OpenID Authentication

Kasm can utilize external authentication providers using OpenID Connect (OIDC).

Warning

Be mindful when configuring OpenID providers that may configurations that are open to the general public (e.g Google, Github). Any user that can successfully auth with the provider, will have access to the Kasm application.

../_images/login.png

Configuration

OpenID configuration can be found under the Authentication tab in the Admin Navigation Bar.

Property

Description

Display Name

This name is displayed on the login page to represent the authentication provider. (e.g Continue with Github)

Logo URL

A URL to a login logo image for the authentication provider. (e.g https://github.com/favicon.ico)

Enabled

When checked this configuration will be active.

Auto Login

When checked, the user will be automatically navigated to the OIDC provider when they view the login screen. This only applies if a single authentication provider is visible. If this configuration is set, the fixed login page (without redirection) can be accessed via /#/staticlogin

Hostname

The URL hostname (e.g kasm.example.com) of the deployment. This OIDC config will only be displayed when the deployment is accessed via this URL host name. This allows for a single deployment to service multiple tenants who may need different OIDC configurations. If Default is defined, this config will apply regardless of the host name.

Default

If checked this OIDC config will be shown on the login screen of the deployment when access with any hostname, unless another config is defined with the specific hostname.

Client ID

The Client ID received from the authentication provider.

Client Secret

The Client Secret received from the authentication provider.

Authorization URL

The authorization url for the authentication provider. (e.g https://github.com/login/oauth/authorize)

Token URL

The token url for the authentication provider. (e.g https://github.com/login/oauth/access_token)

User Info URL

The user info url for the authentication provider. (e.g https://api.github.com/user). This service will be queried if the Username Attribute or Groups Attribute are no provided by the identity provider in the id or access tokens.

Scope

The OIDC Scopes for the authentication provider. Enter one scope per line. e.g: openid email

Username Attribute

The attribute from the authentication provider to use for the username within Kasm (e.g email). The system will search the access_token, id_token and user_info api for this property.

Groups Attribute

The attribute from the authentication provider to user for group membership mapping within Kasm (e.g groups). The system will search the access_token, id_token and user_info api for this property. This field is optional, but if defined, authentication will fail if the group attribute is not found.

Debug

When checked, the OIDC access and id tokens are logged as well as the response from the user_info api if queried. TLS Verification is disabled for the Authorization URL, Token URL, and URL Info URL API interactions. This feature should remain disabled unless needed for troubleshooting.

Redirect URL

The identify provider can be configured to allow access to redirect to this URL. https://<deployment hostname>/api/oidc_callback

Note

A non redirecting login page is at https://hostname/#/staticlogin when auto login is enabled.

Group Assignment

Users that auth via OIDC, can automatically be associated with Groups defined in Kasm. To automatically assign groups:

  1. In the OpenID Authentication configuration, ensure the Groups Attribute is defined.

  2. Navigate to the Groups tab in the admin navigation bar

  3. Using the three dot menu select View of the desired group

  4. Scroll to the bottom of the screen and select Add SSO Mapping.

  5. Select the OpenID IDP for example “OpenID - test_oidc” for the SSO Provider.

  6. Enter the group name used in the identity provider (e.g sales) in the OpenID Group Name field

../_images/add_sso_group_mapping.png

Add SSO Group Mapping

Configuration Examples