work packages to users from different authentication sources (AD and OpenLDAP). Is this possible without the admin creating groups manually?

OpenProject supports creating groups and staffing them with users based on information found in an LDAP (or AD). This is called LDAP group synchronization. The groups are matched by name, so in theory a single group could be staffed with the information found in multiple LDAPs. This scenario has not been tested yet, so we cannot promise that it will work. There is currently no other option.

Assigning work packages to multiple assignees is expected to be implemented in 2021. Once it is implemented, the source the user is defined in is no longer relevant.