Advanced SSO configuration
Multiple identity providers
To configure multiple identity providers:
- Configure each provider using the same steps as above, but with the appropriate slot name (for example provider1, provider2)
- Make sure to set the INFRAHUB_SECURITY_OIDC_PROVIDERS or INFRAHUB_SECURITY_OAUTH2_PROVIDERS variable to include all configured providers

environment-variables:

# Configuration for first provider
export INFRAHUB_OIDC_PROVIDER1_*
# Configuration for second provider
export INFRAHUB_OIDC_PROVIDER2_*
# Then enable the providers
export INFRAHUB_SECURITY_OIDC_PROVIDERS='["provider1", "provider2"]'

infrahub-toml:

[security.oidc_provider_settings.provider1]
# Configuration for first provider
[security.oidc_provider_settings.provider2]
# Configuration for second provider
[security]
# Then enable the providers
oidc_providers = ["provider1", "provider2"]

Group mapping
Infrahub can automatically assign users to groups based on information from your identity provider.
Infrahub won't automatically create groups based on identity provider data. You must create the corresponding groups in Infrahub first.
Step 1: Configure group claims in your identity provider
Configure your identity provider application to include group information in the authentication tokens sent to Infrahub.
Refer to your provider's documentation for instructions on "group claims" or "configuring OAuth2/OIDC group mappings".
Step 2: Create corresponding groups in Infrahub
Create groups in Infrahub that match the groups sent by your identity provider.
Some providers send group IDs instead of display names. Create groups in Infrahub with the exact same IDs your provider sends, and use the label field to store human-friendly names.
Follow these steps to create groups:
- Navigate to Admin > Users and Permissions > Groups
- Click + Create Account Group
- Enter the exact name of the group as sent by your identity provider
- Optionally, add a description and assign permissions
- Click Save
- Repeat for each group you want to map
Every SSO authentication attempt is logged in the Infrahub server logs. These logs contain detailed information about the groups received from your identity provider.
For example:
SSO user authenticated [infrahub] app=infrahub.api body={'user_name': 'Otto the otter', 'groups': ['Admin Otter']}
To confirm group mapping is working, log in through SSO and check your user Profile in Infrahub. You should see the groups assigned based on your identity provider's data.
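
The log line above can also be checked in bulk. The following is an added example, not part of Infrahub or its documentation: it parses `SSO user authenticated` log lines in the format shown and reports groups sent by the identity provider that have no matching group in Infrahub. The sample log lines, the group list, and the function names are constructed for illustration, and exact, case-sensitive name matching is an assumption.

```python
import ast
import re
from collections import defaultdict

# Matches the "SSO user authenticated" line format shown above;
# the body field is a Python dict repr.
SSO_LINE = re.compile(r"SSO user authenticated .*?body=(\{.*\})")

def parse_sso_line(line):
    """Return (user_name, [groups]) for an SSO log line, or None for any other line."""
    match = SSO_LINE.search(line)
    if not match:
        return None
    try:
        body = ast.literal_eval(match.group(1))  # literals only, never executes code
    except (ValueError, SyntaxError):
        return None
    if not isinstance(body, dict):
        return None
    groups = body.get("groups") or []
    if isinstance(groups, str):  # tolerate a single group sent as a bare string
        groups = [groups]
    return str(body.get("user_name", "<unknown>")), [str(g) for g in groups]

def unmapped_groups(log_lines, infrahub_groups):
    """Map each IdP group with no same-named Infrahub group to the users who sent it."""
    known = set(infrahub_groups)
    missing = defaultdict(set)
    for line in log_lines:
        parsed = parse_sso_line(line)
        if parsed is None:
            continue
        user, groups = parsed
        for group in groups:
            if group not in known:  # assumption: exact, case-sensitive match
                missing[group].add(user)
    return {group: sorted(users) for group, users in missing.items()}

# Constructed sample input (not real log output beyond the format shown above).
SAMPLE_LOG = [
    "SSO user authenticated [infrahub] app=infrahub.api body={'user_name': 'Otto the otter', 'groups': ['Admin Otter']}",
    "SSO user authenticated [infrahub] app=infrahub.api body={'user_name': 'Olive', 'groups': ['Admin Otter', 'admin otter', '7f3c-example-id']}",
    "unrelated log line [infrahub] app=infrahub.api",
    "SSO user authenticated [infrahub] app=infrahub.api body={'user_name': 'Oscar', 'groups': []}",
]
EXISTING_GROUPS = ["Admin Otter", "default-group"]  # hypothetical groups created in Infrahub

if __name__ == "__main__":
    for group, users in unmapped_groups(SAMPLE_LOG, EXISTING_GROUPS).items():
        print(f"no Infrahub group named {group!r}; sent for: {', '.join(users)}")
```

A group that appears in this report is one the identity provider sends but that still has to be created in Infrahub, either under that exact name or under the ID the provider uses.
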
Step 3: Configure default group assignment (optional)
If your identity provider cannot provide group information, configure a default group for SSO users.
You must create this default group in Infrahub before configuring it here.

environment-variables:

# Set the default group for SSO users
export INFRAHUB_SECURITY_SSO_USER_DEFAULT_GROUP='default-group'

infrahub-toml:

[security]
sso_user_default_group = "default-group"

Now that group mapping is configured, manage user permissions in Infrahub by assigning permissions and roles to these groups.