Skip to main content

Configuring Single sign-on

In Infrahub you can configure SSO using either Open ID Connect (OIDC) or can use OAuth2.

We can enable 3 different identity providers in Infrahub:

  • PROVIDER1
  • PROVIDER2
  • GOOGLE

PROVIDER1 and PROVIDER2 can be used to configure any identity provider that supports OAuth2 or Open ID Connect (OIDC). GOOGLE can be used if you are using Google Workspace as your identity provider, the main difference with the other providers is that GOOGLE has some predefined configuration settings, which limits the amount of configuration you have to do yourself.

When configuring Infrahub, setting up OAuth2 or OIDC is fairly similar, though there are some slight differences with regards to the settings you need to have in place. Both options are provided below.

Setting up OAuth2 in Infrahub

In this case we are going to setup PROVIDER1 as an OAuth2 identify provider in Infrahub. Configuring the first provider with OAuth2 uses environment variables with the INFRAHUB_OAUTH2_PROVIDER1_ prefix. For PROVIDER2 and GOOGLE the prefixes are INFRAHUB_OAUTH2_PROVIDER2_ and INFRAHUB_OAUTH2_GOOGLE_.

VariableTypeDescriptionMandatory
INFRAHUB_OAUTH2_PROVIDER1_CLIENT_IDTextThe client ID from the IDPtrue
INFRAHUB_OAUTH2_PROVIDER1_CLIENT_SECRETTextThe client secret from the IDPtrue
INFRAHUB_OAUTH2_PROVIDER1_AUTHORIZATION_URLUrlThe authorization URL on the IDPtrue
INFRAHUB_OAUTH2_PROVIDER1_TOKEN_URLUrlThe token URL on the IDPtrue
INFRAHUB_OAUTH2_PROVIDER1_USERINFO_URLUrlThe userinfo URL on the IDPtrue
INFRAHUB_OAUTH2_PROVIDER1_SCOPESArray[Text]The scopes to request from the IDPfalse
INFRAHUB_OAUTH2_PROVIDER1_DISPLAY_LABELTextDisplay label for the provider on the login screenfalse
INFRAHUB_OAUTH2_PROVIDER1_ICONTextMDI icon to display on the login screen (ex: mdi:key)false
note

A difference between this provider and one for Google is that the Google provider only requires client_id and client_secret to be set, other than that they are currently identical.

Aside from the display label and icon all the other entries will be provided by your OAuth2 provider.

An example of what the configuration could look like:

export INFRAHUB_OAUTH2_PROVIDER1_CLIENT_ID=infrahub-sso
export INFRAHUB_OAUTH2_PROVIDER1_CLIENT_SECRET=edPf4IaquQaqns7t3s95mLhKKYdwL1up
export INFRAHUB_OAUTH2_PROVIDER1_AUTHORIZATION_URL=http://localhost:8180/realms/infrahub/protocol/openid-connect/auth
export INFRAHUB_OAUTH2_PROVIDER1_TOKEN_URL=http://localhost:8180/realms/infrahub/protocol/openid-connect/token
export INFRAHUB_OAUTH2_PROVIDER1_USERINFO_URL=http://localhost:8180/realms/infrahub/protocol/openid-connect/userinfo
export INFRAHUB_OAUTH2_PROVIDER1_DISPLAY_LABEL="Internal Server (Keycloak)"
export INFRAHUB_OAUTH2_PROVIDER1_ICON="mdi:security-lock-outline"

This could be the configuration of a Keycloak provider, please refer to the documentation of your intended provider for guides on how to create a client and access the required information.

Activating the OAuth2 provider

In order to activate the above provider we need to add it to the list of active OAuth2 providers.

export INFRAHUB_SECURITY_OAUTH2_PROVIDERS='["provider1"]'

Alternatively if you are setting up multiple providers each with their different settings:

export INFRAHUB_SECURITY_OAUTH2_PROVIDERS='["provider1","provider2"]'

Setting up OIDC in Infrahub

In this case we are going to setup PROVIDER1 as an OIDC identify provider in Infrahub. Configuring the first provider with OIDC uses environment variables with the INFRAHUB_OIDC_PROVIDER1_ prefix. For PROVIDER2 and GOOGLE the prefixes are INFRAHUB_OIDC_PROVIDER2_ and INFRAHUB_OIDC_GOOGLE_.

VariableTypeDescriptionMandatory
INFRAHUB_OIDC_PROVIDER1_CLIENT_IDTextThe client ID from the IDPtrue
INFRAHUB_OIDC_PROVIDER1_CLIENT_SECRETTextThe client secret from the IDPtrue
INFRAHUB_OIDC_PROVIDER1_DISCOVERY_URLUrlThe discovery URL on the IDPtrue
INFRAHUB_OIDC_PROVIDER1_SCOPESArray[Text]The scopes to request from the IDPfalse
INFRAHUB_OIDC_PROVIDER1_DISPLAY_LABELTextDisplay label for the provider on the login screenfalse
INFRAHUB_OIDC_PROVIDER1_ICONTextMDI icon to display on the login screen (ex: mdi:key)false
note

A difference between this provider and one for Google is that the Google provider only requires client_id and client_secret to be set, other than that they are currently identical.

Aside from the display label and icon all the other entries will be provided by from your OIDC provider.

An example of what the configuration could look like:

export INFRAHUB_OIDC_PROVIDER1_CLIENT_ID=infrahub-sso
export INFRAHUB_OIDC_PROVIDER1_CLIENT_SECRET=edPf4IaquQaqns7t3s95mLhKKYdwL1up
export INFRAHUB_OIDC_PROVIDER1_DISCOVERY_URL=http://localhost:8180/realms/infrahub/.well-known/openid-configuration
export INFRAHUB_OIDC_PROVIDER1_DISPLAY_LABEL="Internal Server (Keycloak)"
export INFRAHUB_OIDC_PROVIDER1_ICON="mdi:security-lock-outline"

This could be the configuration of a Keycloak provider, please refer to the documentation of your intended provider for guides on how to create a client and access the required information.

Activating the OIDC provider

In order to activate the above provider we need to add it to the list of active OIDC providers.

export INFRAHUB_SECURITY_OIDC_PROVIDERS='["provider1"]'

Alternatively if you are setting up multiple providers each with their different settings:

export INFRAHUB_SECURITY_OIDC_PROVIDERS='["provider1","provider2"]'

Configuring the redirect URI in the identity provider

Within your identity provider when configuring the client you will need to configure a redirect URI that defines an allowed URI. The convention used for Infrahub is that it should point back to the Infrahub host on /auth/{protocol}/{provider_name}/callback.

If we were to setup the above provider on a server called infrahub.example.com to use OIDC the redirect URI would be:

  • https://infrahub.example.com/auth/oidc/provider1/callback

If we instead use OAuth2 the redirect URI would be:

  • https://infrahub.example.com/auth/oauth2/provider1/callback
note

If you get the redirect URI incorrect this will typically be displayed as an error message on the IDP after Infrahub has redirected the session there.

Mapping users to groups within Infrahub

After signing in Infrahub will try to collect the groups that the user is member of. The current requirement around this is that the identity provider has to return this information as a list of strings within a "groups" field in the payload returned from the USERINFO_URL. This is not something that is supported using the Google provider today but should be configurable in other identity providers such as Keycloak.

For any group that is returned by the IDP provider Infrahub will add the user to that group provided that the group in question exists within Infrahub. I.e. Infrahub will not create the groups.

If the identity provider cannot provide a list of groups to assign users to, a default group to use can be configured by using the INFRAHUB_SECURITY_SSO_USER_DEFAULT_GROUP environment variable. This setting's value must match the name of group that exists within Infrahub, as stated before, the group will not be automatically created.