Single Sign-On (SSO)

ALTCHA Sentinel supports Single Sign-On (SSO) integration with multiple providers using OpenID Connect (OIDC) or LDAP protocols.

Supported SSO Providers

OpenID Connect (OIDC)

The following OIDC providers are currently supported: Azure AD, Google Workspace, Keycloak and Okta. The configuration string for each is shown below.

Configuration Requirements

All OIDC providers require:

  • clientId - Your application’s client identifier
  • clientSecret - Your application’s secret key

Obtain these credentials from your provider’s administration console before configuration.

Azure AD

SSO_AZURE=?clientId={clientId}&clientSecret={clientSecret}

Google Workspace

SSO_GOOGLE=?clientId={clientId}&clientSecret={clientSecret}

Keycloak

SSO_KEYCLOAK=https://your-keycloak-domain:8080/?realm={realm}&clientId={clientId}&clientSecret={clientSecret}

Okta

SSO_OKTA=https://{your-account}.okta.com/?clientId={clientId}&clientSecret={clientSecret}

LDAP/Active Directory

For LDAP-based authentication:

SSO_LDAP=ldap://your-ldap-server:389?userDn=dc=your-domain,dc=com

Example configuration using a public test server:

SSO_LDAP=ldap://ldap.forumsys.com:389?userDn=dc=example,dc=com&name=SSO

Supported parameters:

  • adminDn – Distinguished Name (DN) of the LDAP administrator. Optional.
  • adminPassword – Password for adminDn. Required if adminDn is provided.
  • userDn – User DN template. Supports the placeholder USERNAME, which is replaced with the actual username at runtime.
  • usernameAttribute – Attribute used to match the username in equality searches. Default: uid.
  • userSearchBase – Base DN used for user searches. Required when adminDn is configured.
  • name – Display name of the SSO method shown on the login screen.
  • starttls – Enable StartTLS. Use only with ldap:// URLs (not with ldaps://).
  • groupsSearchBase – Base DN used to search for groups associated with the authenticated user. Must be specified together with groupClass.
  • groupClass – objectClass value used in the group search filter. Must be specified together with groupsSearchBase.
  • groupMemberAttribute – Group attribute used to represent membership (for example, member). Defaults to member if not specified. Requires groupClass and groupsSearchBase.
  • groupMemberUserAttribute – Attribute on the user object used when evaluating group membership (for example, dn). Defaults to dn if not specified. Requires groupClass and groupsSearchBase.
  • rejectUnauthorized – When using TLS, determines whether the server certificate must be validated. Set to false to allow self-signed or untrusted certificates. With validation disabled the client will also accept a certificate presented by an interposed host, so for self-signed deployments prefer supplying the signing CA through SSO_LDAP_SSL_CA (below) and leaving validation enabled.

Custom TLS/SSL certificates can be provided using the following ENV variables:

  • SSO_LDAP_SSL_CA
  • SSO_LDAP_SSL_CERT
  • SSO_LDAP_SSL_KEY
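The parameter rules above are easy to get wrong in a long connection string, so here is an added Python linter (example code, not part of ALTCHA Sentinel) that checks an SSO_LDAP value against them: the "requires" table is transcribed from the parameter list, and the clear-text warning for ldap:// without starttls is this example's own addition rather than a documented rule.

```python
"""Lint an ALTCHA Sentinel SSO_LDAP value against the parameter rules documented above."""
from urllib.parse import parse_qsl, urlsplit

# Parameters the page documents for SSO_LDAP.
KNOWN_PARAMS = {
    "adminDn", "adminPassword", "userDn", "usernameAttribute", "userSearchBase",
    "name", "starttls", "groupsSearchBase", "groupClass", "groupMemberAttribute",
    "groupMemberUserAttribute", "rejectUnauthorized",
}

# "X requires Y" rules transcribed from the parameter list (order is kept for stable output).
REQUIRES = {
    "adminDn": ("adminPassword", "userSearchBase"),
    "groupsSearchBase": ("groupClass",),
    "groupClass": ("groupsSearchBase",),
    "groupMemberAttribute": ("groupClass", "groupsSearchBase"),
    "groupMemberUserAttribute": ("groupClass", "groupsSearchBase"),
}


def lint_sso_ldap(value: str) -> list[str]:
    """Return findings ("error: ..." / "warning: ...") for an SSO_LDAP string; empty means clean."""
    findings = []
    parts = urlsplit(value)
    if parts.scheme not in ("ldap", "ldaps"):
        findings.append(f"error: URL scheme must be ldap or ldaps, got {parts.scheme!r}")
    if not parts.hostname:
        findings.append("error: missing LDAP server host")
    # parse_qsl splits each pair on the first '=', so DN values such as
    # dc=example,dc=com survive intact.
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    for key in params:
        if key not in KNOWN_PARAMS:
            findings.append(f"warning: unknown parameter {key!r}")
    for key, deps in REQUIRES.items():
        if key in params:
            for dep in deps:
                if dep not in params:
                    findings.append(f"error: {key} requires {dep}")
    if "starttls" in params and parts.scheme != "ldap":
        findings.append("error: starttls is only valid with ldap:// URLs, not ldaps://")
    if params.get("rejectUnauthorized", "").lower() == "false":
        findings.append("warning: rejectUnauthorized=false disables server certificate validation")
    # Not a documented rule: a plain ldap:// bind without StartTLS sends the
    # user's password in clear text, so flag it.
    if parts.scheme == "ldap" and "starttls" not in params:
        findings.append("warning: ldap:// without starttls sends bind credentials in clear text")
    return findings
```

Run it over the value you intend to deploy, e.g. `lint_sso_ldap(os.environ["SSO_LDAP"])`, and fix every "error:" line before enabling the method.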

Disabling Password Login

To enhance security, it is recommended to disable built-in password login by setting the environment variable PASSWORD_LOGIN_ENABLED=0. This restricts authentication to configured Single Sign-On (SSO) options only.

Support

For assistance with SSO configuration or troubleshooting, please contact support.

Remember that all SSO features require an Enterprise license.