Authentication
This section provides details about various authentication providers supported by CloudCasa, including the Helm parameters that need to be used for each provider.
Note that even after configuring a specific auth provider, CloudCasa will not allow everyone to log in. Instead, you
will need to explicitly set initial “allowed” users and/or groups using the Helm parameters auth.allowedUsers and
auth.allowedUserGroups. Only these users or users in these groups will be able to log in directly. All other users
will need to be explicitly invited by another user.
In addition to the above params, you will also need to set one or both of: auth.siteadminUsers and auth.siteadminUserGroups.
Site admin users have additional permissions, such as the ability to see License details in the UI.
Tip
When passing Helm parameters via the command line with –set, remember to escape commas and other shell special
characters with “" (e.g. "OU=Accounts\,DC=testlab\,DC=local").
Local provider
The “local” provider allows users to be configured directly in CloudCasa without having to use any external provider.
Here is a sample values.yaml snippet that configures two users:
auth:
...
siteadminUsers: <EMAIL1>
allowedUsers: <EMAIL1>,<EMAIL2>
local:
enabled: true
users:
- username: <USER1>
email: <EMAIL1>
password: <PASSWORD1>
- username: <USER2>
email: <EMAIL2>
password: <PASSWORD2>
Users can now login with the emails configured above. Please note that you still need to set the parameters
auth.allowedUsers and auth.siteadminUsers to allow access, as shown above.
Warning
This mechanism is only meant to be used for testing and POC purposes. An external authentication provider should be used in production.
LDAP
Helm Parameters
auth.ldap.host- LDAP server hostauth.ldap.insecureNoSSL- Required if the LDAP host is not using TLS (port 389)auth.ldap.insecureSkipVerify- If a custom certificate is not provided, this option can be used to skip TLS verification.auth.ldap.startTLS- When set to “true”, “ldap://” is used instead of “ldaps://” in order to connect to the server.auth.ldap.rootCAData- Certificate file content. Must be base64 encoded.auth.ldap.bindDN- DN for an application service account. The connector uses this value to search for users and groups.auth.ldap.bindPW- Password for an application service account(optional)
auth.ldap.usernamePrompt- Prompt that is used in the login screenauth.ldap.userSearch.baseDN- Base DN for user searchauth.ldap.userSearch.username- Username attributeauth.ldap.userSearch.idAttr- User ID attributeauth.ldap.userSearch.emailAttr- User email attributeauth.ldap.userSearch.nameAttr- User display name attribute(optional)
auth.ldap.userSearch.filter- Optional filter for user searchauth.ldap.groupSearch.baseDN- Base DN for group searchauth.ldap.groupSearch.nameAttr- Group name attribute(optional)
auth.ldap.groupSearch.filter- Optional filter for group search. Default is(objectClass=groupOfNames).auth.ldap.groupSearch.userMatchers- List of field pairs that are used to match a user to a group. The user entry’s attribute must match a group entry’s attribute.auth.ldap.groupSearch.userMatchers.userAttr- User entry’s attributeauth.ldap.groupSearch.userMatchers.groupAttr- Group entry’s attribute
Note
When using Active Directory, auth.ldap.groupSearch.filter should be set to (objectClass=group).
When using OpenLDAP, auth.ldap.groupSearch.filter should be left at the default.
OIDC
In order to set up the OIDC connector, follow these steps:
Go to the OIDC provider page and generate a pair of credentials.
In the OIDC provider page, update redirect/callback URIs with CloudCasa Dex domain: “https://<CLOUDCASA-ENVOY-EXTERNAL-IP>/dex/callback”.
Enable and configure the OIDC connector in “values.yaml”.
Helm Parameters:
auth.oidc.clientID- OIDC credentials client IDauth.oidc.clientSecret- OIDC credentials client secretauth.oidc.issuer- OIDC issuer URL. The value must be the same as theissuervalue from “<OIDC-DOMAIN>/.well-known/openid-configuration”.(optional)
auth.oidc.userIDClaim- Name of the JWT claim that is used as user ID. Default:sub.(optional)
auth.oidc.userNameClaim- Name of the JWT claim that is used as user name. Default:name.(optional)
auth.oidc.emailClaim- Name of the JWT claim that is used as user email. Default:email.(optional)
auth.oidc.groupsClaim- Name of the JWT claim that is used as groups. Default:groups.
AWS Cognito connector
In order to set up the AWS Cognito connector, follow these steps:
Create a new user pool in AWS Cognito and do the following:
Enable “Use the Cognito Hosted UI” option.
In the “Initial app client”, select “Confidential client”, and select “Generate a client secret”.
In the “Allowed callback URLs” section, add a new entry for the callback: “https://<CLOUDCASA-ENVOY-EXTERNAL-IP>/dex/callback”.
Make sure that in the “Advanced app client settings” section “OpenID”, “Email”, and “Profile” are present in the “OpenID Connect scopes”.
Enable and configure AWS Cognito connector in “values.yaml”.
Helm Parameters:
auth.cognito.clientID- AWS Cognito client IDauth.cognito.clientSecret- AWS Cognito client secretauth.cognito.region- AWS region where the user pool was createdauth.cognito.userPoolID- ID of the user pool
Google connector
In order to set up the Google connector, follow these steps:
Go to https://console.cloud.google.com/apis/credentials and create a new OAuth 2.0 Client ID.
In the “Authorized redirect URIs” section, add a new entry for the callback: “https://<CLOUDCASA-ENVOY-EXTERNAL-IP>/dex/callback”. Please keep in mind that a domain must be used, not an IP address.
Enable Google connector in “values.yaml” and set client ID and client secret.
Helm Parameters:
auth.google.clientID- ID of Google OAuth 2.0 credentialsauth.google.clientSecret- Google OAuth 2.0 credentials secret(optional)
auth.google.hostedDomains- List of domains that can log in(optional)
auth.google.groups- List of groups that can log in
Azure
To set up an Azure connector using Microsoft OAuth2 flow, follow these steps:
In Azure Portal, create a new App Registration
For supported account types, select Single Tenant
For redirect URI select Type: Web. Enter “https://<CLOUDCASA-ENVOY-EXTERNAL-IP>/dex/callback”
Create the Application
On the newly created Application, copy and save the following:
Application (Client) ID
Directory (Tenant) ID
Go to “Manage” -> “Authentication”. Under “Implicit grant and hybrid flows”, enable ID Tokens (for implicit and hybrid flows). Save the changes.
Go to “Manage” -> “Certificates & Secrets”. Create a new client secret and save its secret value.
Go to “Manage” -> “API Permissions”. Add the following Microsoft Graph Delegated permissions:
Directory.Read.All (Admin consent required)
User.Read
email
profile
offline_access
openid
Now update “values.yaml”:
Enable the “microsoft” connector
Set the client ID, client secret, and tenant.
If using Microsoft groups for authentication:
List all allowed groups under
auth.microsoft.groups.For each group listed, map it to either Users or Siteadmins via values
auth.allowedUserGroupsandauth.siteadminUserGroups
- If not using group mapping, each allowed user must be listed in
auth.allowedUsersorauth.siteadminUsers.
Here is a sample values.yaml snippet that allows a specified Azure group to login:
auth:
...
allowedUserGroups: cloudcasa-users ## name of the Azure user group
siteadminUserGroups: cloudcasa-siteadmins ## name of the Azure user group
microsoft:
enabled: true
name: azure-connector ## user-visible name displayed on Login page
clientID: PLACEHOLDER
clientSecret: PLACEHOLDER
tenant: PLACEHOLDER
groups:
- cloudcasa-users
- cloudcasa-siteadmins
Helm Parameters:
auth.microsoft.clientID- ID of Azure App credentialsauth.microsoft.clientSecret- Azure App credentials secretauth.microsoft.tenant- ID or name of a tenant. Only accounts belonging to the specific tenant can log in.(optional)
auth.microsoft.groups- List of groups that can log in.(optional)
auth.microsoft.cloud- Azure cloud environment. Supported values: “Government”, “Public”. Default: “Public”.