
Authentication

Different user authentication options for Team Server

When installing Gigantum Team Server it is possible to select from several different authentication options.

For information on how to restrict who can access the Team Server deployment, see the User Management section.

Internal Authorization

By default, the Team Server install uses internal authorization, meaning that user accounts and passwords are stored within the Team Server deployment. This is done by configuring GitLab as an OpenID Connect provider and delegating the registration and login processes to GitLab.

OpenID Connect (OIDC) Authorization

Gigantum Team Server is able to use any OpenID Connect (OIDC) provider as an authentication source. This could be from a company single sign-on (SSO) service or one of the many public platforms that allow users to configure OIDC clients, like Google.

To configure OIDC authentication, provide the --auth oidc flag to gigactl at install time and populate the auth_provider: section of the Settings File with the fields shown below. The example uses Google as the OIDC provider. For information on how to configure an OIDC provider in your Google account, visit their OpenID Connect page.

auth_provider:
  client_id: <Client ID from Google>
  client_secret: <Client Secret from Google>
  oidc_wellknown_url: https://accounts.google.com

OAuth2 Authorization

Gigantum Team Server is able to use some OAuth2 providers as an authentication source. This could be a company single sign-on (SSO) service or one of the public platforms that allow users to configure OAuth2 clients, like GitHub. The one restriction on which OAuth2 providers can work with Gigantum Team Server is that there needs to be an API that the Team Server can query to get a user's profile after they have authenticated.

To configure OAuth2 authentication, provide the --auth oauth2 flag to gigactl at install time and populate the auth_provider: section of the Settings File with the fields shown below. The example uses GitHub as the OAuth2 provider. For information on how to configure an OAuth2 provider in your GitHub account, visit their Creating an OAuth App page.

auth_provider:
  client_id: <Client ID from Github>
  client_secret: <Client Secret from Github>
  auth_url: https://github.com/login/oauth/authorize
  token_url: https://github.com/login/oauth/access_token
  profile_url: https://api.github.com/user

LDAP Authorization

Gigantum Team Server is able to connect to an LDAP server and use it as the source for user account information and password verification. For LDAP authorization, the Team Server install hosts its own login page and uses the LDAP server to verify the given user credentials.

To configure LDAP authentication, provide the --auth ldap flag to gigactl at install time and populate the ldap: section of the Settings File. An example of this section is provided below.

ldap:
  host: "ldap.example.com" # Using the default LDAP TLS port 636 
  bindDN: "uid=serviceaccount,cn=users,dc=example,dc=com"
  bindPW: "password"
  userSearch:
    baseDN: "cn=users,dc=example,dc=com"
    username: "uid"
    idAttr: "uid"
    emailAttr: "mail"
    nameAttr: "name"

Configuration Updates

If the LDAP configuration needs to be updated post-install, the ./gigactl auth edit command can be used to edit the configuration and restart the LDAP components within the Team Server.

Note: The command uses the EDITOR environment variable to decide which editor to launch.
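
A pre-install sanity check for the auth_provider: and ldap: sections shown above, as an added example (not part of gigactl or the Gigantum documentation). It assumes the Settings File has already been parsed into a dict and that every field in this page's examples is required; the weak-secret list and the https-only rule are this example's own policy, and `check_auth_settings`, `lookup` and `SAMPLE_LDAP` are hypothetical names.

```python
# Section and fields per --auth mode, from this page's examples (assumed required).
FIELDS = {
    "oidc": ("auth_provider",
             ["client_id", "client_secret", "oidc_wellknown_url"]),
    "oauth2": ("auth_provider", ["client_id", "client_secret", "auth_url",
                                 "token_url", "profile_url"]),
    "ldap": ("ldap", ["host", "bindDN", "bindPW", "userSearch.baseDN",
                      "userSearch.username", "userSearch.idAttr",
                      "userSearch.emailAttr", "userSearch.nameAttr"]),
}
SECRETS = {"client_secret", "bindPW"}
WEAK = {"password", "changeme", "secret"}  # this example's own deny-list

def lookup(section, dotted):
    """Follow a dotted key such as 'userSearch.baseDN'; None if absent."""
    for part in dotted.split("."):
        section = section.get(part) if isinstance(section, dict) else None
    return section

def check_auth_settings(mode, settings):
    """Return findings for the section that `--auth <mode>` reads."""
    if mode not in FIELDS:
        return [f"unknown auth mode: {mode}"]
    name, fields = FIELDS[mode]
    section = settings.get(name)
    if not isinstance(section, dict):
        return [f"{name}: section missing"]
    findings = []
    for field in fields:
        value = lookup(section, field)
        if not isinstance(value, str) or not value.strip():
            findings.append(f"{name}.{field}: missing or empty")
        elif value.startswith("<") and value.endswith(">"):
            findings.append(f"{name}.{field}: placeholder not replaced")
        elif field in SECRETS and value.lower() in WEAK:
            findings.append(f"{name}.{field}: example or weak secret")
        elif field.endswith("_url") and not value.lower().startswith("https://"):
            findings.append(f"{name}.{field}: not an https URL")
    return findings

# Constructed sample: parsed ldap: section that still has the example password.
SAMPLE_LDAP = {"ldap": {"host": "ldap.example.com", "bindPW": "password",
                        "bindDN": "uid=serviceaccount,cn=users,dc=example,dc=com",
                        "userSearch": {"baseDN": "cn=users,dc=example,dc=com",
                                       "username": "uid", "idAttr": "uid",
                                       "emailAttr": "mail"}}}
print(check_auth_settings("ldap", SAMPLE_LDAP))
```

An empty list means the section passed every check; run it against the parsed Settings File before calling gigactl with the matching --auth flag.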