2.7 KiB
2.7 KiB
title | description | lead | date | draft | images | menu | weight | toc | community | aliases | |||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Portainer | Integrating Portainer with the Authelia OpenID Connect Provider. | 2022-06-15T17:51:47+10:00 | false |
|
620 | true | true |
|
Tested Versions
Before You Begin
Common Notes
- You are required to utilize a unique client id for every client.
- The client id on this page is merely an example and you can theoretically use any alphanumeric string.
- You should not use the client secret in this example, We strongly recommend reading the [Generating Client Secrets] guide instead.
Assumptions
This example makes the following assumptions:
- Application Root URL:
https://portainer.example.com
- Authelia Root URL:
https://auth.example.com
- Client ID:
portainer
- Client Secret:
portainer_client_secret
Configuration
Application
To configure Portainer to utilize Authelia as an OpenID Connect Provider:
- Visit Settings
- Visit Authentication
- Set the following values:
- Authentication Method: OAuth
- Provider: Custom
- Enable Automatic User Provision if you want users to automatically be created in Portainer.
- Client ID:
portainer
- Client Secret:
portainer_client_secret
- Authorization URL:
https://auth.example.com/api/oidc/authorization
- Access Token URL:
https://auth.example.com/api/oidc/token
- Resource URL:
https://auth.example.com/api/oidc/userinfo
- Redirect URL:
https://portainer.example.com
- User Identifier:
preferred_username
- Scopes:
openid profile groups email
{{< figure src="portainer.png" alt="Portainer" width="736" style="padding-right: 10px" >}}
Authelia
The following YAML configuration is an example Authelia client configuration for use with Portainer which will operate with the above example:
- id: portainer
description: Portainer
secret: '$plaintext$portainer_client_secret'
public: false
authorization_policy: two_factor
redirect_uris:
- https://portainer.example.com
scopes:
- openid
- profile
- groups
- email
userinfo_signing_algorithm: none