Configuration section for authentication services, like SAML or OIDC.
45
+
Configuration section for SSO authentication services, like SAML or OIDC.
46
46
47
-
*`auth.logout_redirect_url``(string : "/auth/login")` - The URL to redirect to after logout. The behavior depends on the authentication provider:
48
-
***For OIDC**: The logout URL of the OIDC provider (e.g., Auth0 logout endpoint)
49
-
***For SAML**: The URL within lakeFS where the IdP should redirect after logout (e.g., `/auth/login`)
47
+
*`auth.logout_redirect_url``(string : "/auth/login")` - The URL to redirect to after logout when using SSO authentication services, like SAML or OIDC.
48
+
The configuration depends on the authentication provider:
49
+
- **For OIDC:** The logout URL of the OIDC provider (e.g., Auth0 logout endpoint).
50
+
- **For SAML:** The URL within lakeFS where the IdP should redirect after logout (e.g., `/auth/login`).
51
+
52
+
#### auth.ui_config
53
+
54
+
*`auth.ui_config.login_url_method``(string : "redirect")` - Controls how lakeFS handles login when an `auth.ui_config.login_url` (SSO via OIDC or SAML) is configured. This parameter is only relevant when `auth.ui_config.login_url` is set.
55
+
**Supported values:**
56
+
* `"redirect"` - On login, users are redirected to the configured `auth.ui_config.login_url` (default).
57
+
* `"select"` - On login, login selection page is used to select between build-in lakeFS and SSO login.
50
58
51
59
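Review bot: `build-in` in the `"select"` bullet of `auth.ui_config.login_url_method` should read `built-in`, and the sentence needs an article, e.g. `On login, a login selection page lets the user choose between the built-in lakeFS login and SSO.` Because `"select"` keeps the local-credential login reachable next to SSO, say so in one clause, so operators who intend SSO-only do not pick it by accident. Also, `auth.logout_redirect_url` keeps the default `"/auth/login"` while the OIDC bullet says the value is the provider's logout endpoint; state what happens for OIDC when the key is left at its default.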
### auth.providers
52
60
53
-
Configuration section external identity providers
61
+
Configuration section for external identity providers used for authentication services, such as LDAP, SAML or OIDC.
54
62
55
63
#### auth.providers.ldap
56
64
57
-
*`auth.providers.ldap.server_endpoint``(string : "")` - The LDAP server address, e.g. `'ldaps://ldap.company.com:636'`
58
-
*`auth.providers.ldap.bind_dn``(string : "")` - The bind string, e.g. `'uid=<bind-user-name>,ou=Users,o=<org-id>,dc=<company>,dc=com'`
59
-
*`auth.providers.ldap.bind_password``(string : "")` - The password for the user to bind
60
-
*`auth.providers.ldap.username_attribute``(string : "")` - The user name attribute, e.g. 'uid'
61
-
*`auth.providers.ldap.user_base_dn``(string : "")` - The search request base dn, e.g. `'ou=Users,o=<org-id>,dc=<company>,dc=com'`
62
-
*`auth.providers.ldap.user_filter``(string : "")` - The search request user filter, e.g. `'(objectClass=inetOrgPerson)'`
63
-
*`auth.providers.ldap.connection_timeout_seconds``(int : 0)` - The timeout for a single connection
64
-
*`auth.providers.ldap.request_timeout_seconds``(int : 0)` - The timeout for a single request
65
-
*`auth.providers.ldap.default_user_group``(string : "")` - The default group for the users initially authenticated by the remote service
65
+
Configuration section for LDAP
66
+
67
+
*`auth.providers.ldap.server_endpoint``(string : "" - required)` - The LDAP server address, e.g. `'ldaps://ldap.company.com:636'`.
68
+
*`auth.providers.ldap.bind_dn``(string : "" - required)` - The bind string, e.g. `'uid=<bind-user-name>,ou=Users,o=<org-id>,dc=<company>,dc=com'`.
69
+
*`auth.providers.ldap.bind_password``(string : "" - required)` - The password for the user to bind.
70
+
*`auth.providers.ldap.username_attribute``(string : "" - required)` - The user name attribute, e.g. 'uid'.
71
+
*`auth.providers.ldap.user_base_dn``(string : "" - required)` - The search request base dn, e.g. `'ou=Users,o=<org-id>,dc=<company>,dc=com'`.
72
+
*`auth.providers.ldap.user_filter``(string : "" - required)` - The search request user filter, e.g. `'(objectClass=inetOrgPerson)'`.
73
+
*`auth.providers.ldap.connection_timeout_seconds``(int : 0 - required)` - The timeout for a single connection.
74
+
*`auth.providers.ldap.request_timeout_seconds``(int : 0 - required)` - The timeout for a single request.
75
+
*`auth.providers.ldap.default_user_group``(string : "" - required)` - The default group for the users initially authenticated by the remote service.
66
76
67
77
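Review bot: every LDAP key is now tagged `- required`, including `connection_timeout_seconds` and `request_timeout_seconds` with a default of `0` and `default_user_group`; a setting with a documented default cannot also be required, and `0` for a timeout usually means "no timeout", which is the opposite of required. Keep `required` only on the keys the server refuses to start without, and say what `0` means for the two timeouts. The `(string : "" - required)` form also reads as if `"" - required` were the default value; a separate marker such as `(string, required)` or a trailing `Required.` sentence is clearer. Finally, `Configuration section for LDAP` lacks the terminating period the other section lead-ins in this change received.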
#### auth.providers.saml
68
78
69
79
Configuration section for SAML
70
80
71
-
*`auth.providers.saml.sp_root_url``(string : '')` - The base lakeFS-URL, e.g. `'https://<lakefs-url>'`
72
-
*`auth.providers.saml.sp_x509_key_path``(string : '')` - The path to the private key, e.g `'/etc/saml_certs/rsa_saml_private.cert'`
73
-
*`auth.providers.saml.sp_x509_cert_path``(string : '')` - The path to the public key, '/etc/saml_certs/rsa_saml_public.pem'
74
-
*`auth.providers.saml.sp_sign_request``(bool : false)` Some IdP require the SLO request to be signed
75
-
*`auth.providers.saml.sp_signature_method``(string : '')` Optional valid signature values depending on the IdP configuration, e.g. '<http://www.w3.org/2001/04/xmldsig-more#rsa-sha256>'
76
-
*`auth.providers.saml.idp_metadata_url``(string : '')` - The URL for the metadata server, e.g. `'https://<adfs-auth.company.com>/federationmetadata/2007-06/federationmetadata.xml'`
77
-
*`auth.providers.saml.idp_metadata_file_path``(string : '')` - The path to the Identity Provider (IdP) metadata XML file, e.g. '/etc/saml/idp-metadata.xml'
78
-
*`auth.providers.saml.idp_skip_verify_tls_cert``(bool : false)` - Insecure skip verification of the IdP TLS certificate, like when signed by a private CA
79
-
*`auth.providers.saml.idp_authn_name_id_format``(string : 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified')` - The format used in the NameIDPolicy for authentication requests
80
-
*`auth.providers.saml.idp_request_timeout``(duration : '10s')` The timeout for remote authentication requests
81
-
*`auth.providers.saml.post_login_redirect_url``(string : '')` - The URL to redirect users to after successful SAML authentication, e.g. `'http://localhost:8000/'`
81
+
*`auth.providers.saml.sp_root_url``(string : "")` - The base lakeFS-URL, e.g. `'https://<lakefs-url>'`.
82
+
*`auth.providers.saml.sp_x509_key_path``(string : "")` - The path to the private key, e.g `'/etc/saml_certs/rsa_saml_private.cert'`.
83
+
*`auth.providers.saml.sp_x509_cert_path``(string : "")` - The path to the public key, '/etc/saml_certs/rsa_saml_public.pem'.
84
+
*`auth.providers.saml.sp_sign_request``(bool : false)` Some IdP require the SLO request to be signed.
85
+
*`auth.providers.saml.sp_signature_method``(string : "")` Optional valid signature values depending on the IdP configuration, e.g. '<http://www.w3.org/2001/04/xmldsig-more#rsa-sha256>'.
86
+
*`auth.providers.saml.idp_metadata_url``(string : "")` - The URL for the metadata server, e.g. `'https://<adfs-auth.company.com>/federationmetadata/2007-06/federationmetadata.xml'`.
87
+
*`auth.providers.saml.idp_metadata_file_path``(string : "")` - The path to the Identity Provider (IdP) metadata XML file, e.g. '/etc/saml/idp-metadata.xml'.
88
+
*`auth.providers.saml.idp_skip_verify_tls_cert``(bool : false)` - Insecure skip verification of the IdP TLS certificate, like when signed by a private CA.
89
+
*`auth.providers.saml.idp_authn_name_id_format``(string : "")` - The format used in the NameIDPolicy for authentication requests. (e.g., "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified")
90
+
*`auth.providers.saml.idp_request_timeout``(time duration : 10s)` The timeout for remote authentication requests.
91
+
*`auth.providers.saml.post_login_redirect_url``(string : "")` - The URL to redirect users to after successful SAML authentication, e.g. `'http://localhost:8000/'`.
82
92
83
93
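Review bot: the `sp_sign_request` and `sp_signature_method` bullets are still missing the ` - ` separator between the type and the description that every other bullet uses, and `Some IdP require` should be `Some IdPs require`. The default for `idp_authn_name_id_format` changed from the `urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified` URN to `""` with the URN demoted to an example; confirm that this matches the server, because a reader who leaves the key unset will now expect no NameIDPolicy format rather than `unspecified`. Minor consistency: `e.g` in `sp_x509_key_path` lacks its period, and the path examples in `sp_x509_cert_path` and `idp_metadata_file_path` are not in backticks like the others.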
#### auth.providers.oidc
84
94
85
95
Configuration section for OIDC
86
96
87
-
*`auth.providers.oidc.url``(string : '')` - The OIDC provider url, e.g. `'https://oidc-provider-url.com/'`
88
-
*`auth.providers.oidc.client_id``(string : '')` - The application's ID
89
-
*`auth.providers.oidc.client_secret``(string : '')` - The application's secret
90
-
*`auth.providers.oidc.callback_base_url``(string : '')` - A default callback address of the lakeFS server
91
-
*`auth.providers.oidc.callback_base_urls``(string[] : '[]')` - If callback_base_urls is configured, check current host is whitelisted otherwise use callback_base_url (without 's'). These config keys are mutually exclusive
97
+
*`auth.providers.oidc.url``(string : "")` - The OIDC provider url, e.g. `'https://oidc-provider-url.com/'`
98
+
*`auth.providers.oidc.client_id``(string : "")` - The application's ID
99
+
*`auth.providers.oidc.client_secret``(string : "")` - The application's secret
100
+
*`auth.providers.oidc.callback_base_url``(string : "")` - A default callback address of the lakeFS server
101
+
*`auth.providers.oidc.callback_base_urls``(string[] : [])` - If callback_base_urls is configured, check current host is whitelisted otherwise use callback_base_url (without 's'). These config keys are mutually exclusive
92
102
93
103
!!! note
94
104
You may configure a list of URLs that the OIDC provider may redirect to. This allows lakeFS to be accessed from multiple hostnames while retaining federated auth capabilities.
95
105
If the provider redirects to a URL not in this list, the login will fail. This property and callback_base_url are mutually exclusive.
96
106
97
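Review bot: the `callback_base_urls` description (`check current host is whitelisted otherwise use callback_base_url`) contradicts the note under it. The note says the two keys are mutually exclusive and that a redirect to a host outside the list fails the login, so there is no fallback to `callback_base_url` when `callback_base_urls` is set; describe it as an allowlist of permitted callback hosts and say that the login is rejected otherwise. The OIDC bullets also did not receive the trailing periods the LDAP and SAML bullets got in this same change.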
-
*`auth.providers.oidc.authorize_endpoint_query_parameters``(map[string]string : {})` - key/value parameters that are passed to a provider's authorization endpoint
107
+
*`auth.providers.oidc.authorize_endpoint_query_parameters``(map[string]string : {})` - key/value parameters that are passed to a provider's authorization endpoint
98
108
*`auth.providers.oidc.logout_endpoint_query_parameters``(string[] : [])` - The query parameters that will be used to redirect the user to the OIDC provider after logout, e.g. `["returnTo", "https://<lakefs.ingress.domain>/oidc/login"]`
99
-
*`auth.providers.oidc.logout_client_id_query_parameter``(string : '')` - The claim name that represents the client identifier in the OIDC provider
100
-
*`auth.providers.oidc.additional_scope_claims``(string[] : '[]')` - Specifies optional requested permissions, other than `openid` and `profile` that are being used
101
-
*`auth.providers.oidc.post_login_redirect_url``(string : '')` - The URL to redirect users to after successful OIDC authentication, e.g. `'http://localhost:8000/'`
102
-
103
-
### auth.external
104
-
105
-
Configuration section for the external authentication methods
106
-
107
-
#### auth.external.aws_auth
108
-
109
-
Configuration section for authenticating to lakeFS using AWS presign get-caller-identity request: [External Principals AWS Auth](../security/external-principals-aws.md)
110
-
111
-
*`auth.external.aws_auth.enabled``(bool : false)` - If true, external principals API will be enabled, e.g auth service and login api's
112
-
*`auth.external.aws_auth.get_caller_identity_max_age``(duration : 15m)` - The maximum age in seconds for the GetCallerIdentity request to be valid, the max is 15 minutes enforced by AWS, smaller TTL can be set
113
-
*`auth.external.aws_auth.valid_sts_hosts``([]string)` - The default are all the valid AWS STS hosts (`sts.amazonaws.com`, `sts.us-east-2.amazonaws.com` etc.)
114
-
*`auth.external.aws_auth.required_headers``(map[string]string : )` - Headers that must be present by the client when doing login request. For security reasons it is recommended to set `X-LakeFS-Server-ID: <lakefs.ingress.domain>`, lakeFS clients assume that's the default
115
-
*`auth.external.aws_auth.optional_headers``(map[string]string : )` - Optional headers that can be present by the client when doing login request
116
-
*`auth.external.aws_auth.http_client.timeout``(duration : 10s)` - The timeout for the HTTP client used to communicate with AWS STS
117
-
*`auth.external.aws_auth.http_client.skip_verify``(bool : false)` - Skip SSL verification with AWS STS
109
+
*`auth.providers.oidc.logout_client_id_query_parameter``(string : "")` - The claim name that represents the client identifier in the OIDC provider
110
+
*`auth.providers.oidc.additional_scope_claims``(string[] : [])` - Specifies optional requested permissions, other than `openid` and `profile` that are being used
111
+
*`auth.providers.oidc.post_login_redirect_url``(string : "")` - The URL to redirect users to after successful OIDC authentication, e.g. `'http://localhost:8000/'`
112
+
113
+
#### auth.external_aws_auth
114
+
115
+
Configuration section for authentication to lakeFS using the AWS presigned get-caller-identity request:
*`auth.external_aws_auth.enabled``(bool : false)` - If true, external principals API will be enabled, e.g auth service and login api's
119
+
*`auth.external_aws_auth.get_caller_identity_max_age``(time duration : 15m)` - The maximum age in seconds for the GetCallerIdentity request to be valid, the max is 15 minutes enforced by AWS, smaller TTL can be set
120
+
*`auth.external_aws_auth.valid_sts_hosts``(string[] : [])` - The default are all the valid AWS STS hosts (`sts.amazonaws.com`, `sts.us-east-2.amazonaws.com` etc.)
121
+
*`auth.external_aws_auth.required_headers``(map[string]string : {})` - Headers that must be present by the client when doing login request. For security reasons it is recommended to set `X-LakeFS-Server-ID: <lakefs.ingress.domain>`, lakeFS clients assume that's the default
122
+
*`auth.external_aws_auth.optional_headers``(map[string]string : {})` - Optional headers that can be present by the client when doing login request
123
+
*`auth.external_aws_auth.http_client.timeout``(time duration : 10s)` - The timeout for the HTTP client used to communicate with AWS STS
124
+
*`auth.external_aws_auth.http_client.skip_verify``(bool : false)` - Skip SSL verification with AWS STS
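Review bot: renaming `auth.external.aws_auth.*` to `auth.external_aws_auth.*` (and dropping the `### auth.external` section) changes config keys that existing deployments already set; the doc should say whether the old keys are still read, rejected, or silently ignored, since silently ignoring them would leave `enabled` and `required_headers` unset without any error. The lead-in `Configuration section for authentication to lakeFS using the AWS presigned get-caller-identity request:` lost the `[External Principals AWS Auth](../security/external-principals-aws.md)` link it carried before and now ends in a colon with the first bullet directly under it; restore the link and the blank line. For `required_headers`, the server default is now shown as `{}` while the text says clients assume `X-LakeFS-Server-ID` is the default; make explicit that the server requires no header unless this map is set, so the recommended header only takes effect once configured. `http_client.skip_verify` should be worded like `idp_skip_verify_tls_cert` (`Insecure skip verification ...`) rather than a neutral `Skip SSL verification`, since it disables certificate verification toward STS, the service whose answer the login trusts. Small: `login api's` should be `login APIs`, and `maximum age in seconds` does not fit a `time duration` default of `15m`.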