<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Authentication on</title><link>/configuration/authentication/</link><description>Recent content in Authentication on</description><generator>Hugo</generator><language>en</language><atom:link href="/configuration/authentication/index.xml" rel="self" type="application/rss+xml"/><item><title>Google</title><link>/configuration/authentication/google/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>/configuration/authentication/google/</guid><description>&lt;h3 id="create-oauth-client"&gt;Create OAuth Client&lt;/h3&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt;
The instructions in this section are only needed when Google is used for authentication of the Atolio web application.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;Create a new project in the Google Cloud Console by visiting &lt;a href="https://console.cloud.google.com/cloud-resource-manager"&gt;https://console.cloud.google.com/cloud-resource-manager&lt;/a&gt; and clicking &lt;em&gt;CREATE PROJECT&lt;/em&gt;. Provide a project name (e.g. Atolio) and select the correct Organization and Location. Note the &lt;code&gt;Project ID&lt;/code&gt; field displayed below the &lt;code&gt;Project name&lt;/code&gt;. You&amp;rsquo;ll need this value when setting up Terraform later. Click &lt;em&gt;CREATE&lt;/em&gt;.&lt;/p&gt;</description></item><item><title>Keycloak</title><link>/configuration/authentication/keycloak/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>/configuration/authentication/keycloak/</guid><description>&lt;p&gt;Configure Keycloak as your identity provider for user authentication. Atolio signs users in using the OpenID Connect authorization code flow against a client you create in your Keycloak realm.&lt;/p&gt;
&lt;h3 id="create-oidc-client"&gt;Create OIDC Client&lt;/h3&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt;
The instructions in this section are only needed when Keycloak is used for authentication of the Atolio web application.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;ol&gt;
&lt;li&gt;Sign in to the Keycloak admin console and select the realm your users authenticate against from the realm selector in the top-left.&lt;/li&gt;
&lt;li&gt;Navigate to &amp;ldquo;Clients&amp;rdquo; and click &amp;ldquo;Create client&amp;rdquo;.&lt;/li&gt;
&lt;li&gt;Leave &amp;ldquo;Client type&amp;rdquo; set to &amp;ldquo;OpenID Connect&amp;rdquo;, enter a &amp;ldquo;Client ID&amp;rdquo; (e.g. &lt;code&gt;atolio&lt;/code&gt;), and click &amp;ldquo;Next&amp;rdquo;.&lt;/li&gt;
&lt;li&gt;Turn on &amp;ldquo;Client authentication&amp;rdquo; so the client is confidential and issues a client secret. Leave &amp;ldquo;Standard flow&amp;rdquo; enabled under &amp;ldquo;Authentication flow&amp;rdquo;; the other flows are not required. Click &amp;ldquo;Next&amp;rdquo;.&lt;/li&gt;
&lt;li&gt;Under &amp;ldquo;Valid redirect URIs&amp;rdquo;, add &lt;code&gt;https://search.example.com/auth/_callback&lt;/code&gt; (replace &lt;code&gt;search.example.com&lt;/code&gt; with your actual Atolio deployment URL; contact your Atolio onboarding support team if you need clarification on the correct URL).&lt;/li&gt;
&lt;li&gt;(Optional) Set &amp;ldquo;Valid post logout redirect URIs&amp;rdquo; and &amp;ldquo;Web origins&amp;rdquo; to &lt;code&gt;https://search.example.com&lt;/code&gt; to scope sign-out and CORS to your deployment.&lt;/li&gt;
&lt;li&gt;Click &amp;ldquo;Save&amp;rdquo;.&lt;/li&gt;
&lt;li&gt;Open the &amp;ldquo;Credentials&amp;rdquo; tab and copy the &amp;ldquo;Client secret&amp;rdquo;. Save it for later.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;The &lt;code&gt;profile&lt;/code&gt; and &lt;code&gt;email&lt;/code&gt; scopes are part of Keycloak&amp;rsquo;s default client scopes, so the realm already returns the claims Atolio needs. No custom scope or mapper configuration is required.&lt;/p&gt;</description></item><item><title>Microsoft Entra ID</title><link>/configuration/authentication/entraid/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>/configuration/authentication/entraid/</guid><description>&lt;p&gt;Configure Microsoft Entra ID as your identity provider for user authentication. This App Registration is specifically for authentication purposes and user/group identity mapping.&lt;/p&gt;
&lt;h3 id="create-new-app-registration"&gt;Create New App Registration&lt;/h3&gt;
&lt;ol&gt;
&lt;li&gt;Authenticate to the &lt;a href="https://portal.azure.com/#home"&gt;Azure Portal&lt;/a&gt; via your Microsoft Identity.&lt;/li&gt;
&lt;li&gt;Head over to &lt;a href="https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/RegisteredApps"&gt;App Registrations&lt;/a&gt;.&lt;/li&gt;
&lt;li&gt;Click &amp;ldquo;New Registration&amp;rdquo;:
&lt;ul&gt;
&lt;li&gt;Enter &amp;ldquo;Atolio Authentication&amp;rdquo; for the name.&lt;/li&gt;
&lt;li&gt;Ensure &amp;ldquo;Accounts in this organizational directory only&amp;rdquo; is selected from &lt;em&gt;Supported account types&lt;/em&gt;.&lt;/li&gt;
&lt;li&gt;Add a redirect URI &lt;code&gt;https://search.example.com/auth/_callback&lt;/code&gt; (replace &lt;code&gt;search.example.com&lt;/code&gt; with your actual Atolio deployment URL - contact your Atolio onboarding support team if you need clarification on the correct URL).&lt;/li&gt;
&lt;li&gt;Click &amp;ldquo;Register&amp;rdquo;.&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;You should now be on the page of your new app registration. In the &lt;em&gt;Essentials&lt;/em&gt; blade, locate the &amp;ldquo;Add a certificate or secret&amp;rdquo; link.&lt;/li&gt;
&lt;li&gt;Create a Client Secret for use with OIDC:
&lt;ul&gt;
&lt;li&gt;Select the &amp;ldquo;Client Secrets (0)&amp;rdquo; tab.&lt;/li&gt;
&lt;li&gt;Click &amp;ldquo;New Client Secret&amp;rdquo;.&lt;/li&gt;
&lt;li&gt;Enter &amp;ldquo;Atolio OIDC Authentication&amp;rdquo; for the description.&lt;/li&gt;
&lt;li&gt;Set desired expiry. Follow internal procedures for rotation.&lt;/li&gt;
&lt;li&gt;Copy the newly created &amp;ldquo;Value&amp;rdquo; of the Client Secret and store it in a safe place (e.g. 1Password). This will be referenced later for OIDC configuration.&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;Add a certificate for client authentication:
&lt;ul&gt;
&lt;li&gt;Obtain a &lt;code&gt;.PFX&lt;/code&gt; file that includes the public and private keys. The certificate key algorithm must be RSA. A private key password is optional, but recommended.&lt;/li&gt;
&lt;li&gt;Export the public key to a &lt;code&gt;.CER&lt;/code&gt; file.&lt;/li&gt;
&lt;li&gt;Select the &amp;ldquo;Certificates (0)&amp;rdquo; tab.&lt;/li&gt;
&lt;li&gt;Click &amp;ldquo;Upload certificate&amp;rdquo;.&lt;/li&gt;
&lt;li&gt;Enter &amp;ldquo;Atolio Client Authentication&amp;rdquo; for the description.&lt;/li&gt;
&lt;li&gt;Select the &lt;code&gt;.CER&lt;/code&gt; file and select &amp;ldquo;Add&amp;rdquo;.&lt;/li&gt;
&lt;li&gt;Export the &lt;code&gt;.PFX&lt;/code&gt; file contents to base 64 and store it in a safe place (e.g. 1Password). You can obtain the base 64 encoding from the command line with &lt;code&gt;cat my-cert.pfx | base64&lt;/code&gt;. This value will be referenced later for source configuration.&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;Add Microsoft Graph API Permissions:
&lt;ul&gt;
&lt;li&gt;In your App Registration, click &lt;strong&gt;&amp;ldquo;API permissions&amp;rdquo;&lt;/strong&gt; in the left menu&lt;/li&gt;
&lt;li&gt;Click &lt;strong&gt;&amp;ldquo;Add a permission&amp;rdquo;&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;Select &lt;strong&gt;&amp;ldquo;Microsoft Graph&amp;rdquo;&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;Click &lt;strong&gt;&amp;ldquo;Application permissions&amp;rdquo;&lt;/strong&gt; (not Delegated permissions)&lt;/li&gt;
&lt;li&gt;Add these permissions:&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;/ol&gt;
&lt;table&gt;
	&lt;thead&gt;
			&lt;tr&gt;
					&lt;th&gt;Permission&lt;/th&gt;
					&lt;th&gt;Purpose&lt;/th&gt;
			&lt;/tr&gt;
	&lt;/thead&gt;
	&lt;tbody&gt;
			&lt;tr&gt;
					&lt;td&gt;&lt;code&gt;Application.Read.All&lt;/code&gt;&lt;/td&gt;
					&lt;td&gt;Resolve service principals and applications&lt;/td&gt;
			&lt;/tr&gt;
			&lt;tr&gt;
					&lt;td&gt;&lt;code&gt;Group.Read.All&lt;/code&gt;&lt;/td&gt;
					&lt;td&gt;List Microsoft 365 and security groups&lt;/td&gt;
			&lt;/tr&gt;
			&lt;tr&gt;
					&lt;td&gt;&lt;code&gt;GroupMember.Read.All&lt;/code&gt;&lt;/td&gt;
					&lt;td&gt;Resolve group membership for ACL mapping&lt;/td&gt;
			&lt;/tr&gt;
			&lt;tr&gt;
					&lt;td&gt;&lt;code&gt;User.Read.All&lt;/code&gt;&lt;/td&gt;
					&lt;td&gt;Resolve user objects and properties&lt;/td&gt;
			&lt;/tr&gt;
			&lt;tr&gt;
					&lt;td&gt;&lt;code&gt;Directory.Read.All&lt;/code&gt;&lt;/td&gt;
					&lt;td&gt;Extended directory objects (optional*)&lt;/td&gt;
			&lt;/tr&gt;
	&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;*Optional: You can omit &lt;code&gt;Directory.Read.All&lt;/code&gt; and set &lt;code&gt;disable_full_permissions: true&lt;/code&gt; in your configuration for more restrictive access.&lt;/p&gt;</description></item><item><title>Okta</title><link>/configuration/authentication/okta/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>/configuration/authentication/okta/</guid><description>&lt;h3 id="create-oauth-client"&gt;Create OAuth Client&lt;/h3&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt;
The instructions in this section are only needed when Okta is used for authentication of the Atolio web application.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;ol&gt;
&lt;li&gt;Navigate to Applications in the Okta admin console (&lt;code&gt;https://example.okta.com/admin/apps/active&lt;/code&gt;).&lt;/li&gt;
&lt;li&gt;Click &amp;ldquo;Create App Integration&amp;rdquo;.&lt;/li&gt;
&lt;li&gt;Select &amp;ldquo;OIDC - OpenID Connect&amp;rdquo; from the list of Sign-in methods.&lt;/li&gt;
&lt;li&gt;Select &amp;ldquo;Web Application&amp;rdquo; from the list of Application types and hit &amp;ldquo;Next&amp;rdquo; to create the app.&lt;/li&gt;
&lt;li&gt;(Optional) Edit the name and provide the &lt;a href="https://atolio.s3.amazonaws.com/atolio-logo.png"&gt;Atolio logo&lt;/a&gt; for the app.&lt;/li&gt;
&lt;li&gt;Under &amp;ldquo;Grant type&amp;rdquo; &amp;ndash;&amp;gt; &amp;ldquo;Client acting on behalf of a user&amp;rdquo;, ensure that &amp;ldquo;Authorization Code&amp;rdquo; is enabled.&lt;/li&gt;
&lt;li&gt;Under &amp;ldquo;Sign-in redirect URIs&amp;rdquo;, add the URL &lt;code&gt;https://search.example.com/auth/_callback&lt;/code&gt; (note this is identical for Google).&lt;/li&gt;
&lt;li&gt;Under &amp;ldquo;Sign-out redirect URIs&amp;rdquo;, remove the default &lt;code&gt;http://localhost:8080&lt;/code&gt; URI.&lt;/li&gt;
&lt;li&gt;Under &amp;ldquo;Assignments&amp;rdquo;, choose who should have access to the Atolio app. This setting can be modified later. If you choose to &amp;ldquo;Skip group assignment for now&amp;rdquo;, remember to add yourself to the Assignments list in order to be able to sign-in.&lt;/li&gt;
&lt;li&gt;Click &amp;ldquo;Save&amp;rdquo;.&lt;/li&gt;
&lt;li&gt;Under &amp;ldquo;Client Credentials&amp;rdquo;, copy the &amp;ldquo;Client ID&amp;rdquo; &amp;amp; &amp;ldquo;Client Secret&amp;rdquo; and save them for later.&lt;/li&gt;
&lt;/ol&gt;
&lt;h3 id="setup-okta-connector"&gt;Setup Okta Connector&lt;/h3&gt;
&lt;p&gt;Once your Atolio infrastructure has been deployed, you will also need to setup the &lt;a href="/configuration/sources/okta/"&gt;Okta Connector&lt;/a&gt; to enable users and user mappings using an API token.&lt;/p&gt;</description></item></channel></rss>