
User Authentication

To configure platform authentication you have several choices.

Configure Local Users

In the platform configuration file, or from environment variables, configure the users who are authorized to connect.

Configuration example:

auth:
  local-users:
    - email: admin@demo.dev
      password: adminpwd
    - email: user@demo.dev
      password: userpwd

The same configuration from environment variables:

CDK_AUTH_LOCAL-USERS_0_EMAIL="admin@demo.dev"
CDK_AUTH_LOCAL-USERS_0_PASSWORD="adminpwd"
CDK_AUTH_LOCAL-USERS_1_EMAIL="user@demo.dev"
CDK_AUTH_LOCAL-USERS_1_PASSWORD="userpwd"
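As an added example (not Conduktor's own code), the following Python rebuilds the nested configuration from CDK_* environment variables using the convention visible in the two forms above: the CDK_ prefix, an underscore between path segments, an all-digit segment as a list index, and hyphens kept inside a segment (LOCAL-USERS becomes local-users). Two points are assumptions of this example rather than facts from the page: keys are lower-cased (the page's own managerDn shows that the real matching must be case-insensitive), and the literals true/false become booleans.

```python
import json
from typing import Any, Dict, List

PREFIX = "CDK_"  # prefix carried by every variable shown on this page


def _coerce(value: str) -> Any:
    """Assumption: the literal strings true/false become YAML booleans
    (CDK_SSO_OAUTH2_0_DEFAULT=true is shown on the page as `default: true`)."""
    lowered = value.strip().lower()
    if lowered in ("true", "false"):
        return lowered == "true"
    return value


def _insert(node: Any, segments: List[str], value: Any) -> Any:
    """Place value at the path given by segments, creating lists for
    numeric segments and mappings for everything else."""
    head, rest = segments[0], segments[1:]
    if head.isdigit():
        index = int(head)
        node = [] if node is None else node
        if not isinstance(node, list):
            raise ValueError(f"segment {head!r} needs a list, found {type(node).__name__}")
        while len(node) <= index:   # pad so variables may arrive in any order
            node.append(None)
        node[index] = value if not rest else _insert(node[index], rest, value)
        return node
    key = head.lower()              # assumption: keys are matched case-insensitively
    node = {} if node is None else node
    if not isinstance(node, dict):
        raise ValueError(f"segment {head!r} needs a mapping, found {type(node).__name__}")
    node[key] = value if not rest else _insert(node.get(key), rest, value)
    return node


def env_to_config(env: Dict[str, str]) -> Dict[str, Any]:
    """Rebuild the nested configuration from all CDK_* variables in env;
    variables without the prefix are ignored."""
    config: Dict[str, Any] = {}
    for name, raw in env.items():
        if not name.startswith(PREFIX):
            continue
        segments = name[len(PREFIX):].split("_")
        if any(seg == "" for seg in segments):
            raise ValueError(f"malformed variable name {name!r}")
        config = _insert(config, segments, _coerce(raw))
    return config


# Constructed sample: the local-user variables from this page plus one
# oauth2 flag and an unrelated variable that must be ignored.
SAMPLE_ENV = {
    "CDK_AUTH_LOCAL-USERS_0_EMAIL": "admin@demo.dev",
    "CDK_AUTH_LOCAL-USERS_0_PASSWORD": "adminpwd",
    "CDK_AUTH_LOCAL-USERS_1_EMAIL": "user@demo.dev",
    "CDK_AUTH_LOCAL-USERS_1_PASSWORD": "userpwd",
    "CDK_SSO_OAUTH2_0_DEFAULT": "true",
    "HOME": "/home/conduktor",
}

if __name__ == "__main__":
    print(json.dumps(env_to_config(SAMPLE_ENV), indent=2))
```

Running it prints the same structure as the YAML form above, which makes it a convenient way to check that a container's environment really expresses the configuration you intended before the platform reads it.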

Configure SSO to an LDAP or OAuth2 Identity Provider (enterprise and team plans)

A detailed list of properties is available here.

LDAP server

Note: for example purposes, the LDAP server used below is the public test directory from zflexldap.

sso:
  ldap:
    - name: 'default' # Custom name for the LDAP connection
      server: 'ldap://www.zflexldap.com:389' # LDAP server URI with port
      managerDn: 'cn=ro_admin,ou=sysadmins,dc=zflexsoftware,dc=com' # Bind DN
      managerPassword: 'zflexpass' # Bind password
      search-base: 'ou=users,ou=guests,dc=zflexsoftware,dc=com' # Base DN to search for users
      search-filter: '(uid={0})' # Search filter; {0} is replaced by the login name

Note: if your LDAP server is Active Directory and you get an "invalid user" error in Conduktor Platform when trying to log in, try setting search-filter to the following in your platform-config.yaml:

      search-filter: '(sAMAccountName={0})'

Or from environment variables:

CDK_SSO_LDAP_0_NAME="default"
CDK_SSO_LDAP_0_SERVER="ldap://www.zflexldap.com:389"
CDK_SSO_LDAP_0_MANAGERDN="cn=ro_admin,ou=sysadmins,dc=zflexsoftware,dc=com"
CDK_SSO_LDAP_0_MANAGERPASSWORD="zflexpass"
CDK_SSO_LDAP_0_SEARCH-BASE="ou=users,ou=guests,dc=zflexsoftware,dc=com"
CDK_SSO_LDAP_0_SEARCH-FILTER="(uid={0})"

LDAPS

For an LDAP over SSL (LDAPS) connection, you have to provide a trusted certificate to conduktor-platform using a Java JKS TrustStore file. See SSL/TLS configuration for more details.

Troubleshoot LDAPS issues

Download the script sso-debug.sh and run it.

If you encounter an error that looks like this:

15:09:15.276 DEBUG i.m.s.l.LdapAuthenticationProvider - Starting authentication with configuration [default]
15:09:15.276 DEBUG i.m.s.l.LdapAuthenticationProvider - Attempting to initialize manager context
15:09:15.279 DEBUG i.m.s.l.LdapAuthenticationProvider - Failed to create manager context. Returning unknown authentication failure. Encountered ldap.conduktor.io:1636

In order to confirm your configuration and figure out if the issue is SSL-related, apply the following procedure:

  1. Set the property sso.ignoreUntrustedCertificate to true:

sso:
  ignoreUntrustedCertificate: true # <---- THIS
  ldap:
    - name: default
      server: "ldaps://domain:636"
      ...

  2. Run the script platform-sso-debug.sh
  3. Try to authenticate to the platform
  4. Confirm the messages you see look like this:
15:37:03.297 DEBUG i.m.s.l.LdapAuthenticationProvider - Starting authentication with configuration [default]
15:37:03.297 DEBUG i.m.s.l.LdapAuthenticationProvider - Attempting to initialize manager context
15:37:03.336 WARN nl.altindag.ssl.SSLFactory - UnsafeTrustManager is being used. Client/Server certificates will be accepted without validation.
15:37:03.563 DEBUG i.m.s.l.LdapAuthenticationProvider - Manager context initialized successfully
15:37:03.563 DEBUG i.m.s.l.LdapAuthenticationProvider - Attempting to authenticate with user [test]
15:37:03.586 DEBUG i.m.s.l.LdapAuthenticationProvider - User not found [test]

From there, either leave ignoreUntrustedCertificate in place (as the WARN line above shows, the server certificate is then accepted without validation) or add the certificate to the truststore.
See SSL/TLS configuration for more details.
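The procedure above amounts to comparing two runs of the log: one with normal certificate validation and one with ignoreUntrustedCertificate set. As an added example (not part of this page or of the sso-debug.sh script), the following Python reduces the LdapAuthenticationProvider lines to a verdict and applies that comparison. The verdict names are this example's own, and the sample lines are the two excerpts shown above.

```python
import re
from typing import Dict, Iterable, Optional

# Patterns taken from the log excerpts on this page; the timestamp and logger
# prefix vary between lines, so only the message part is matched.
_MANAGER_FAILED = re.compile(r"Failed to create manager context")
_MANAGER_OK = re.compile(r"Manager context initialized successfully")
_UNSAFE_TRUST = re.compile(r"UnsafeTrustManager is being used")
_USER_NOT_FOUND = re.compile(r"User not found \[(?P<user>[^\]]*)\]")


def diagnose(lines: Iterable[str]) -> Dict[str, object]:
    """Reduce one authentication attempt's log lines to a verdict plus the
    facts behind it. Verdict names are this example's own."""
    manager_failed = manager_ok = cert_validation_disabled = False
    user_not_found: Optional[str] = None
    for line in lines:
        if _MANAGER_FAILED.search(line):
            manager_failed = True
        elif _MANAGER_OK.search(line):
            manager_ok = True
        elif _UNSAFE_TRUST.search(line):
            cert_validation_disabled = True
        else:
            match = _USER_NOT_FOUND.search(line)
            if match:
                user_not_found = match.group("user")
    if manager_failed and not manager_ok:
        verdict = "bind-failed"      # server unreachable, TLS trust, or wrong managerDn/password
    elif manager_ok and user_not_found is not None:
        verdict = "search-miss"      # bind works; search-base/search-filter do not match the user
    elif manager_ok:
        verdict = "bind-ok"
    else:
        verdict = "no-ldap-activity"
    return {
        "verdict": verdict,
        "manager_failed": manager_failed,
        "manager_ok": manager_ok,
        "cert_validation_disabled": cert_validation_disabled,
        "user_not_found": user_not_found,
    }


def compare_runs(before: Iterable[str], after: Iterable[str]) -> str:
    """Apply the page's reasoning: if the bind only succeeds once
    ignoreUntrustedCertificate is on, the failure was the certificate."""
    first, second = diagnose(before), diagnose(after)
    if first["verdict"] != "bind-failed":
        return "inconclusive"        # nothing was broken in the first run
    if second["cert_validation_disabled"] and second["manager_ok"]:
        return "untrusted-certificate"
    if second["cert_validation_disabled"] and second["verdict"] == "bind-failed":
        return "not-tls-related"     # still fails with validation off: check host, port, credentials
    return "inconclusive"


# Sample input, copied from the two excerpts on this page.
BEFORE_RUN = [
    "15:09:15.276 DEBUG i.m.s.l.LdapAuthenticationProvider - Starting authentication with configuration [default]",
    "15:09:15.276 DEBUG i.m.s.l.LdapAuthenticationProvider - Attempting to initialize manager context",
    "15:09:15.279 DEBUG i.m.s.l.LdapAuthenticationProvider - Failed to create manager context. Returning unknown authentication failure. Encountered ldap.conduktor.io:1636",
]
AFTER_RUN = [
    "15:37:03.297 DEBUG i.m.s.l.LdapAuthenticationProvider - Starting authentication with configuration [default]",
    "15:37:03.297 DEBUG i.m.s.l.LdapAuthenticationProvider - Attempting to initialize manager context",
    "15:37:03.336 WARN nl.altindag.ssl.SSLFactory - UnsafeTrustManager is being used. Client/Server certificates will be accepted without validation.",
    "15:37:03.563 DEBUG i.m.s.l.LdapAuthenticationProvider - Manager context initialized successfully",
    "15:37:03.563 DEBUG i.m.s.l.LdapAuthenticationProvider - Attempting to authenticate with user [test]",
    "15:37:03.586 DEBUG i.m.s.l.LdapAuthenticationProvider - User not found [test]",
]

if __name__ == "__main__":
    print(diagnose(AFTER_RUN)["verdict"], compare_runs(BEFORE_RUN, AFTER_RUN))
```

Two things worth taking from it: a search-miss verdict means the bind itself works and the fix is on the search-base or search-filter side (the Active Directory sAMAccountName case above), and cert_validation_disabled is the flag to alert on if a platform that was put into this diagnostic state is still running with it.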

OAuth2 Identity Provider

Auth0

Configure a new Application on Auth0:

  • Step 1: create regular web application

  • Step 2: get client Id/Secret and domain

  • Step 3: configure callback url

Note: Conduktor Platform exposes a callback URI for the OAuth2 authentication flow. This URL is defined as http://<platform hostname>/oauth/callback/<oauth2 config name>.

  • Step 4: save changes

Platform configuration: add the following YAML fragment to your platform-config.yml file.

sso:
  oauth2:
    - name: 'auth0'
      default: true
      client-id: '<auth0 app client id>' # Get from step 2 - 2
      client-secret: '<auth0 app client secret>' # Get from step 2 - 3
      openid:
        issuer: '<auth0 app domain>.auth0.com' # Get from step 2 - 1

Or from environment variables:

CDK_SSO_OAUTH2_0_NAME="auth0"
CDK_SSO_OAUTH2_0_DEFAULT=true
CDK_SSO_OAUTH2_0_CLIENT-ID="<auth0 app client id>"
CDK_SSO_OAUTH2_0_CLIENT-SECRET="<auth0 app client secret>"
CDK_SSO_OAUTH2_0_OPENID_ISSUER="<auth0 app domain>.auth0.com"

Okta

Configure a new Application on Okta:

  • Step 1: create OpenId Connect web application

  • Step 2: configure callback url

Note: Conduktor Platform exposes a callback URI for the OAuth2 authentication flow. This URL is defined as http://<platform hostname>/oauth/callback/<oauth2 config name>.

  • Step 3: configure app assignment and save changes

  • Step 4: Get client Id/Secret

Platform configuration: add the following YAML fragment to your platform-config.yml file.

sso:
  oauth2:
    - name: 'okta'
      default: true
      client-id: '<okta app client id>' # Get from step 4 - 8
      client-secret: '<okta app client secret>' # Get from step 4 - 9
      openid:
        issuer: '<okta domain>.okta.com' # Your Okta domain

Or from environment variables:

CDK_SSO_OAUTH2_0_NAME="okta"
CDK_SSO_OAUTH2_0_DEFAULT=true
CDK_SSO_OAUTH2_0_CLIENT-ID="<okta app client id>"
CDK_SSO_OAUTH2_0_CLIENT-SECRET="<okta app client secret>"
CDK_SSO_OAUTH2_0_OPENID_ISSUER="<okta domain>.okta.com"

Keycloak

Configure a new client on Keycloak:

  • Step 1: create new OpenId Connect client

  • Step 2: Select Client auth flows

  • Step 3: Configure redirect url

Note: Conduktor Platform exposes a callback URI for the OAuth2 authentication flow. This URL is defined as http://<platform hostname>/oauth/callback/<oauth2 config name>.

  • Step 4: Get client secret

Platform configuration: add the following YAML fragment to your platform-config.yml file.

sso:
  oauth2:
    - name: 'keycloak'
      default: true
      client-id: '<keycloak client id>' # Created in step 1 - 2
      client-secret: '<keycloak client secret>' # Get from step 4 - 5
      openid:
        issuer: 'http://<host(:port)>/realms/<realm name>' # Can be taken from the OpenID Endpoint Configuration (.well-known) output on the Realm settings page

Or from environment variables:

CDK_SSO_OAUTH2_0_NAME="keycloak"
CDK_SSO_OAUTH2_0_DEFAULT=true
CDK_SSO_OAUTH2_0_CLIENT-ID="<keycloak client id>"
CDK_SSO_OAUTH2_0_CLIENT-SECRET="<keycloak client secret>"
CDK_SSO_OAUTH2_0_OPENID_ISSUER="http://<host(:port)>/realms/<realm name>"

Azure

Configure new application on MS Azure

  • Step 1: Create a new application in App registrations

  • Step 2: Name the application with a relevant name

  • Step 3: Create a new client secret. Keep these details secret.

  • Step 4: Define the callback URL. Either use the full domain you will use to host the application, or localhost

In your application summary you can find the tenant ID of your organization in MS Azure. Replace {tenantid} in the openid issuer below with it, use the application ID as the client-id, and the client secret you created earlier as the client-secret.

sso:
  oauth2:
    - name: 'azure'
      default: true
      client-id: ${AZURE_APPLICATION_ID}
      client-secret: ${AZURE_CLIENT_SECRET}
      openid:
        issuer: https://login.microsoftonline.com/{tenantid}/v2.0

Or from environment variables:

CDK_SSO_OAUTH2_0_NAME="azure"
CDK_SSO_OAUTH2_0_DEFAULT=true
CDK_SSO_OAUTH2_0_CLIENT-ID="${AZURE_APPLICATION_ID}"
CDK_SSO_OAUTH2_0_CLIENT-SECRET="${AZURE_CLIENT_SECRET}"
CDK_SSO_OAUTH2_0_OPENID_ISSUER="https://login.microsoftonline.com/{tenantid}/v2.0"

Note: do not use the "Secret ID" of the client secret as the client-id. You must use the application ID.

Google

First of all, you need to create an application on the OAuth consent screen tab of your Google Console. The scopes needed are email, profile, and openid.

To restrict access to your internal workspace, select the Internal user type.

When that is done, create new credentials on the Credentials tab by selecting OAuth client ID.

Enter the name you want, and the application type and redirect URI as below:

The callback URL should look like: http://<platform hostname>/oauth/callback/<OAuth2 config name>

If you use a hostname other than localhost, your callback URL may need to start with https.

When you click Create, you get your credentials. We suggest you download the JSON file and keep it safe.

Now you have everything you need to set up the platform. Within your platform-config.yaml file, add the following block:

sso:
  oauth2:
    - name: 'google'
      default: true
      client-id: <your_google_id>
      client-secret: <your_google_secret>
      openid:
        issuer: 'https://accounts.google.com'

Amazon Cognito

The first step is to create a user pool on Cognito. You can go through the different steps with the default properties. At step 5, you need to choose a name for your user pool and your application.

We also suggest you enable the hosted UI and enter the domain you want.

Check the Confidential client property to get credentials.

You will be able to see those credentials at the bottom of "App integration" in your user pool. If you don't have a client ID, you can use "Create app client", choose Confidential client and give the app client a name.

In the callback property, type http://<platform hostname>/oauth/callback/<OAuth2 config name>, and select email, profile, and openid as OpenID client scopes in the Advanced app client settings section.

If you use a hostname other than localhost, your callback URL may need to start with https.

Finally, click Create. You can get your application credentials here:

Now you have everything you need to set up the platform. Within your platform-config.yaml file, add the following block:

sso:
  oauth2:
    - name: 'cognito'
      default: true
      client-id: <cognito client ID>
      client-secret: <cognito client secret>
      openid:
        issuer: 'https://cognito-idp.<your aws region code>.amazonaws.com/<your user pool ID>'
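Every provider section above ends with the same four facts: an oauth2 entry needs a name, a client-id, a client-secret and an openid issuer, and the provider must be given the callback http(s)://<platform hostname>/oauth/callback/<config name>, with https once the hostname is not localhost. As an added example (not Conduktor's own tooling), the following Python derives the callback for each entry and lints the block before it is deployed; the sample configurations are constructed and every secret in them is invented. Two checks go beyond what the page states and are this example's own additions: at most one entry may be default: true, and an issuer reached over plain http is flagged because OpenID discovery and the token exchange would then travel unprotected.

```python
from typing import Any, Dict, List
from urllib.parse import urlparse


def callback_url(platform_host: str, config_name: str) -> str:
    """Callback URL as this page defines it:
    http(s)://<platform hostname>/oauth/callback/<config name>.
    localhost keeps http; any other hostname gets https, as the Google and
    Cognito sections advise."""
    hostname = platform_host.split(":", 1)[0]
    scheme = "http" if hostname == "localhost" else "https"
    return f"{scheme}://{platform_host}/oauth/callback/{config_name}"


def callbacks(sso: Dict[str, Any], platform_host: str) -> Dict[str, str]:
    """One callback URL per oauth2 entry, keyed by the entry's name."""
    return {e["name"]: callback_url(platform_host, e["name"])
            for e in sso.get("oauth2") or [] if e.get("name")}


def _is_placeholder(value: Any) -> bool:
    """True for a missing value, one still in <angle brackets> from the docs,
    or an unsubstituted ${VAR} reference (assumption: substitution is expected
    to have happened before the config is linted)."""
    if not isinstance(value, str) or not value.strip():
        return True
    return ("<" in value and ">" in value) or value.startswith("${")


def lint_oauth2(sso: Dict[str, Any]) -> List[str]:
    """Return a list of problems; an empty list means every check passed."""
    problems: List[str] = []
    entries = sso.get("oauth2") or []
    defaults = [e.get("name") for e in entries if e.get("default") is True]
    if len(defaults) > 1:                      # this example's own rule
        problems.append(f"more than one entry is default: true: {defaults}")
    for entry in entries:
        name = entry.get("name")
        if not name:
            problems.append("oauth2 entry without a name")
            continue
        client_id, secret = entry.get("client-id"), entry.get("client-secret")
        if _is_placeholder(client_id):
            problems.append(f"{name}: client-id is missing or still a placeholder")
        if _is_placeholder(secret):
            problems.append(f"{name}: client-secret is missing or still a placeholder")
        elif secret == client_id:
            problems.append(f"{name}: client-secret equals client-id (copy/paste error?)")
        issuer = (entry.get("openid") or {}).get("issuer")
        if _is_placeholder(issuer):
            problems.append(f"{name}: openid.issuer is missing or still a placeholder")
        else:
            # Auth0/Okta issuers on this page carry no scheme; assume https for parsing.
            parsed = urlparse(issuer if "://" in issuer else "https://" + issuer)
            if parsed.scheme == "http" and parsed.hostname not in ("localhost", "127.0.0.1"):
                problems.append(f"{name}: openid.issuer {issuer} uses plain http")  # example's own rule
    return problems


# Constructed samples: the identifiers and secrets below are invented.
SAMPLE_SSO_OK = {"oauth2": [{
    "name": "google", "default": True,
    "client-id": "constructed-google-client-id",
    "client-secret": "constructed-google-secret",
    "openid": {"issuer": "https://accounts.google.com"},
}]}

SAMPLE_SSO_BAD = {"oauth2": [
    {   # secret pasted into both fields, two defaults, plain-http issuer
        "name": "keycloak", "default": True,
        "client-id": "conduktor", "client-secret": "conduktor",
        "openid": {"issuer": "http://keycloak.internal:8080/realms/demo"},
    },
    {   # placeholders from the docs never replaced
        "name": "azure", "default": True,
        "client-id": "<azure application id>", "client-secret": "constructed-azure-secret",
        "openid": {"issuer": "https://login.microsoftonline.com/<tenantid>/v2.0"},
    },
]}

if __name__ == "__main__":
    for problem in lint_oauth2(SAMPLE_SSO_BAD):
        print("problem:", problem)
    for name, url in callbacks(SAMPLE_SSO_OK, "conduktor.example.com").items():
        print(f"register {url} as the callback for {name}")
```

The callback list is the part to paste into each provider's redirect URI field; the lint catches the configuration mistakes this page warns about (an unfilled placeholder, the same value in client-id and client-secret) before the first failed login does.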