SAML/OIDC Authentication

Configure SAML/OIDC Authentication

SAML/OIDC Authentication is an external authentication mode. It is called OAUTH2 in Cavaliba.

It is performed by a companion component, namely oauth2_proxy, which is included in Cavaliba as an additional container, ready to be started and configured.

This model is suitable for modern, large-scale deployments. It offloads the whole access and authentication process to an external authentication server (IdP, Identity Provider). Depending on the IdP, it may also provide strong multi-factor authentication and user self-service features for managing accounts and credentials.

Identity Providers are external services such as Keycloak, Okta, Microsoft Azure AD and numerous others.

Steps to configure

Identity Provider

  • Register your Cavaliba deployment with your IDP (Identity Provider)

Docker .env file

  • Configure the docker .env file with the registration parameters received from the IDP (client id, secret, URLs)

Oauth2 Proxy configuration

  • configure/adapt the oa2p_xxx.cfg file to match the SAML/OIDC requirements of your Identity Provider

Start the Docker OAUTH2 component

  • uncomment the oauth2_proxy block in the docker-compose.yml file
  • start the cavaliba_oa2p container

Configure NGINX to catch/redirect authentication to oauth2

  • uncomment the nginx.conf directives to enable the oauth2 authentication workflow
  • restart the cavaliba nginx container

Inform Cavaliba to use OAUTH2

  • in Cavaliba/Conf, select AUTH_MODE=oauth2
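The nginx step above is the enforcement point of the whole workflow: every request for Cavaliba must be checked by oauth2_proxy before it reaches the application. The following configuration is an added example of the auth_request pattern that does this; it is not the nginx.conf shipped with Cavaliba and does not show the exact directives to uncomment there. It assumes the oauth2_proxy container is reachable as cavaliba_oa2p on oauth2-proxy's default port 4180, that the Cavaliba application upstream is named cavaliba_app on port 8000 (an assumed name), and that the hostname is a placeholder.

```nginx
# Added example, not Cavaliba's own nginx.conf: nginx delegates the
# authentication decision for every request to oauth2_proxy.
# Assumptions: oauth2_proxy listens on cavaliba_oa2p:4180 (container name
# from this page, default oauth2-proxy port); the Cavaliba application is
# reachable as cavaliba_app:8000 (assumed name); TLS is terminated here.
upstream cavaliba_app {
    server cavaliba_app:8000;
}

upstream oauth2_proxy {
    server cavaliba_oa2p:4180;
}

server {
    listen 443 ssl;
    server_name cavaliba.example.com;    # placeholder hostname
    # ssl_certificate / ssl_certificate_key omitted for brevity

    # 1. Sub-request used by auth_request: asks oauth2_proxy whether the
    #    browser carries a valid session cookie. Marked internal so it
    #    cannot be called directly by a client; the request body is never
    #    forwarded, only the headers oauth2_proxy needs.
    location = /oauth2/auth {
        internal;
        proxy_pass              http://oauth2_proxy;
        proxy_set_header        Host             $host;
        proxy_set_header        X-Real-IP        $remote_addr;
        proxy_set_header        X-Forwarded-Uri  $request_uri;
        proxy_pass_request_body off;
        proxy_set_header        Content-Length   "";
    }

    # 2. oauth2_proxy's own endpoints: sign_in, the OIDC callback, sign_out.
    location /oauth2/ {
        proxy_pass       http://oauth2_proxy;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Uri   $request_uri;
    }

    # 3. Everything else is gated. A 401 from the sub-request becomes a
    #    redirect to the sign-in page, carrying the originally requested
    #    URL in "rd" so the user lands back where they started.
    location / {
        auth_request /oauth2/auth;
        error_page 401 = /oauth2/sign_in?rd=$scheme://$host$request_uri;

        # Hand the verified identity to Cavaliba from oauth2_proxy's response
        # headers. proxy_set_header overwrites any X-User / X-Email header the
        # client may have supplied, so the application only sees trusted values.
        auth_request_set $user  $upstream_http_x_auth_request_user;
        auth_request_set $email $upstream_http_x_auth_request_email;
        proxy_set_header X-User  $user;
        proxy_set_header X-Email $email;

        # Propagate a refreshed session cookie if oauth2_proxy rotated it.
        auth_request_set $auth_cookie $upstream_http_set_cookie;
        add_header Set-Cookie $auth_cookie;

        proxy_pass http://cavaliba_app;
    }
}
```

Two points matter for the security of this setup. First, the application upstream must only be reachable through this nginx server block; if the cavaliba_app port is also published directly by docker-compose, the auth_request gate is bypassed entirely. Second, the X-Auth-Request-User and X-Auth-Request-Email headers are only emitted by oauth2_proxy when its `set_xauthrequest` option is enabled in the oa2p_xxx.cfg file, so check that setting there when the identity headers arrive empty.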

Setup a local Keycloak IDP

TBD - start a local Keycloak container, configure the user directory and authentication workflows, and register Cavaliba as a new Service Provider for this IDP.

Bonus: LDAP Authentication

LDAP authentication is a means of authenticating users against a central directory such as OpenLDAP, LemonLDAP or Active Directory.

Although not directly available in Cavaliba, it can be set up with the OAUTH2 mode by pointing at a local Identity Provider (such as Keycloak), which in turn queries an LDAP directory.