Configure External Authentication

You can enable users to authenticate using external services such as Google, GitHub, LDAP, OAuth, or OIDC.

Authentication via an identity provider is accomplished using Dex, an OpenID Connect identity hub. Dex can be used to expose a consistent OpenID Connect interface to your applications while allowing your users to authenticate using their existing credentials from various back-ends.

Before You Start

  • Obtain a server certificate and private key for the domain you want to use
  • Set up HTTPS/TLS
  • Connect to aioli-master via HTTPS
  • Ensure you have the necessary credentials for the identity provider you want to enable

How to Configure External Authentication Services

To enable external authentication services, you must configure the dex.config.connectors section in the values.yaml file.

tip icon Tip
Since SSL/TLS certificates are usually based on domain names, you can use the --set loadBalancerHostname=<Your-MLIS-Controller-Domain-Name> Helm option, which allows MLIS to automatically populate the URL values for dex.config.issuer, dex.config.connectors[0].config.redirectURI, dex.config.staticClients[0].redirectURIs, and oidc.idpRecipientUrl with the domain name. This option is valid even if aioli-proxy does not obtain its IP address using --set loadBalancerIP.

Obtain Root Certificate (Optional)

If your external authentication service uses a self-signed certificate, you may obtain its root CA using the following instructions. Otherwise, you can skip this section.

Provider Configuration

  1. Create a values.yaml file.
  2. Add the following dex section. Replace the sample values shown with a connector for the external authentication service you want to enable.

OIDC Configuration

Add the following oidc section in the values.yaml file.

oidc:
  enabled: true
  # allowInsecureIssuerURLContext: false
  autoProvisionUsers: true
  # authenticationClaim: <authentication_claim_attribute> | email (default), preferred_username, name
  # displayNameAttributeName: <display_name_attribute> | empty (default), name, preferred_username, email

Integrate with Off-Spec Providers

If you need to integrate with an off-spec provider, set allowInsecureIssuerURLContext to true.

User Provisioning

  • If autoProvisionUsers is set to true, users are automatically added to the MLIS database upon successful authentication.
  • If autoProvisionUsers is set to false, the platform administrator must explicitly create users in the MLIS database and assign their roles.
    aioli user login admin
    aioli user create user.name@acme.com --remote
    aioli rbac assign-role Admin -u user.name@acme.com

In both cases, users are automatically assigned the Viewer role unless otherwise specified. To see all available roles, use the following command:

aioli rbac list-roles
tip icon Tip

Allow Preferred User Names

By default, MLIS sets the username of the user to the email address that is used to sign in with the identity provider. If the identity provider includes the preferred_username claim in the ID token, you may choose to use the preferred_username as the username by adding authenticationClaim: preferred_username to the oidc section of your values.yaml.

Set Display Name Attribute Name

By default, MLIS leaves the Display Name field blank when a user is added to the database. You may specify which attribute is used to populate the Display Name field by adding oidc.displayNameAttributeName to the oidc section of your values.yaml.

Install Platform

Provide the values.yaml file to the helm install command during installation, using the --values flag.

helm install mlis aioli/aioli --values values.yaml

Remote users can now authenticate using the external service you have configured.

For instructions on how to sign in as a user, see the Connect to Existing Instance guide and select the remote CLI tab.