# Single Sign On (SSO) in lakeFS Enterprise
SSO is also available on lakeFS Cloud. Using the open-source version of lakeFS? Read more on authentication.
Authentication in lakeFS Enterprise is handled by a secondary service that runs side by side with lakeFS. With a nod to Hogwarts and its security system, we've named this service Fluffy. Details for configuring each supported identity provider with Fluffy are shown below. In addition, review the Helm configuration required to deploy Fluffy.
- Active Directory Federation Services (AD FS) (using SAML)
- OpenID Connect
- LDAP
If you're using an authentication provider that is not listed, please contact us for further assistance.
## Active Directory Federation Services (AD FS) (using SAML)

AD FS integration uses certificates to sign and encrypt requests going out from Fluffy and to decrypt incoming requests from the AD FS server.

In order for Fluffy to work, the following values must be configured. Update (or override) the following attributes in the chart's `values.yaml` file:
- Replace `fluffy.saml_rsa_public_cert` and `fluffy.saml_rsa_private_key` with real certificate values.
- Replace `fluffyConfig.auth.saml.idp_metadata_url` with the metadata URL of the AD FS provider (e.g. `adfs-auth.company.com`).
- Replace `fluffyConfig.auth.saml.external_user_id_claim_name` with the claim name representing the user ID in AD FS.
- Replace `lakefs.company.com` with your lakeFS server URL.
If you'd like to generate the certificates using OpenSSL, you can use the following command as an example:

```shell
openssl req -x509 -newkey rsa:2048 -keyout myservice.key -out myservice.cert -days 365 -nodes -subj "/CN=lakefs.company.com"
```
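A common failure when wiring SAML by hand is pasting a certificate and a private key that do not belong together, so the IdP cannot verify Fluffy's signed requests. The script below is an added example (it is not part of the lakeFS documentation or the Fluffy project): it generates the SP key pair as above, verifies that the private key matches the certificate, checks the remaining validity, and prints the PEM as a YAML block scalar ready to paste under `fluffy.saml_rsa_public_cert`. The file names, CN and validity period are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the lakeFS docs or the Fluffy project): generate the
# SAML service-provider key pair that Fluffy signs requests with, then check that
# the private key really belongs to the certificate and that the certificate is
# not about to expire, before pasting both into fluffy.saml_rsa_private_key and
# fluffy.saml_rsa_public_cert. File names, CN and validity are assumptions.
set -eu

# gen_saml_sp_cert DIR CN DAYS: writes DIR/saml.key and a self-signed DIR/saml.cert.
gen_saml_sp_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days "$3" \
    -keyout "$1/saml.key" -out "$1/saml.cert" -subj "/CN=$2" >/dev/null 2>&1
}

# cert_matches_key CERT KEY: 0 when the public key embedded in CERT equals the
# public half of KEY. A mismatch means the IdP cannot verify Fluffy's signatures.
cert_matches_key() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# cert_valid_for_days CERT DAYS: 0 when CERT is still valid DAYS days from now.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# pem_as_yaml_block KEY FILE: prints FILE as a YAML block scalar under KEY,
# ready to paste into values.yaml (e.g. KEY=saml_rsa_public_cert).
pem_as_yaml_block() {
  echo "$1: |"
  sed 's/^/  /' "$2"
}

# Demo: generate into a temporary directory and run the checks (skipped if
# openssl is not installed).
if command -v openssl >/dev/null 2>&1; then
  workdir=$(mktemp -d)
  gen_saml_sp_cert "$workdir" lakefs.company.com 365
  cert_matches_key "$workdir/saml.cert" "$workdir/saml.key" && echo "private key matches certificate"
  cert_valid_for_days "$workdir/saml.cert" 30 && echo "certificate valid for at least 30 days"
  pem_as_yaml_block saml_rsa_public_cert "$workdir/saml.cert"
fi
```

Run the same `cert_matches_key` check against the files you mount at `sp_x509_key_path` and `sp_x509_cert_path`; the comparison is on the SubjectPublicKeyInfo, so it works regardless of how the PEM was wrapped or re-encoded on the way into the chart.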
### lakeFS Server Configuration (update in Helm's `values.yaml` file)

```yaml
auth:
  cookie_auth_verification:
    auth_source: saml
    friendly_name_claim_name: displayName
    external_user_id_claim_name: samName
    default_initial_groups:
      - "Developers"
  logout_redirect_url: "https://lakefs.company.com/logout-saml"
  encrypt:
    secret_key: shared-secrey-key
  ui_config:
    login_url: "https://lakefs.company.com/sso/login-saml"
    logout_url: "https://lakefs.company.com/sso/logout-saml"
    login_cookie_names:
      - internal_auth_session
      - saml_auth_session
```
### Fluffy Configuration (update in Helm's `values.yaml` file)

```yaml
logging:
  format: "json"
  level: "INFO"
  audit_log_level: "INFO"
  output: "="
auth:
  encrypt:
    secret_key: shared-secrey-key
  logout_redirect_url: https://lakefs.company.com
  post_login_redirect_url: https://lakefs.company.com
  saml:
    enabled: true
    sp_root_url: https://lakefs.company.com
    sp_x509_key_path: '/etc/saml_certs/rsa_saml_private.cert'
    sp_x509_cert_path: '/etc/saml_certs/rsa_saml_public.pem'
    sp_sign_request: true
    sp_signature_method: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
    idp_metadata_url: "https://adfs-auth.company.com/federationmetadata/2007-06/federationmetadata.xml"
    # idp_authn_name_id_format: "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
    external_user_id_claim_name: samName
    # idp_metadata_file_path:
    # idp_skip_verify_tls_cert: true
```
## OpenID Connect

In order for Fluffy to work, the following values must be configured. Update (or override) the following attributes in the chart's `values.yaml` file:
- Replace `lakefsConfig.friendly_name_claim_name` with the right claim name.
- Replace `lakefsConfig.default_initial_groups` with the desired claim name (see pre-configured groups for Enterprise).
- Replace `fluffyConfig.auth.logout_redirect_url` with your full OIDC logout URL (e.g. `https://oidc-provider-url.com/logout/path`).
- Replace `fluffyConfig.auth.oidc.url` with your OIDC provider URL (e.g. `https://oidc-provider-url.com`).
- Replace `fluffyConfig.auth.oidc.logout_endpoint_query_parameters` with the parameters you'd like to pass to the OIDC provider on logout.
- Replace `fluffyConfig.auth.oidc.client_id` and `fluffyConfig.auth.oidc.client_secret` with the client ID and secret for OIDC.
- Replace `fluffyConfig.auth.oidc.logout_client_id_query_parameter` with the query parameter that represents the client ID; it must match the key/query parameter name that your specific OIDC provider requires for the client ID.
- Replace `lakefs.company.com` with the lakeFS server URL.
### lakeFS Server Configuration (update in Helm's `values.yaml` file)

```yaml
# Important: make sure to include the rest of your lakeFS configuration here!
auth:
  encrypt:
    secret_key: shared-secrey-key
  oidc:
    friendly_name_claim_name: "name"
    default_initial_groups: ["Developers"]
  ui_config:
    login_url: /oidc/login
    logout_url: /oidc/logout
    login_cookie_names:
      - internal_auth_session
      - oidc_auth_session
```
### Fluffy Configuration (update in Helm's `values.yaml` file)

```yaml
logging:
  format: "json"
  level: "INFO"
  audit_log_level: "INFO"
  output: "="
installation:
  fixed_id: fluffy-authenticator
auth:
  post_login_redirect_url: /
  logout_redirect_url: https://oidc-provider-url.com/logout/url
  oidc:
    enabled: true
    url: https://oidc-provider-url.com/
    client_id: <oidc-client-id>
    client_secret: <oidc-client-secret>
    callback_base_url: https://lakefs.company.com
    is_default_login: true
    logout_client_id_query_parameter: client_id
    logout_endpoint_query_parameters:
      - returnTo
      - https://lakefs.company.com/oidc/login
  encrypt:
    secret_key: shared-secrey-key
```
## LDAP

In order for Fluffy to work, the following values must be configured. Update (or override) the following attributes in the chart's `values.yaml` file:
- Replace `lakefsConfig.auth.remote_authenticator.endpoint` with the lakeFS server URL combined with the `api/v1/ldap/login` suffix (e.g. `http://lakefs.company.com/api/v1/ldap/login`).
- Replace `fluffyConfig.auth.ldap.remote_authenticator.server_endpoint` with your LDAP server endpoint (e.g. `ldaps://ldap.ldap-address.com:636`).
- Replace `fluffyConfig.auth.ldap.remote_authenticator.bind_dn` with the LDAP bind user (with permission to query your LDAP server).
- Replace `fluffyConfig.auth.ldap.remote_authenticator.user_base_dn` with the base DN under which users are searched.
### lakeFS Server Configuration (update in Helm's `values.yaml` file)

```yaml
# Important: make sure to include the rest of your lakeFS configuration here!
auth:
  remote_authenticator:
    enabled: true
    endpoint: https://lakefs.company.com/api/v1/ldap/login
    default_user_group: "Developers"
  ui_config:
    logout_url: /logout
    login_cookie_names:
      - internal_auth_session
```
### Fluffy Configuration (update in Helm's `values.yaml` file)

```yaml
logging:
  format: "json"
  level: "INFO"
  audit_log_level: "INFO"
  output: "="
installation:
  fixed_id: fluffy-authenticator
auth:
  post_login_redirect_url: /
  ldap:
    server_endpoint: 'ldaps://ldap.company.com:636'
    bind_dn: uid=<bind-user-name>,ou=Users,o=<org-id>,dc=<company>,dc=com
    bind_password: '<ldap pwd>'
    username_attribute: uid
    user_base_dn: ou=Users,o=<org-id>,dc=<company>,dc=com
    user_filter: (objectClass=inetOrgPerson)
    connection_timeout_seconds: 15
    request_timeout_seconds: 7
```
## Helm

To use lakeFS Enterprise and Fluffy, we provide an out-of-the-box setup; see the lakeFS Helm chart configuration.

Notes:

- Check the examples we provide on GitHub for each authentication method (OIDC, AD FS and LDAP, plus RBAC).
- The examples are provisioned with a Postgres pod for quick start; replace it with a stable database once ready.
- The encrypt secret key `secrets.authEncryptSecretKey` is shared between Fluffy and lakeFS for authentication.
- The lakeFS `image.tag` must be >= 0.100.0.
- The Fluffy `image.tag` must be >= 0.2.0.
- Change `ingress.hosts[0]` from `lakefs.company.com` to a real host (usually the same as lakeFS), and update the other references to it in the file (note: if a URL path follows the host, it should stay unchanged).
- Update the `ingress` configuration with other optional fields if used.
- Fluffy Docker image: replace `fluffy.image.privateRegistry.secretToken` with a real Docker Hub token for the Fluffy Docker image.
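The notes above, together with the three provider sections, amount to a short pre-deploy checklist: no sample values (`lakefs.company.com`, `shared-secrey-key`, `<oidc-client-id>`, ...) left in the file, one encrypt secret shared by lakeFS and Fluffy, and image tags at or above the minimum versions. The script below is an added example (not part of the lakeFS documentation or the Helm chart) that runs those checks over a `values.yaml` before `helm upgrade`. The values layout it assumes (top-level `image:`, `fluffy:`, `lakefsConfig:`, `fluffyConfig:`, `secrets:`, `ingress:`) and the two sample files it constructs are assumptions for the example; adjust the key names to your chart.

```shell
#!/bin/sh
# Added example (not part of the lakeFS docs or the Helm chart): a pre-deploy
# lint for the Helm values.yaml that catches the mistakes the notes above warn
# about. The values layout and the sample files are constructed for this
# example; adapt the key names to your chart.
set -eu

# version_ge A B: 0 when dotted version A >= B, comparing up to three numeric parts.
version_ge() {
  a=$1; b=$2; i=1
  while [ $i -le 3 ]; do
    x=$(echo "$a" | cut -d. -f$i); y=$(echo "$b" | cut -d. -f$i)
    x=${x:-0}; y=${y:-0}
    [ "$x" -gt "$y" ] && return 0
    [ "$x" -lt "$y" ] && return 1
    i=$((i + 1))
  done
  return 0
}

# image_tag FILE SECTION: prints the first `tag:` value under top-level SECTION
# (assumed layout: lakeFS tag under `image:`, Fluffy tag under `fluffy: image:`).
image_tag() {
  awk -v want="$2" '
    /^[A-Za-z]/ { section=$1; sub(/:$/, "", section) }
    section == want && /^[[:space:]]+tag:/ { v=$2; gsub(/["'\'']/, "", v); print v; exit }
  ' "$1"
}

# leftover_placeholders FILE: prints lines still carrying the docs' sample
# values or <angle-bracket> stand-ins; returns 1 if any were found.
leftover_placeholders() {
  ! grep -nE 'lakefs\.company\.com|shared-secrey-key|oidc-provider-url\.com|<[^>]+>' "$1"
}

# secret_keys_consistent FILE: every secret_key / authEncryptSecretKey value in
# the file must be identical, otherwise lakeFS cannot read Fluffy's cookies.
secret_keys_consistent() {
  n=$(awk '/^[[:space:]]*(secret_key|authEncryptSecretKey):/ {
             sub(/^[^:]*:[[:space:]]*/, ""); gsub(/["'\'']/, ""); print }' "$1" \
      | sort -u | wc -l | tr -d ' ')
  [ "$n" -le 1 ]
}

# check_values FILE: runs every check, reports findings, returns 1 on any failure.
check_values() {
  f=$1; rc=0
  leftover_placeholders "$f" || { echo "FAIL: sample values still present (see above)"; rc=1; }
  secret_keys_consistent "$f" || { echo "FAIL: encrypt secret keys differ between lakeFS and Fluffy"; rc=1; }
  lt=$(image_tag "$f" image); ft=$(image_tag "$f" fluffy)
  version_ge "${lt:-0}" 0.100.0 || { echo "FAIL: lakeFS image.tag '$lt' < 0.100.0"; rc=1; }
  version_ge "${ft:-0}" 0.2.0   || { echo "FAIL: fluffy image.tag '$ft' < 0.2.0"; rc=1; }
  return $rc
}

# write_sample_values FILE good|bad: constructed values files for the demo.
# "bad" keeps the docs' sample host and secret, mismatches the Fluffy secret and
# pins an old Fluffy tag; "good" has none of those problems.
write_sample_values() {
  if [ "$2" = good ]; then
    host=lakefs.example.internal; key=Sx9vQ2mT4rH8wL1p; fkey=$key; ftag=0.2.3
  else
    host=lakefs.company.com; key=shared-secrey-key; fkey=some-other-key; ftag=0.1.9
  fi
  cat > "$1" <<EOF
image:
  tag: "0.104.0"
fluffy:
  image:
    tag: "$ftag"
secrets:
  authEncryptSecretKey: "$key"
lakefsConfig:
  auth:
    encrypt:
      secret_key: "$key"
fluffyConfig:
  auth:
    encrypt:
      secret_key: "$fkey"
ingress:
  hosts:
    - host: $host
EOF
}

# Demo on the constructed "bad" file: prints each finding.
demo=$(mktemp -d)
write_sample_values "$demo/values.yaml" bad
check_values "$demo/values.yaml" || echo "values.yaml is not ready for deployment"
```

Run `check_values path/to/values.yaml` against the file you are about to pass to Helm; a non-zero exit is the signal to stop. The checks are deliberately text-based so they work without a YAML parser, which also means they will not follow anchors or `--set` overrides applied on the command line.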