
Support for SSO authentication with user data sync from LDAP #51576

@pboguslawski

Description


Is your feature request related to a problem? Please describe.

One of the common enterprise application integration scenarios is using SSO with the user login already populated in an HTTP request header (i.e. X-Remote-User) by a reverse proxy, or in an environment variable (like REMOTE_USER in Apache), and then syncing the authenticated user's data from LDAP (binding to LDAP with an internal system account that has read-only permissions in LDAP, not with the user's credentials).

Describe the solution you'd like

(1) Allow authenticating a user via an HTTP request header with a configurable name. When enabled, just treat the user login specified there as already authenticated in ERPNext (auto-create such an account if it does not already exist in ERPNext, with default/minimal permissions, and set up a new session if one is not already present).

(2) Allow the LDAP integration to synchronize the specified user's state and data (binding to LDAP with internal credentials defined in the application configuration, just for reading/searching for users and their data in the configured LDAP base) and:

(2.1) Synchronize the given user's data from LDAP after a new session is created for this user (SSO login).

(2.2) Add a background job (cron-like) to synchronize all ERPNext users' data from LDAP to ERPNext (to create/update/disable user data and keep user state/data in sync with LDAP). An ERPNext configuration parameter with an LDAP filter for "all active ERPNext users" should be used, and when an existing user in the ERPNext DB is not found in LDAP with the given base and the "all active ERPNext users" filter (i.e. the user was disabled in LDAP), then that account should be disabled in ERPNext.

Describe alternatives you've considered

Didn't find such a solution in the forum with https://discuss.frappe.io/search?q=sso

Additional context

A similar solution already exists in other enterprise open source apps like Nextcloud or Znuny.
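The two mechanisms requested above (trusted-header SSO with auto-provisioning, and an LDAP-driven sync that disables accounts missing from the "all active users" search) are sketched below as an added, self-contained example. This is not Frappe/ERPNext code and not the issue author's code; the `User` dataclass, `HEADER_NAME`, `TRUSTED_PROXIES`, the default `Guest` role and the `protected` account list are assumptions made for the example, and the LDAP search result is a constructed sample standing in for what the read-only service bind would return. The security-relevant point it encodes is that a remote-user header must only be honoured when the request actually arrives from the trusted reverse proxy, which in turn must strip any client-supplied copy of that header; otherwise anyone who can reach the application directly can log in as any user.

```python
"""Added example (not Frappe/ERPNext code): trusted-header SSO plus
LDAP-driven user sync.  HEADER_NAME, TRUSTED_PROXIES, the User dataclass,
the default role and the protected-account list are assumptions."""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional

HEADER_NAME = "X-Remote-User"        # assumed configurable header name
TRUSTED_PROXIES = {"10.0.0.5"}       # assumed address of the reverse proxy
LOGIN_RE = re.compile(r"^[a-z0-9._@-]{1,64}$")


@dataclass
class User:
    login: str
    full_name: str = ""
    email: str = ""
    enabled: bool = True
    roles: set = field(default_factory=lambda: {"Guest"})  # assumed minimal role


def wsgi_header_key(name: str) -> str:
    # WSGI exposes "X-Remote-User" as environ["HTTP_X_REMOTE_USER"]
    return "HTTP_" + name.upper().replace("-", "_")


def authenticate_from_header(environ: dict, users: Dict[str, User],
                             trusted=TRUSTED_PROXIES) -> Optional[User]:
    """Return the user named by the SSO header, auto-creating it if needed.

    The header is honoured only when the TCP peer is the trusted proxy; the
    proxy must drop any client-supplied copy of the header before setting its
    own.  Disabled accounts never get a session even if the header names them.
    """
    if environ.get("REMOTE_ADDR") not in trusted:
        return None
    login = environ.get(wsgi_header_key(HEADER_NAME), "").strip().lower()
    if not LOGIN_RE.fullmatch(login):
        return None
    user = users.get(login)
    if user is None:
        user = users[login] = User(login=login)   # minimal default permissions
    return user if user.enabled else None


def sync_from_ldap(users: Dict[str, User], ldap_entries: Iterable[dict],
                   protected=("administrator",)) -> dict:
    """Reconcile local users with the "all active users" LDAP search result
    (obtained with the read-only service bind, never with user credentials).

    Entries found in LDAP are created/updated and enabled; local users absent
    from the result are disabled, except for protected local-only accounts.
    """
    seen = set()
    stats = {"created": 0, "updated": 0, "disabled": 0}
    for entry in ldap_entries:
        login = entry["uid"].lower()
        seen.add(login)
        user = users.get(login)
        if user is None:
            user = users[login] = User(login=login)
            stats["created"] += 1
        else:
            stats["updated"] += 1
        user.full_name = entry.get("cn", user.full_name)
        user.email = entry.get("mail", user.email)
        user.enabled = True
    for login, user in users.items():
        if login not in seen and login not in protected and user.enabled:
            user.enabled = False            # gone from LDAP -> disabled locally
            stats["disabled"] += 1
    return stats


# Constructed sample: what the service bind would return for the configured
# base and the "all active ERPNext users" filter.
SAMPLE_LDAP = [
    {"uid": "alice", "cn": "Alice Example", "mail": "alice@example.com"},
    {"uid": "bob", "cn": "Bob Example", "mail": "bob@example.com"},
]


def demo():
    users = {"administrator": User("administrator"), "carol": User("carol")}
    spoofed = {"REMOTE_ADDR": "203.0.113.9", "HTTP_X_REMOTE_USER": "administrator"}
    assert authenticate_from_header(spoofed, users) is None   # not from proxy
    via_proxy = {"REMOTE_ADDR": "10.0.0.5", "HTTP_X_REMOTE_USER": "alice"}
    alice = authenticate_from_header(via_proxy, users)        # auto-created
    stats = sync_from_ldap(users, SAMPLE_LDAP)                # carol disabled
    return alice, stats, users


if __name__ == "__main__":
    print(demo()[1])
```

In a real deployment the peer check would be replaced by whatever the proxy and application agree on (a mutually authenticated hop, a shared secret header, or a socket only the proxy can reach), and the sync job would use the LDAP filter and base from configuration instead of the constructed `SAMPLE_LDAP`.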
