SSO Login via mellon #14538

New Issue

Closed

opened 2025-11-02 11:15:37 -06:00 by GiteaMirror · 2 comments

GiteaMirror commented 2025-11-02 11:15:37 -06:00

Owner

Copy Link

Originally created by @UNICodehORN on GitHub (Jun 2, 2025).

Description

Hey,

I try to get SSO authentication in gitea working, but I am failing.
From my app.ini:

ENABLE_REVERSE_PROXY_AUTHENTICATION = true
ENABLE_REVERSE_PROXY_AUTO_REGISTRATION = true
ENABLE_REVERSE_PROXY_AUTHENTICATION_API = true
REVERSE_PROXY_AUTHENTICATION_USER = X-Remote-User
ENABLE_REVERSE_PROXY_EMAIL = false
ENABLE_REVERSE_PROXY_FULL_NAME = false

From my apache:

<Location />
        AuthType` "Mellon"
        MellonEnable "auth"
        Require valid-user
    MellonSPPrivateKeyFile /etc/apache2/mellon/xxx/mellon.key
    MellonSPCertFile /etc/apache2/mellon/xxx/mellon.cert
    MellonSPMetadataFile /etc/apache2/mellon/xxx/sp-metadata.xml
    MellonIdpMetadataFile /etc/apache2/mellon/xxx/idp-metadata.xml
    MellonEndpointPath "/mellon/"
    MellonUser "username"

    # Übergebe die Umgebungsvariable als HTTP Header an Gitea
    RequestHeader set X-Remote-User %{MELLON_username}e
    </Location>

<Location /mellon>
    AuthType Mellon
    MellonEnable "info"
    Require all granted
    MellonSPPrivateKeyFile /etc/apache2/mellon/xxx/mellon.key
    MellonSPCertFile /etc/apache2/mellon/xxx/mellon.cert
    MellonSPMetadataFile /etc/apache2/mellon/xxx/sp-metadata.xml
    MellonIdpMetadataFile /etc/apache2/mellon/xxx/idp-metadata.xml
</Location>

    ProxyPass / http://localhost:3000/
    ProxyPassReverse / http://localhost:3000/

What happens:

1. Open gitea webui
2. Saml SSO Login is shown
3. Login is performed via SSO
4. SAML Logs show authentication was successful
5. Gitea page is presented but no user is logged in

What part am I missing?

Gitea Version

1.23.8

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

No response

Screenshots

No response

Git Version

No response

Operating System

Ubuntu

How are you running Gitea?

apt package self-hosted as systemd service

Database

MySQL/MariaDB

Originally created by @UNICodehORN on GitHub (Jun 2, 2025). Description Hey, I try to get SSO authentication in gitea working, but I am failing. From my app.ini: ``` ENABLE_REVERSE_PROXY_AUTHENTICATION = true ENABLE_REVERSE_PROXY_AUTO_REGISTRATION = true ENABLE_REVERSE_PROXY_AUTHENTICATION_API = true REVERSE_PROXY_AUTHENTICATION_USER = X-Remote-User ENABLE_REVERSE_PROXY_EMAIL = false ENABLE_REVERSE_PROXY_FULL_NAME = false ``` From my apache: ``` <Location /> AuthType` "Mellon" MellonEnable "auth" Require valid-user MellonSPPrivateKeyFile /etc/apache2/mellon/xxx/mellon.key MellonSPCertFile /etc/apache2/mellon/xxx/mellon.cert MellonSPMetadataFile /etc/apache2/mellon/xxx/sp-metadata.xml MellonIdpMetadataFile /etc/apache2/mellon/xxx/idp-metadata.xml MellonEndpointPath "/mellon/" MellonUser "username" # Übergebe die Umgebungsvariable als HTTP Header an Gitea RequestHeader set X-Remote-User %{MELLON_username}e </Location> <Location /mellon> AuthType Mellon MellonEnable "info" Require all granted MellonSPPrivateKeyFile /etc/apache2/mellon/xxx/mellon.key MellonSPCertFile /etc/apache2/mellon/xxx/mellon.cert MellonSPMetadataFile /etc/apache2/mellon/xxx/sp-metadata.xml MellonIdpMetadataFile /etc/apache2/mellon/xxx/idp-metadata.xml </Location> ProxyPass / http://localhost:3000/ ProxyPassReverse / http://localhost:3000/ ``` What happens: 1. Open gitea webui 2. Saml SSO Login is shown 3. Login is performed via SSO 4. SAML Logs show authentication was successful 5. Gitea page is presented but no user is logged in What part am I missing? ### Gitea Version 1.23.8 ### Can you reproduce the bug on the Gitea demo site? No ### Log Gist _No response_ ### Screenshots _No response_ ### Git Version _No response_ ### Operating System Ubuntu ### How are you running Gitea? apt package self-hosted as systemd service ### Database MySQL/MariaDB

GiteaMirror added the topic/authenticationtype/bug labels 2025-11-02 11:15:37 -06:00

GiteaMirror closed this issue 2025-11-02 11:15:37 -06:00

GiteaMirror commented 2025-11-02 11:15:38 -06:00

Author

Owner

Copy Link

@charles7668 commented on GitHub (Jun 6, 2025):

Your REVERSE_PROXY_AUTHENTICATION_USER = X-Remote-User setting should be placed under the [security] section in app.ini.

@charles7668 commented on GitHub (Jun 6, 2025): Your `REVERSE_PROXY_AUTHENTICATION_USER = X-Remote-User` setting should be placed under the `[security]` section in `app.ini`.

GiteaMirror commented 2025-11-02 11:15:39 -06:00

Author

Owner

Copy Link

@UNICodehORN commented on GitHub (Jun 6, 2025):

Perfect that was it. Thanks!

[service]
ENABLE_REVERSE_PROXY_AUTHENTICATION = true
ENABLE_REVERSE_PROXY_AUTO_REGISTRATION = true
ENABLE_REVERSE_PROXY_AUTHENTICATION_API = true
ENABLE_REVERSE_PROXY_EMAIL = false
ENABLE_REVERSE_PROXY_FULL_NAME = false

[security]
REVERSE_PROXY_AUTHENTICATION_USER = X-Remote-User

@UNICodehORN commented on GitHub (Jun 6, 2025): Perfect that was it. Thanks! ``` [service] ENABLE_REVERSE_PROXY_AUTHENTICATION = true ENABLE_REVERSE_PROXY_AUTO_REGISTRATION = true ENABLE_REVERSE_PROXY_AUTHENTICATION_API = true ENABLE_REVERSE_PROXY_EMAIL = false ENABLE_REVERSE_PROXY_FULL_NAME = false [security] REVERSE_PROXY_AUTHENTICATION_USER = X-Remote-User ```

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

release/v1.25

release/v1.24

release/v1.23

release/v1.22

release/v1.21

release/v1.20

release/v1.19

release/v1.18

release/v1.17

release/v1.16

release/v1.15

release/v1.14

release/v1.13

release/v1.12

release/v1.11

release/v1.10

release/v1.9

release/v1.8

v1.25.3

v1.25.2

v1.25.1

v1.25.0

v1.24.7

v1.25.0-rc0

v1.26.0-dev

v1.24.6

v1.24.5

v1.24.4

v1.24.3

v1.24.2

v1.24.1

v1.24.0

v1.23.8

v1.24.0-rc0

v1.25.0-dev

v1.23.7

v1.23.6

v1.23.5

v1.23.4

v1.23.3

v1.23.2

v1.23.1

v1.23.0

v1.23.0-rc0

v1.24.0-dev

v1.22.6

v1.22.5

v1.22.4

v1.22.3

v1.22.2

v1.22.1

v1.22.0

v1.23.0-dev

v1.22.0-rc1

v1.21.11

v1.22.0-rc0

v1.21.10

v1.21.9

v1.21.8

v1.21.7

v1.21.6

v1.21.5

v1.21.4

v1.21.3

v1.21.2

v1.20.6

v1.21.1

v1.21.0

v1.21.0-rc2

v1.21.0-rc1

v1.20.5

v1.22.0-dev

v1.21.0-rc0

v1.20.4

v1.20.3

v1.20.2

v1.20.1

v1.20.0

v1.19.4

v1.21.0-dev

v1.20.0-rc2

v1.20.0-rc1

v1.20.0-rc0

v1.19.3

v1.19.2

v1.19.1

v1.19.0

v1.19.0-rc1

v1.20.0-dev

v1.19.0-rc0

v1.18.5

v1.18.4

v1.18.3

v1.18.2

v1.18.1

v1.18.0

v1.17.4

v1.18.0-rc1

v1.19.0-dev

v1.18.0-rc0

v1.17.3

v1.17.2

v1.17.1

v1.17.0

v1.17.0-rc2

v1.16.9

v1.17.0-rc1

v1.18.0-dev

v1.16.8

v1.16.7

v1.16.6

v1.16.5

v1.16.4

v1.16.3

v1.16.2

v1.16.1

v1.16.0

v1.15.11

v1.17.0-dev

v1.16.0-rc1

v1.15.10

v1.15.9

v1.15.8

v1.15.7

v1.15.6

v1.15.5

v1.15.4

v1.15.3

v1.15.2

v1.15.1

v1.14.7

v1.15.0

v1.15.0-rc3

v1.14.6

v1.15.0-rc2

v1.14.5

v1.16.0-dev

v1.15.0-rc1

v1.14.4

v1.14.3

v1.14.2

v1.14.1

v1.14.0

v1.13.7

v1.14.0-rc2

v1.13.6

v1.13.5

v1.14.0-rc1

v1.15.0-dev

v1.13.4

v1.13.3

v1.13.2

v1.13.1

v1.13.0

v1.12.6

v1.13.0-rc2

v1.14.0-dev

v1.13.0-rc1

v1.12.5

v1.12.4

v1.12.3

v1.12.2

v1.12.1

v1.11.8

v1.12.0

v1.11.7

v1.12.0-rc2

v1.11.6

v1.12.0-rc1

v1.13.0-dev

v1.11.5

v1.11.4

v1.11.3

v1.10.6

v1.12.0-dev

v1.11.2

v1.10.5

v1.11.1

v1.10.4

v1.11.0

v1.11.0-rc2

v1.10.3

v1.11.0-rc1

v1.10.2

v1.10.1

v1.10.0

v1.9.6

v1.9.5

v1.10.0-rc2

v1.11.0-dev

v1.10.0-rc1

v1.9.4

v1.9.3

v1.9.2

v1.9.1

v1.9.0

v1.9.0-rc2

v1.10.0-dev

v1.9.0-rc1

v1.8.3

v1.8.2

v1.8.1

v1.8.0

v1.8.0-rc3

v1.7.6

v1.8.0-rc2

v1.7.5

v1.8.0-rc1

v1.9.0-dev

v1.7.4

v1.7.3

v1.7.2

v1.7.1

v1.7.0

v1.7.0-rc3

v1.6.4

v1.7.0-rc2

v1.6.3

v1.7.0-rc1

v1.7.0-dev

v1.6.2

v1.6.1

v1.6.0

v1.6.0-rc2

v1.5.3

v1.6.0-rc1

v1.6.0-dev

v1.5.2

v1.5.1

v1.5.0

v1.5.0-rc2

v1.5.0-rc1

v1.5.0-dev

v1.4.3

v1.4.2

v1.4.1

v1.4.0

v1.4.0-rc3

v1.4.0-rc2

v1.3.3

v1.4.0-rc1

v1.3.2

v1.3.1

v1.3.0

v1.3.0-rc2

v1.3.0-rc1

v1.2.3

v1.2.2

v1.2.1

v1.2.0

v1.2.0-rc3

v1.2.0-rc2

v1.1.4

v1.2.0-rc1

v1.1.3

v1.1.2

v1.1.1

v1.1.0

v1.0.2

v1.0.1

v1.0.0

v0.9.99

Labels

Clear labels

$20

$250

$50

$500

backport/done

💎 Bounty

docs-update-needed

good first issue

hacktoberfest

issue/bounty

issue/confirmed

issue/critical

issue/duplicate

issue/needs-feedback

issue/not-a-bug

issue/regression

issue/stale

issue/workaround

lgtm/need 2

modifies/api

modifies/translation

outdated/backport/v1.18

outdated/theme/markdown

outdated/theme/timetracker

performance/bigrepo

performance/cpu

performance/memory

performance/speed

pr/breaking

proposal/accepted

proposal/rejected

pr/wip

pull-request

Mirrored from GitHub Pull Request

reviewed/wontfix

💰 Rewarded

skip-changelog

status/blocked

topic/accessibility

topic/api

topic/authentication

topic/build

topic/code-linting

topic/commit-signing

topic/content-rendering

topic/deployment

topic/distribution

topic/federation

topic/gitea-actions

topic/issues

topic/lfs

topic/mobile

topic/moderation

topic/packages

topic/pr

topic/projects

topic/repo

topic/repo-migration

topic/security

topic/theme

topic/ui

topic/ui-interaction

topic/ux

topic/webhooks

topic/wiki

type/bug

type/deprecation

type/docs

type/enhancement

type/feature

type/miscellaneous

type/proposal

type/question

type/refactoring

type/summary

type/testing

type/upstream

No Label topic/authentication type/bug

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

GiteaMirror ninjasurge

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/gitea#14538