OpenID Connect
Configure any OpenID Connect (OIDC) provider for single sign-on (SSO) to Seqera Platform. Keycloak, Microsoft Entra ID, and Okta are covered below, but the same steps apply to any OIDC-compliant provider.
All OIDC providers use the same Seqera environment variables (TOWER_OIDC_CLIENT, TOWER_OIDC_SECRET, TOWER_OIDC_ISSUER) and the same callback URL. Only the application setup within the provider differs.
You can combine different OAuth and OIDC provider types. However, only one OIDC provider can be configured at a time.
Create an application with your identity provider
Create an application (or client) in your identity provider, then note its client ID, client secret, and issuer URL for the next section.
In your provider settings, set the callback address (also called the authorized redirect or sign-in redirect URI) to the following, replacing <HOST> with your enterprise installation hostname (must be HTTPS):
https://<HOST>/oauth/callback/oidc
- Keycloak
- Entra ID
- Okta
You need the following:
- A Keycloak instance
- Admin access to create clients in Keycloak
See the Keycloak documentation to configure Keycloak clients.
Create a Keycloak client
- In Realm settings, verify the Endpoints field includes OpenID Endpoint Configuration.
- Go to Clients and select Create.
- Configure the client with protocol
openid-connect, access typeconfidential, and redirect URIhttps://<HOST>/oauth/callback/oidc. - In the Credentials tab, note the Secret.
- In the Keys tab, set Use JWKS URL to
OFF. - Note the issuer URL from Realm Settings > Endpoints > OpenID Configuration (the
issuervalue in the JSON), e.g.,https://keycloak.example.com/auth/realms/master.
You need the following:
- An Azure account with Microsoft Entra ID access
- Permission to create app registrations
See Microsoft's documentation on registering an application for the registration steps.
Register an Entra ID application
- In the Azure portal, go to Entra ID > App Registrations.
- Select New Registration and specify a name and supported account types.
- Set the redirect URI to
https://<HOST>/oauth/callback/oidc. - Note the Application (client) ID from the app overview.
- Go to Certificates & secrets and create a new client secret. Note the secret value.
- Go to Endpoints and note the OpenID Connect metadata document URI (up to
v2.0), e.g.,https://login.microsoftonline.com/<tenant-id>/v2.0.
User consent settings
Configure user consent settings to Allow user consent for apps to ensure admin approval is not required for each login. See User consent settings.
Add auth-oidc to the MICRONAUT_ENVIRONMENTS environment variable for both the cron and backend services.
Users on Seqera Platform version 25.2.3 and below may need to set the following environment variable to resolve an authentication method incompatibility:
MICRONAUT_SECURITY_OAUTH2_CLIENTS_OIDC_OPENID_TOKEN_AUTH_METHOD=client_secret_post
You need the following:
- An Okta organization
- Administrator access to create applications
See Okta's documentation on creating OIDC app integrations to set up the app.
Create an Okta app integration
- In the Admin Console, go to Applications > Applications.
- Select Create App Integration.
- Select OIDC - OpenID Connect as the sign-in method and Web Application as the application type.
- Enter a name for the app, e.g.,
Seqera. - Set the sign-in redirect URI to
https://<HOST>/oauth/callback/oidc. - Set the sign-out redirect URI to
https://<HOST>/logout. - Note the Client ID and Client secret from the application settings.
- Note the Issuer URL from Sign On > OpenID Connect ID Token.
Connection strings can differ based on the issuer type. Verify the issuer URL via the Okta console.
Configure Seqera
Add the following environment variables to your Seqera backend service configuration:
| Variable | Description |
|---|---|
TOWER_OIDC_CLIENT | The client ID provided by your identity provider |
TOWER_OIDC_SECRET | The client secret provided by your identity provider |
TOWER_OIDC_ISSUER | The issuer URL provided by your identity provider |
Some providers require the full authentication service URL while others require only the SSO root domain (without the trailing sub-directories).
If you plan to use IdP-delegated teams, your OIDC token must include a groups claim. See IdP claim mapping for the per-IdP configuration steps.
Restrict access
To restrict access to specific email addresses or domains, configure an allow list in tower.yml:
tower:
auth:
oidc:
allow-list:
- "*@your-company.example.com"
- "specific-user@another-company.example.net"
See User access allow list for more information.