
Redmine SAML Plugin for Self-Hosted Teams: What to Check Before You Buy

RedmineShop

Why SAML and OIDC matter for Redmine

Many Redmine installations start with local passwords because doing so is simple. That works for a small internal instance, but it becomes painful once a team needs centralized access control, offboarding, compliance review, or company-wide MFA. A Redmine SAML plugin or OIDC plugin should reduce that operational risk without forcing you to move Redmine to a hosted SaaS product.

1. Confirm your Redmine and Ruby versions first

Before choosing a plugin, record your exact Redmine, Ruby, Rails, database, and operating system versions. Most authentication bugs are compatibility bugs: the plugin loads in one Redmine release, then fails after an upgrade because Rails middleware or session handling changed. A serious commercial plugin should publish a compatibility matrix and explain which Redmine releases are tested.

2. Decide whether you need SAML, OIDC, or both

SAML 2.0 is common in enterprise identity providers and older corporate environments. OIDC is common for Google Workspace, Microsoft Entra ID, Keycloak, Authentik, and modern identity stacks. If your company may change identity providers later, buying a plugin suite that supports both standards is safer than hard-coding one provider.

3. Check group and role mapping

Single sign-on is only half the work. Redmine still needs project memberships, roles, and admin permissions. Look for group mapping from the identity provider into Redmine groups or roles. At minimum, the plugin should make it clear what happens when a user is removed from an IdP group.

4. Understand provisioning behavior

Just-in-time user provisioning can save admin time, but it should be explicit. Confirm whether new users are created automatically, whether email domains are restricted, and whether default groups are assigned. For sensitive installations, automatic provisioning without domain or group controls can be a security problem.
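
The checks in sections 3 and 4, written out as a login-time policy. This is an added example in plain Ruby, not code from Redmine or from any plugin; the policy keys, the `evaluate_login` function, and the domain and group names are hypothetical sample values. It shows the three behaviors to ask a vendor about: domain restriction, a required IdP group, and what is revoked when an IdP group disappears.

```ruby
require 'set'

# Hypothetical policy; the domain and group names are constructed sample values.
POLICY = {
  allowed_domains: Set['example.com'],
  required_group: 'redmine-users',            # IdP group needed to sign in at all
  group_map: { 'redmine-users' => 'Staff',    # IdP group => Redmine group
               'redmine-admins' => 'Project Admins' }
}.freeze

Decision = Struct.new(:allow, :reason, :add, :remove)

# claims: attributes asserted by the IdP after a SAML/OIDC login.
# current_groups: Redmine groups the user holds now (empty for a new user).
def evaluate_login(claims, current_groups, policy = POLICY)
  managed = policy[:group_map].values.to_set
  held = current_groups.to_set & managed      # never touch locally assigned groups

  # Exactly one "@", so "a@example.com@other.test" cannot pass the domain check.
  email = claims[:email].to_s.strip.downcase
  local, domain = email.split('@', 2)
  unless email.count('@') == 1 && !local.empty? &&
         policy[:allowed_domains].include?(domain)
    return Decision.new(false, :domain_not_allowed, [], held.to_a.sort)
  end

  # No account is created or kept active without the required IdP group.
  idp_groups = Array(claims[:groups]).map(&:to_s)
  unless idp_groups.include?(policy[:required_group])
    return Decision.new(false, :missing_required_group, [], held.to_a.sort)
  end

  # Reconcile: add newly mapped groups, revoke mapped groups the IdP dropped.
  wanted = idp_groups.map { |g| policy[:group_map][g] }.compact.to_set
  Decision.new(true, :ok, (wanted - held).to_a.sort, (held - wanted).to_a.sort)
end
```

A check like this only runs when the user signs in, so removal from an IdP group takes effect at the next login unless a separate sync job exists.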

5. Plan rollback before enabling SSO

Never enable SSO on a production Redmine instance without a rollback path. Keep a local administrator account, test login in a private browser session, and document how to disable SSO if the identity provider configuration is wrong.

RedmineShop status

RedmineShop is building the SSO & Access Suite for self-hosted Redmine teams. The first release is planned around SAML/OIDC, group mapping, and clear compatibility documentation. Join the waitlist if you want early access and launch pricing.