Skip to main content
Version: 1.15

OIDC Authentication

STEP 1

Create Loft Config For OIDC

Loft is able to use an OIDC provider as an authentication source.

To tell Loft to use OIDC for SSO, navigate to Admin > Config in Loft and adjust your config as shown below:

auth:
 # Tell loft to allow OIDC for authentication
  oidc:
    # 
    # 
    # REQUIRED CONFIGURATION
    #
    #
    # IssuerURL is the URL the provider signs ID Tokens as.
    issuerUrl: https://accounts.google.com 
    # ClientID the JWT must be issued for, the "sub" field. Can be string literal or pulled from the environment.
    clientId: $CLIENTID
    # ClientSecret to issue tokens from the OIDC provider. Can be string literal or pulled from the environment.
    clientSecret: $CLIENTSECRET
    # Callback URL in the form of https://your-loft-domain/auth/oidc/callback
    redirectURI: https://loft.my.domain/auth/oidc/callback
    # 
    # 
    # OPTIONAL CONFIGURATION
    #
    #
    # (Optional) Path to a PEM encoded root certificate of the provider. 
    caFile: /tmp/ca-file.crt
    # (Optional) Specify whether to communicate without validating SSL certificates
    insecureCa: false
    # (Optional) UsernameClaim is the JWT field to use as the user's username. 
    # If not set defaults to email.
    usernameClaim: email
    # (Optional) If specified, causes claims mapping to username to be prefix with
    # the provided value.  
    usernamePrefix: my-prefix-
    # (Optional) If specified, causes the OIDCAuthenticator to try to populate the user's
    # groups with an ID Token field.
    groupsClaim: groups
    # (Optional) If specified, causes claims mapping to group names to be prefixed with the
    # value.
    groupsPrefix: group-prefix-
    # (Optional) If groups is non empty, access is denied if the user is not part of at least one 
    # of the specified groups. This requires groupsClaim to be set!
    groups: ["my-oidc-group"]
    # (Optional) If specified, tells the OIDCAuthenticator to try to populate the user's
    # information from the UserInfo. This might be necessary for slim tokens such as used
    # by Okta
    getUserInfo: false
    # (Optional) Cluster Account Templates that will be automatically added for new users 
    # logging in through this authentication
    clusterAccountTemplates: 
      # The name of the cluster account template
    - name: my-cluster-account-template
      sync: true
    # (Optional) A mapping between groups and cluster account templates. 
    # If the user has a certain group, the cluster account template 
    # will be added during creation
    groupClusterAccountTemplates:
      # Name of the group from the token
      - group: my-group
        # Names of the cluster account templates to apply
        clusterAccountTemplates: 
        - name: my-cluster-account-template
          sync: true
STEP 2

Authenticate via OIDC

After saving the new Loft configuration, Loft will restart itself and you should be able to log in via your OIDC provider.

STEP 3

Disable Username + Password Authentication (optional)

To disable password-based authentication, navigate to Admin > Config add these two lines to your config:

auth:
  oidc: ...             # This is your SSO configuration (make sure this is working!)
  password:
    disabled: true      # Disable password-based authentication