loft provides two different authentication mechanisms:
- Authentication using username and password
- Authentication using a third-party provider via OpenID Connect
Username + Password Auth
By default, username and password based authentication is enabled. Admins can add users and send them invite links to sign up. Additionally, admins can reset user passwords. Users can also change their credentials in the profile view of the UI after signing in.
Authentication using username and password can also be disabled, which is particularly useful for organizations that want to enforce security standards such as two-factor authentication (2FA) using a third-party provider.
OpenID Connect Auth
OpenID Connect allows users to authenticate using a third-party provider. Notable providers include:
- GitHub / GitHub Enterprise
- and many others
Learn more about how to configure OpenID Connect Authentication.
Send Invite Link
If you do not set a password for the user, loft will generate an access key for the user and display an invite link, which you can send to the user so that they can sign in and define their own password.
Delete a user using
Deleting a user will also delete all cluster accounts that are owned solely by this user. Deleting these accounts in turn will also delete other related objects such as account quotas and spaces.
loft provides a ClusterRole named loft-management-admin that can be assigned to users. This role allows users to manage all loft-related resources within the loft cluster, i.e. users, clusters, teams, etc.