
Authentication

  • TOWER_OIDC_CLIENT: The client ID provided by your authentication service.
  • TOWER_OIDC_SECRET: The client secret provided by your authentication service.
  • TOWER_OIDC_ISSUER: The authentication service URL to which Tower connects to authenticate the sign-in request, e.g. https://dev-886323.okta.com/oauth2/default.

In your OpenID provider settings, specify the following URL as the callback address or authorised redirect URI:

https://<YOUR HOST OR IP>/oauth/callback/oidc

Okta identity provider

To set up Okta as the OpenID provider, follow these steps:

  • Sign in to your Okta organization with your administrator account.
  • From the Admin Console side navigation, click Applications > Applications.
  • Click Add Application.
  • Click Create New App.
  • Select the OpenID Connect sign-on method.
  • Click Create.
  • Enter a name for your new app integration, e.g. Tower.
  • In the Configure OpenID Connect section, add the following redirect URIs:
    • Sign-in redirect URIs: https://<YOUR HOST OR IP>/oauth/callback/oidc
    • Sign-out redirect URIs: https://<YOUR HOST OR IP>/logout
  • Click Save.

Okta automatically navigates to the settings of your new application. Use these details to complete the Tower configuration by specifying the following variables:

  • TOWER_OIDC_CLIENT: Copy from the Client ID field in the Client Credentials section of the General tab for the corresponding app client configuration.
  • TOWER_OIDC_SECRET: Copy from the Client secret field in the Client Credentials section of the General tab for the corresponding app client configuration.
  • TOWER_OIDC_ISSUER: Copy the Okta issuer URL from the OpenID Connect ID Token section of the Sign On tab for the corresponding app client configuration.

Check the OpenID Connect section above for details.

GitHub identity provider

To use GitHub as the SSO provider for Tower, register your Tower instance as a GitHub OAuth App in your organization settings page, e.g. https://github.com/organizations/{YOUR-ORGANIZATION}/settings/applications.

When creating the OAuth App, specify the following path as the callback URL: https://{your-deployment-domain-name}/oauth/callback/github (replacing the {your-deployment-domain-name} placeholder with the domain name of your deployment).

Finally, include the following variables in the backend environment configuration:

  • TOWER_GITHUB_CLIENT: The client ID provided by GitHub when registering the new OAuth App.
  • TOWER_GITHUB_SECRET: The client secret provided by GitHub when registering the new OAuth App.

Google identity provider

To use Google as the SSO provider for Tower:

  • Visit https://console.developers.google.com and create a new project.
  • From the sidebar, click the Credentials tab.
  • Click Create credentials and choose OAuth client ID from the dropdown.
  • On the next page, select the Web Application type.
  • Enter the redirect URL: https://{your-deployment-domain-name}/oauth/callback/google (replacing the {your-deployment-domain-name} placeholder with the domain name of your deployment).
  • Confirm the operation. You will then receive a Client ID and a Client secret.

Finally, include the Client ID and Client secret in the following variables in the Tower backend environment configuration:

  • TOWER_GOOGLE_CLIENT: The client ID provided by Google in the above steps.
  • TOWER_GOOGLE_SECRET: The client secret provided by Google in the above steps.

Keycloak identity provider

To use Keycloak as the identity provider for Tower, configure a new client in your Keycloak service following these steps:

  • In the Realm settings, make sure the Endpoints field includes "OpenID Endpoint Configuration".
  • Open the Clients page and click Create to set up a new client for Tower.
  • In the Settings tab, make sure to include the following fields:
    • Client Id: tower for the sake of this tutorial, or any other Id of your choice
    • Enabled: ON
    • Client Protocol: openid-connect
    • Access Type: confidential
    • Standard Flow Enabled: ON
    • Implicit Flow Enabled: OFF
    • Direct Access Grants Enabled: ON
    • Valid Redirect URIs: https://<YOUR HOST OR IP>/oauth/callback/oidc, e.g. http://localhost:8000/oauth/callback/oidc
    • Click Save
  • In the Credentials tab, take note of the Secret field.
  • In the Keys tab, make sure the Use JWKS URL field is OFF.

Complete the setup on the Tower side by adding the following environment variables to your configuration:

  • TOWER_OIDC_CLIENT: The client Id assigned in the above client setup, e.g. tower.
  • TOWER_OIDC_SECRET: The content of the Secret field assigned in the above client setup.
  • TOWER_OIDC_ISSUER: The Keycloak issuer URL. You can find it in the Realm Settings page by clicking OpenID Endpoint Configuration in the Endpoints field. It shows a JSON payload; copy and paste the value associated with the issuer entry, e.g. http://localhost:9000/auth/realms/master.

Azure AD OIDC integration

To use Azure AD as the OIDC identity provider for Tower, configure a new client in your Azure AD service following these steps:

  1. Log in to Azure portal.
  2. Go to Azure Active Directory service.
  3. Click Manage Tenants
  4. Create a new Tenant (e.g. NextflowTowerOrg)
  5. Switch into the newly-created Tenant
  6. Go to App Registrations
  7. Click New Registration
    1. Give name to application
    2. Specify scope of user verification (e.g. single tenant, multi-tenant, personal MSFT accounts, etc).
  8. Specify the Redirect (callback) URI (NOTE: Microsoft requires that this URI uses HTTPS)

  9. Open the newly-created app:

    1. Note the Application (client) ID under the Essentials table
    2. Generate Client credentials under the Essentials table
    3. Click Endpoints and note the OpenID Connect metadata document URI
  10. Add users to your tenant as required.

  11. Complete the setup on the Tower side by adding the following environment variables to your configuration:

    TOWER_OIDC_CLIENT=<YOUR_APPLICATION_ID>
    TOWER_OIDC_SECRET=<YOUR_CLIENT_CREDENTIALS_SECRET>
    TOWER_OIDC_ISSUER=<YOUR_OIDC_METADATA_URL_UP_TO_"v2.0">   (e.g. https://login.microsoftonline.com/000000-0000-0000-00-0000000000000/v2.0)
    
  12. Add auth-oidc to the end of the MICRONAUT_ENVIRONMENTS value for both the cron and backend services.
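The Keycloak and Azure AD sections above both ask you to copy an issuer URL by hand, and the Azure note about stopping at v2.0 hints at the usual failure mode: the value in TOWER_OIDC_ISSUER must be identical to the issuer string published in the provider's discovery document. The following is an added example, not Tower's own code, that derives the discovery URL from an issuer and validates a discovery document against the configured value; the two discovery documents and the tenant id are constructed samples.

```python
import json
from urllib.parse import urlparse

# Constructed sample discovery documents (what an issuer's
# /.well-known/openid-configuration returns), shaped like a Keycloak realm
# and an Azure AD v2.0 tenant. They are not copied from any real provider.
KEYCLOAK_DOC = json.dumps({
    "issuer": "http://localhost:9000/auth/realms/master",
    "authorization_endpoint": "http://localhost:9000/auth/realms/master/protocol/openid-connect/auth",
    "token_endpoint": "http://localhost:9000/auth/realms/master/protocol/openid-connect/token",
    "jwks_uri": "http://localhost:9000/auth/realms/master/protocol/openid-connect/certs",
})
AZURE_TENANT = "00000000-0000-0000-0000-000000000000"  # placeholder tenant id
AZURE_DOC = json.dumps({
    "issuer": f"https://login.microsoftonline.com/{AZURE_TENANT}/v2.0",
    "authorization_endpoint": f"https://login.microsoftonline.com/{AZURE_TENANT}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{AZURE_TENANT}/oauth2/v2.0/token",
    "jwks_uri": f"https://login.microsoftonline.com/{AZURE_TENANT}/discovery/v2.0/keys",
})


def discovery_url(issuer):
    """Location an OIDC client fetches metadata from for a given issuer."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def check_issuer(configured_issuer, discovery_json):
    """Return the list of problems with a TOWER_OIDC_ISSUER value; [] means OK.

    OIDC Discovery requires the 'issuer' in the metadata to be identical to the
    URL the client was configured with, so a trailing slash or a missing '/v2.0'
    (the Azure case) is reported as a mismatch rather than silently accepted.
    """
    problems = []
    doc = json.loads(discovery_json)
    if urlparse(configured_issuer).scheme != "https":
        problems.append("issuer is not https")
    if doc.get("issuer") != configured_issuer:
        problems.append(f"issuer mismatch: metadata says {doc.get('issuer')!r}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if key not in doc:
            problems.append(f"metadata lacks {key}")
    return problems


if __name__ == "__main__":
    for issuer, doc in [(f"https://login.microsoftonline.com/{AZURE_TENANT}/v2.0", AZURE_DOC),
                        (f"https://login.microsoftonline.com/{AZURE_TENANT}", AZURE_DOC),
                        ("http://localhost:9000/auth/realms/master", KEYCLOAK_DOC)]:
        print(issuer, "->", check_issuer(issuer, doc) or "OK")
```

Against a live provider, fetch discovery_url(issuer) and pass the response body as the second argument; the Keycloak localhost value from the tutorial is flagged only because it is plain http.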

Configure user access allow list

When using a public authentication provider such as Google or GitHub, you may need to restrict access to specific user email addresses or domains.

Add the following snippet to the file /tower.yml:

tower:
  auth:
    <PROVIDER>:
      allow-list:
        - "*@foo.com"
        - "me@bar.com"

Replace the <PROVIDER> placeholder with github, google or oidc (if you use more than one provider, define the allow list once for each of them).

The allow list entries are case-insensitive.
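To make the effect of the snippet above concrete, here is an added Python example, not Tower's own code, that evaluates email addresses against an allow list in the same shape, case-insensitively as the text states, and contrasts it with a bare domain-suffix check that accepts addresses it should not. The glob reading of * (any run of characters) and the exact matching rules beyond case-insensitivity are assumptions of this example.

```python
import re

# Constructed allow list in the shape of the tower.yml snippet above. Treating
# '*' as "any run of characters" and everything else as literal is an assumption.
ALLOW_LIST = ["*@foo.com", "me@bar.com"]


def entry_to_regex(entry):
    """Compile one allow-list entry into a case-insensitive pattern.

    Escaping the literal parts keeps '.' in 'foo.com' from matching any character,
    and fullmatch (below) anchors both ends so the domain cannot be extended.
    """
    parts = [re.escape(p) for p in entry.split("*")]
    return re.compile(".*".join(parts), re.IGNORECASE)


def is_allowed(email, allow_list):
    """True if the (whitespace-trimmed) email matches at least one entry."""
    email = email.strip()
    return any(entry_to_regex(e).fullmatch(email) for e in allow_list)


def naive_allowed(email, allow_list):
    """A tempting but wrong implementation: treats the domain as a bare suffix."""
    email = email.strip().lower()
    for entry in allow_list:
        local, domain = entry.lower().split("@", 1)
        if local == "*" and email.endswith(domain):
            return True
        if local != "*" and email == entry.lower():
            return True
    return False


if __name__ == "__main__":
    for addr in ["Alice@Foo.COM", "ME@bar.com", "someone@bar.com",
                 "x@notfoo.com", "evil@foo.com.attacker.example"]:
        print(f"{addr:32} allowed={is_allowed(addr, ALLOW_LIST)} "
              f"naive={naive_allowed(addr, ALLOW_LIST)}")
```

The x@notfoo.com line is the one to watch: the suffix check lets it through while the anchored pattern rejects it.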
