OpenID Authentication

Kasm can utilize external authentication providers using OpenID Connect (OIDC).

Warning

Be mindful when configuring OpenID providers that are public. Any user that can successfully authenticate with the provider will have access to your deployment of Kasm Workspaces. While access to Kasm Workspace apps and desktops can be resitricted with Kasm group permissions, any user of the public authentication provider would still be able to login to your deployment of Kasm. It is recommended to use a private OpenID provider unless your intention is to allow authentictioned access to all users of the OpenID platform provider.

../_images/login.webp

Kasm Login

Configuration

OpenID configuration can be found under the Access Management -> Authentication tab in the Admin Navigation Bar.

Property

Description

Display Name

This name is displayed on the login page to represent the authentication provider. (e.g Continue with Github)

Logo URL

A URL to a login logo image for the authentication provider. (e.g https://github.com/favicon.ico)

Enabled

When checked this configuration will be active.

Auto Login

When checked, the user will be automatically navigated to the OIDC provider when they view the login screen. This only applies if a single authentication provider is visible. If this configuration is set, the fixed login page (without redirection) can be accessed via /#/staticlogin

Hostname

The URL hostname (e.g kasm.example.com) of the deployment. This OIDC config will only be displayed when the deployment is accessed via this URL host name. This allows for a single deployment to service multiple tenants who may need different OIDC configurations. If Default is defined, this config will apply regardless of the host name.

Default

If checked this OIDC config will be shown on the login screen of the deployment when access with any hostname, unless another config is defined with the specific hostname.

Client ID

The Client ID received from the authentication provider.

Client Secret

The Client Secret received from the authentication provider.

Authorization URL

The authorization url for the authentication provider. (e.g https://github.com/login/oauth/authorize)

Token URL

The token url for the authentication provider. (e.g https://github.com/login/oauth/access_token)

User Info URL

The user info url for the authentication provider. (e.g https://api.github.com/user). This service will be queried if the Username Attribute or Groups Attribute are no provided by the identity provider in the id or access tokens.

Scope

The OIDC Scopes for the authentication provider. Enter one scope per line. e.g: openid email

Username Attribute

The attribute from the authentication provider to use for the username within Kasm (e.g email). The system will search the access_token, id_token and user_info api for this property.

Groups Attribute

The attribute from the authentication provider to user for group membership mapping within Kasm (e.g groups). The system will search the access_token, id_token and user_info api for this property. This field is optional, but if defined, authentication will fail if the group attribute is not found.

Debug

When checked, the OIDC access and id tokens are logged as well as the response from the user_info api if queried. TLS Verification is disabled for the Authorization URL, Token URL, and URL Info URL API interactions. This feature should remain disabled unless needed for troubleshooting.

Redirect URL

The identify provider can be configured to allow access to redirect to this URL. https://<deployment hostname>/api/oidc_callback

Note

A non redirecting login page is at https://hostname/#/staticlogin when auto login is enabled.

Group Assignment

Users that auth via OIDC, can automatically be associated with Groups defined in Kasm. To automatically assign groups:

  1. In the OpenID Authentication configuration, ensure the Groups Attribute is defined.

  2. Navigate to the Access Management -> Groups tab in the admin navigation bar.

  3. Using the arrow menu select Edit of the desired group

  4. Navigate to the SSO Group Mappings tab and select Add SSO Mapping.

  5. Select the OpenID IDP for example “OpenID - test_oidc” for the SSO Provider.

  6. Enter the group name used in the identity provider (e.g sales) in the OpenID Group Name field

../_images/add_sso_group_mapping.webp

Add SSO Group Mapping

OpenID Attribute Mapping

Additional OpenID attributes can be passed with the login redirect. Administrators can optionally map those attribute values to fields on the Kasm user. See the documentation for your OpenID provider for a listing of attributes.

These can be configured by editing an existing OpenID Authentication configuration, if creating a new configuration you will need to submit and edit to add them.

The following Kasm User fields can be populated with values from OpenID attributes.

  • First Name

  • Last Name

  • Phone

  • Organization

  • Notes

  • City

  • State

  • Country

  • Email

  • Custom Attribute 1

  • Custom Attribute 2

  • Custom Attribute 3

../_images/oidc_attribute_mapping.webp

Attribute Mapping

Note

Kasm can log all OpenID attributes present in the login event, this is helpful for determining the attribute names. Add an OpenID Attribute Mapping with an attribute name of ‘debug’ and target any user field. The next time a user logs in, all OpenID attributes and values will be logged by Kasm.

Configuration Examples