How to enable custom identity provider support
The Anbox Cloud Appliance has support for custom identity providers for authentication through the use of OpenID Connect.
Support for a custom identity provider has to be enabled at initialisation by using a preseed configuration. See Anbox Cloud Appliance preseed configuration format for more details.
Anbox Cloud uses the authorisation code flow to obtain an identity token. No access token is requested in this flow because authorisation is handled within the Anbox Cloud services.
In order to allow discovery of the necessary endpoints on the identity provider, it must support the OpenID Connect Discovery protocol.
The following will show you how to configure an OpenID Connect based identity provider for the Anbox Cloud Appliance.
Preparation
In order to configure OpenID Connect based authentication, you will need the following from your identity provider:
The issuer URL
The client ID
(Optional) The audience URL, which some providers (for example, Auth0) require
The identity provider is expected to serve the JSON Web Key Set endpoint at <issuer URL>/.well-known/jwks.json.
Your identity provider must have https://<appliance address or DNS name>/oidc/callback configured as an allowed redirect/callback URL.
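The requirements above (issuer URL, JWKS under <issuer URL>/.well-known/jwks.json, authorisation code flow, callback URL) can be checked before you write the preseed. The following is an added example, not part of the Anbox Cloud documentation or code: it validates a fetched OpenID Connect Discovery document against those requirements, builds the callback URL to register, and checks the claims of an ID token returned by the code flow. The sample discovery document and sample token are constructed for the example; the issuer https://my.auth.com and client ID are the placeholder values used in the preseed below.

```python
"""Preflight checks for an OpenID Connect provider used with the Anbox Cloud
Appliance (added example, standard library only).  The discovery document
is what `<issuer URL>/.well-known/openid-configuration` returns; fetch it
once and pass the parsed JSON in."""
import base64
import json
import time
from urllib.parse import urlparse

REDIRECT_PATH = "/oidc/callback"  # callback path the appliance uses

# Constructed sample discovery document for the placeholder issuer.
SAMPLE_DISCOVERY = {
    "issuer": "https://my.auth.com",
    "authorization_endpoint": "https://my.auth.com/authorize",
    "token_endpoint": "https://my.auth.com/oauth/token",
    "jwks_uri": "https://my.auth.com/.well-known/jwks.json",
    "response_types_supported": ["code", "id_token", "code id_token"],
}


def check_discovery(doc, issuer_url):
    """Return a list of problems found in a discovery document.

    The checks mirror what the appliance needs: the advertised issuer must
    equal the configured issuer URL (exact match, as OpenID Connect Core
    requires), the key set must be at <issuer URL>/.well-known/jwks.json,
    and the provider must offer the `code` response type for the
    authorisation code flow.  All endpoints must be HTTPS.
    """
    problems = []
    if urlparse(issuer_url).scheme != "https":
        problems.append("issuer URL must use https")
    if doc.get("issuer") != issuer_url:
        problems.append("issuer mismatch: %r != %r" % (doc.get("issuer"), issuer_url))
    expected_jwks = issuer_url.rstrip("/") + "/.well-known/jwks.json"
    if doc.get("jwks_uri") != expected_jwks:
        problems.append("jwks_uri is %r, expected %r" % (doc.get("jwks_uri"), expected_jwks))
    if "code" not in doc.get("response_types_supported", []):
        problems.append("provider does not advertise the 'code' response type")
    for endpoint in ("authorization_endpoint", "token_endpoint"):
        if not doc.get(endpoint, "").startswith("https://"):
            problems.append("%s missing or not https" % endpoint)
    return problems


def redirect_uri(appliance_address):
    """Callback URL that must be registered with the identity provider."""
    return "https://%s%s" % (appliance_address, REDIRECT_PATH)


def _b64url_decode(segment):
    segment += "=" * (-len(segment) % 4)  # restore stripped padding
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(claims, alg="RS256"):
    """Build a constructed ID token (header.payload.signature) for testing.

    The signature segment is a placeholder; this helper exists only so the
    claim checks below can be exercised offline.
    """
    header = _b64url_encode(json.dumps({"alg": alg, "kid": "constructed"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return ".".join((header, payload, "constructed-signature"))


def check_id_token_claims(id_token, issuer_url, client_id, now=None):
    """Check the claims of an ID token obtained through the code flow.

    Only claims are checked here: `iss` must equal the issuer, `aud` must
    contain the client ID, and the token must not be expired.  Signature
    verification against the provider's JWKS is a separate step (RS256 is
    not in the standard library).  Returns a list of problems.
    """
    header_b64, payload_b64, _signature = id_token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    problems = []
    if header.get("alg", "none").lower() == "none":
        problems.append("unsigned token (alg=none) must be rejected")
    if claims.get("iss") != issuer_url:
        problems.append("iss claim %r does not match issuer" % claims.get("iss"))
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if client_id not in aud:
        problems.append("aud %r does not contain the client ID" % aud)
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    return problems


if __name__ == "__main__":
    print("discovery problems:", check_discovery(SAMPLE_DISCOVERY, "https://my.auth.com"))
    print("register this callback:", redirect_uri("appliance.example.com"))
```

Run `check_discovery` on the JSON your provider returns from its `.well-known/openid-configuration` endpoint; an empty list means the issuer URL and client ID can go into the preseed as shown below. Any problem reported with `jwks_uri` or the `code` response type means the provider does not meet the appliance's expectations and must be reconfigured first.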
Configure OpenID Connect
Support for OpenID Connect can only be configured when the Anbox Cloud Appliance is initialised with a preseed (see Anbox Cloud Appliance preseed configuration format). The other steps to install the Anbox Cloud Appliance as described in Install the appliance on a dedicated machine remain the same.
The issuer URL, client ID and optional audience URL are set in the preseed configuration as follows:
$ cat preseed.yaml
....
oidc:
  issuer: https://my.auth.com
  client_id: aff32f32ffwfsdfdsfdsg
  # Only if your identity provider requires it
  audience: https://my.auth.com/api/v2
With the preseed configuration in place, start the initialisation by running:
sudo anbox-cloud-appliance init --preseed < preseed.yaml
Once the initialisation has been completed, you can register a new user by running:
sudo anbox-cloud-appliance dashboard register <email address>
Once the user has followed the printed URL and authenticated with your identity provider, they are granted access to the web UI.