Skip to main content
Version: 23.2

Authentication

Seqera Platform supports email and various OAuth providers for login authentication.

Platform login sessions remain active as long as the application browser window remains open and active. When the browser window is terminated, automatic logout occurs within 6 hours by default.

OpenID Connect configuration

Seqera Enterprise can be configured to integrate with several authentication providers to enable single sign-on (SSO) login.

Configure OIDC authentication with the following environment variables:

  • TOWER_OIDC_CLIENT: The client ID provided by your authentication service.
  • TOWER_OIDC_SECRET: The client secret provided by your authentication service.
  • TOWER_OIDC_ISSUER: The authentication service URL to which Tower connects to authenticate the sign-in request e.g. https://dev-886323.okta.com/oauth2/default.

Some providers require the full authentication service URL (such as the OKTA example above), while others require only the SSO root domain (without the trailing sub-directories).

In your OpenID provider settings, specify the following URL as callback address or authorised redirect:

https://<YOUR HOST OR IP>/oauth/callback/oidc

Okta identity provider

To setup Okta as the OpenID provider:

  • Sign in to your Okta organization with your administrator account.
  • From the Admin Console side navigation, click Applications > Applications.
  • Select Add Application.
  • Select Create New App.
  • Select the OpenID Connect sign-on method.
  • Select Create.
  • Enter a name for your new app integration e.g. Tower.
  • In the Configure OpenID Connect, add the following redirect URIs.
    • Sign-in redirect URIs : https://<YOUR HOST OR IP>/oauth/callback/oidc
    • Sign-out redirect URIs : https://<YOUR HOST OR IP>/logout
  • Select Save.

Okta app automatically navigates to your new application settings. You can use these details to complete the Tower configuration by specifying the following variables:

  • TOWER_OIDC_CLIENT : Copy from Client ID field in the Client Credentials section within the General tab for the corresponding app client configuration.
  • TOWER_OIDC_SECRET: Copy from Client secret field in the Client Credentials section within the General tab for the corresponding app client configuration.
  • TOWER_OIDC_ISSUER : Copy the Okta issuer URL, in the OpenID Connect ID Token section in the Sign On tab for the corresponding app client configuration.

Check the OpenID Connect section above for details.

GitHub identity provider

To use GitHub as SSO provider for Tower, register your Tower instance as a GitHub OAuth App in your organization settings page, e.g., https://github.com/organizations/{YOUR-ORGANIZATION}/settings/applications.

When creating the OAuth App specify the following path as callback URL: https://{your-deployment-domain-name}/oauth/callback/github (replacing the {your-deployment-domain-name} placeholder with the domain name of your deployment).

Finally include the following variable in the backend environment configuration:

  • TOWER_GITHUB_CLIENT: The client id provided by GitHub when register the new OAuth App.
  • TOWER_GITHUB_SECRET: The client secret provided by GitHub when register the new OAuth App.

Google identity provider

To use Google as SSO provider for Tower:

  • Visit https://console.developers.google.com and create a new project
  • From the sidebar, click the Credentials tab
  • Select Create credentials and choose OAuth client ID from the drop-down
  • On the next page, select Web Application type
  • Enter the redirect URL: https://{your-deployment-domain-name}/oauth/callback/google (replacing the {your-deployment-domain-name} placeholder with the domain name of your deployment).
  • Confirm the operation. You will then receive a Client ID and secret ID.

Finally, include the Client ID and Secret ID in following variables in the Tower backend environment configuration:

  • TOWER_GOOGLE_CLIENT: The client id provided by Google in the above steps.
  • TOWER_GOOGLE_SECRET: The client secret provided by Google in the above steps.

Keycloak identity provider

To use Keycloak as identity provider for Tower, configure in your Keycloak service a new client following these steps:

  • In the Realm settings make sure the Endpoints field include "OpenID Endpoint Configuration"
  • Open the Client page and click *Create" to setup a new client for Tower
  • In the Settings tag, make sure to include the following fields
    • Client Id: tower for the sake of this tutorial or any other Id of your choice
    • Enabled: ON
    • Client Protocol: openid-connect
    • Access Type: confidential
    • Standard Flow Enabled: ON
    • Implicit Flow Enabled: OFF
    • Direct Access Grants Enabled: ON
    • Valid Redirect URIs: https:///<YOUR HOST>//oauth/callback/oidc e.g. http://localhost:8000/oauth/callback/oidc
    • Click Save
  • In the Credentials tab, take note of the Secret field.
  • In the Keys tab, make sure the field Use JWKS URL is OFF.

Complete the setup on Tower side adding the following environment variables to your configuration:

  • TOWER_OIDC_CLIENT: The client Id assigned to the above client setup e.g. tower.
  • TOWER_OIDC_SECRET: The content of the Secret field assigned in the above client setup.
  • TOWER_OIDC_ISSUER: The Keycloak issuer URL, you can find it in the Realm Settings page and clicking on the OpenID Configuration in the Endpoints field. It shows a JSON payload, copy & paste the value associated to the entry issues, e.g. http://localhost:9000/auth/realms/master.

Azure AD OIDC integration

To make use of Azure AD for the OIDC as identity provider for Tower, configure a new client in your Azure AD service:

  1. Log in to the Azure portal.
  2. Navigate to the Azure Active Directory service.
  3. Select Manage Tenants.
  4. Create a new Tenant (e.g. NextflowTowerOrg).
  5. Navigate to the newly-created Tenant.
  6. Go to App Registrations.
  7. Click New Registration.
    1. Enter a name for the application.
    2. Specify the scope of user verification (e.g. single tenant, multi-tenant, personal MSFT accounts, etc).

The Azure AD app must have user consent settings configured to "Allow user consent for apps" to ensure that admin approval is not required for each application login. See User consent settings.

  1. Specify the Redirect (callback) URI (NOTE: Microsoft requires that this URI uses HTTPS)

  2. Open the newly-created app:

    1. Note the Application (client) ID under the Essentials table
    2. Generate Client credentials under the Essentials table
    3. Click Endpoints and note the OpenID Connect metadata document URI
  3. Add users to your tenant as required.

  4. Complete the setup on Tower side adding the following environment variables to your configuration:

    TOWER_OIDC_CLIENT=<YOUR_APPLICATION_ID>
    TOWER_OIDC_SECRET=<YOUR_CLIENT_CREDENTIALS_SECRET>
    TOWER_OIDC_ISSUER=<YOUR_OIDC_METADATA_URL_UP_TO_"v2.0"> (e.g. https://login.microsoftonline.com/000000-0000-0000-00-0000000000000/v2.0)
  5. Add auth-oidc to the end of the MICRONAUT_ENVIRONMENTS value for both the cron and backend services.

Configure user access allow list

When using a public authentication provider such as Google or GitHub, you may need to restrict the access to specific user email addresses or domains.

Replace the <PROVIDER> placeholder with github, google, or oidc (oidc is used to specify any other authentication service based on OpenID Connect, e.g. Okta, AzureAD, Keycloak, etc.). You will need to include each provider separately, if specifying more than one.

The allow list entries are case-insensitive.

Environment variables
TOWER_AUTH_<PROVIDER>_ALLOW_LIST=*@foo.com,user1@bar.com
tower.yml
tower:
auth:
<PROVIDER>:
allow-list:
- "*@foo.com"
- "me@bar.com"