Single Sign-On (SSO)

ALTCHA Sentinel supports Single Sign-On (SSO) integration with multiple providers using OpenID Connect (OIDC) or LDAP protocols.

Supported SSO Providers

OpenID Connect (OIDC)

The following OIDC providers are currently supported: Azure, Google Workspace, Keycloak, and Okta. Each is configured through its own environment variable, described below.

Configuration Requirements

All OIDC providers require:

  • clientId - Your application’s client identifier
  • clientSecret - Your application’s secret key

Obtain these credentials from your provider’s administration console before configuration.

Azure

SSO_AZURE=?clientId={clientId}&clientSecret={clientSecret}

Callback URL: /v1/oauth/azure/callback

Azure App Registration for OIDC (Microsoft Entra admin center)

  1. Register Application
  • Identity > Applications > App registrations > New registration.
  • Supported account types: Select Accounts in this organizational directory only (Single tenant).
  • Redirect URI: Select Web and enter your callback (e.g., https://sentinel.example.com/v1/oauth/azure/callback).
  2. Collect Credentials
  • Client ID (Application (client) ID): Copy this from the Overview tab.
  • Client Secret: Certificates & secrets > New client secret. Copy the Value (not the ID) immediately; it is shown only once.
  3. Authentication Settings
  • Go to Authentication.
  • Under Implicit grant and hybrid flows, check ID tokens.
  • Click Save.
  4. API Permissions
  • API permissions > Add a permission > Microsoft Graph > Delegated permissions.
  • Select openid, profile, and email.
  • Click Grant admin consent for [Company Name] to ensure users are not prompted for permission.

Google Workspace

SSO_GOOGLE=?clientId={clientId}&clientSecret={clientSecret}

Callback URL: /v1/oauth/google/callback

Keycloak

SSO_KEYCLOAK=https://your-keycloak-domain:8080/?realm={realm}&clientId={clientId}&clientSecret={clientSecret}

Callback URL: /v1/oauth/google/callback

Okta

SSO_OKTA=https://{your-account}.okta.com/?clientId={clientId}&clientSecret={clientSecret}

Callback URL: /v1/oauth/okta/callback

LDAP/Active Directory

For LDAP-based authentication:

SSO_LDAP=ldap://your-ldap-server:389?userDn=dc=your-domain,dc=com

Example configuration using public test server:

SSO_LDAP=ldap://ldap.forumsys.com:389?userDn=dc=example,dc=com&name=SSO

Supported parameters:

  • adminDn – Distinguished Name (DN) of the LDAP administrator. Optional.
  • adminPassword – Password for adminDn. Required if adminDn is provided.
  • userDn – User DN template. Supports the placeholder USERNAME, which is replaced with the actual username at runtime.
  • username – Optional username which overrides the user-provided username. Supports the placeholder USERNAME.
  • usernameAttribute – Attribute used to match the username in equality searches. Default: uid.
  • userSearchBase – Base DN used for user searches. Required when adminDn is configured.
  • name – Display name of the SSO method shown on the login screen.
  • starttls – Enable StartTLS. Use only with ldap:// URLs (not with ldaps://).
  • groupsSearchBase – Base DN used to search for groups associated with the authenticated user. Must be specified together with groupClass.
  • groupClass – objectClass value used in the group search filter. Must be specified together with groupsSearchBase.
  • groupMemberAttribute – Group attribute used to represent membership (for example, member). Defaults to member if not specified. Requires groupClass and groupsSearchBase.
  • groupMemberUserAttribute – Attribute on the user object used when evaluating group membership (for example, dn). Defaults to dn if not specified. Requires groupClass and groupsSearchBase.
  • rejectUnauthorized – When using TLS, determines whether the server certificate must be validated. Set to false to allow self-signed or untrusted certificates; note that this disables certificate validation entirely, so prefer providing the CA via SSO_LDAP_SSL_CA instead.
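As an added illustration of how the parameters above fit together (this is example code, not Sentinel's own implementation), the following parses an SSO_LDAP value, enforces the documented dependencies between parameters, and fills the USERNAME placeholder and search filters with escaped values so a submitted username cannot add DN components or filter terms. The assumed behaviour when no USERNAME placeholder is present is simply to return the template unchanged.

```javascript
// Example only (not ALTCHA Sentinel code): validate an SSO_LDAP URL and
// build the bind DN and search filters from the documented parameters.
const DEFAULTS = { usernameAttribute: 'uid', groupMemberAttribute: 'member',
                   groupMemberUserAttribute: 'dn' };

// RFC 4514 escaping for a value placed inside a DN.
function escapeDn(v) {
  return v.replace(/([\\,+"<>;=#])/g, '\\$1').replace(/^ /, '\\ ').replace(/ $/, '\\ ');
}
// RFC 4515 escaping for a value placed inside a search filter.
function escapeFilter(v) {
  return v.replace(/[\\*()\0]/g, c => '\\' + c.charCodeAt(0).toString(16).padStart(2, '0'));
}

function parseSsoLdap(value) {
  const url = new URL(value);
  if (url.protocol !== 'ldap:' && url.protocol !== 'ldaps:') {
    throw new Error('SSO_LDAP must use ldap:// or ldaps://');
  }
  const cfg = { ...DEFAULTS, server: `${url.protocol}//${url.host}`, warnings: [] };
  for (const [k, v] of url.searchParams) cfg[k] = v;   // query string carries the parameters
  const errors = [];
  if (cfg.adminDn && !cfg.adminPassword) errors.push('adminPassword is required with adminDn');
  if (cfg.adminDn && !cfg.userSearchBase) errors.push('userSearchBase is required with adminDn');
  if (Boolean(cfg.groupsSearchBase) !== Boolean(cfg.groupClass)) {
    errors.push('groupsSearchBase and groupClass must be set together');
  }
  if (cfg.starttls === 'true' && url.protocol === 'ldaps:') errors.push('starttls is only valid with ldap://');
  if (cfg.rejectUnauthorized === 'false') cfg.warnings.push('TLS server certificate is not validated');
  if (errors.length) throw new Error(errors.join('; '));
  return cfg;
}

// Bind DN: apply the optional `username` override, then fill USERNAME in userDn.
function bindDn(cfg, username) {
  const effective = (cfg.username || 'USERNAME').replaceAll('USERNAME', username);
  return cfg.userDn.replaceAll('USERNAME', escapeDn(effective));
}
// Equality search used in adminDn mode, rooted at userSearchBase.
function userSearchFilter(cfg, username) {
  return `(${cfg.usernameAttribute}=${escapeFilter(username)})`;
}
// Group lookup; userValue is the user's groupMemberUserAttribute (dn by default).
function groupSearchFilter(cfg, userValue) {
  return `(&(objectClass=${cfg.groupClass})(${cfg.groupMemberAttribute}=${escapeFilter(userValue)}))`;
}
```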

Custom TLS/SSL certificates can be provided using the following ENV variables:

  • SSO_LDAP_SSL_CA
  • SSO_LDAP_SSL_CERT
  • SSO_LDAP_SSL_KEY

Disabling Password Login

To enhance security, it is recommended to disable built-in password login by setting the environment variable PASSWORD_LOGIN_ENABLED=0. This restricts authentication to configured Single Sign-On (SSO) options only.

Support

For assistance with SSO configuration or troubleshooting, please contact support.

Remember that all SSO features require an Enterprise license.