Users & Authentication

loft provides to different authentication mechanisms:

Username + Password Auth

By default, username and password based authentication is enabled. Admins can add users and send them invite links to sign up. Additionally, admins can reset user passwords. Users can also change their credentials in the profile view of the UI after signing in.

Authentication using username and password can also be disabled which is particularly useful for organizations that want to enforce security standards such as two factor authentication (2FA) using a third-party provider.

OpenID Connect Auth

OpenID Connect allows users to authenticate using a third-party provider. Notable providers include:

  • GitHub / GitHub Enterprise
  • GitLab
  • Google
  • Microsoft
  • and many others

Learn more about how to configure OpenID Connect Authentication.


Add Users

loft UI - Create User
Send Invite Link

If you do not set a password for the user, loft will generate an access key for the user and display an invite link which you can send to the user to sign in and define a password for their user.

Reset Passwords

loft UI - Reset Password

Delete Users

loft UI - Delete User

Delete a user using kubectl:

# IMPORTANT: Make sure to switch to the context of the loft management cluster!
kubectl delete user [USER_NAME]
Data Loss

Deleting a user will also delete all cluster accounts that are owned solely by this user. Deleting these accounts in turn will also delete other related objects such as account quotas and spaces.

Cluster Roles

loft provides an ClusterRole named loft-management-admin that can be assigned to users. This role will allow users to manage all loft-related ressources within the loft cluster, i.e. user, cluster, team etc.

loft UI - Loft ClusterRoles