Skip to main content
Version: 26.1

OpenID Connect

Configure any OpenID Connect (OIDC) provider for single sign-on (SSO) to Seqera Platform. Keycloak, Microsoft Entra ID, and Okta are covered below, but the same steps apply to any OIDC-compliant provider.

All OIDC providers use the same Seqera environment variables (TOWER_OIDC_CLIENT, TOWER_OIDC_SECRET, TOWER_OIDC_ISSUER) and the same callback URL. Only the application setup within the provider differs.

note

You can combine different OAuth and OIDC provider types. However, only one OIDC provider can be configured at a time.

Create an application with your identity provider

Create an application (or client) in your identity provider, then note its client ID, client secret, and issuer URL for the next section.

In your provider settings, set the callback address (also called the authorized redirect or sign-in redirect URI) to the following, replacing <HOST> with your enterprise installation hostname (must be HTTPS):

https://<HOST>/oauth/callback/oidc
Prerequisites

You need the following:

  • A Keycloak instance
  • Admin access to create clients in Keycloak

See the Keycloak documentation to configure Keycloak clients.

Create a Keycloak client

  1. In Realm settings, verify the Endpoints field includes OpenID Endpoint Configuration.
  2. Go to Clients and select Create.
  3. Configure the client with protocol openid-connect, access type confidential, and redirect URI https://<HOST>/oauth/callback/oidc.
  4. In the Credentials tab, note the Secret.
  5. In the Keys tab, set Use JWKS URL to OFF.
  6. Note the issuer URL from Realm Settings > Endpoints > OpenID Configuration (the issuer value in the JSON), e.g., https://keycloak.example.com/auth/realms/master.

Configure Seqera

Add the following environment variables to your Seqera backend service configuration:

VariableDescription
TOWER_OIDC_CLIENTThe client ID provided by your identity provider
TOWER_OIDC_SECRETThe client secret provided by your identity provider
TOWER_OIDC_ISSUERThe issuer URL provided by your identity provider

Some providers require the full authentication service URL while others require only the SSO root domain (without the trailing sub-directories).

note

If you plan to use IdP-delegated teams, your OIDC token must include a groups claim. See IdP claim mapping for the per-IdP configuration steps.

Restrict access

To restrict access to specific email addresses or domains, configure an allow list in tower.yml:

tower:
auth:
oidc:
allow-list:
- "*@your-company.example.com"
- "specific-user@another-company.example.net"

See User access allow list for more information.