Replies: 5 comments 7 replies
-
So far I don't know how SAML or OIDC work. But as you mentioned mTLS, cockpit does support TLS certificate based authentication (like with smartcards). That uses the "reverse proxy with some HTTP header to pass the user ID" approach; cockpit-tls implements that. Other than that, you can also implement any custom authentication scheme and configure it in cockpit.conf. This supports e.g. Bearer tokens (for SSO or OAuth2). However, this is not well documented, nor are there a lot of good existing examples. Sorry for the lack of details, I just wanted to paint some initial broad strokes in which direction this could go.
-
It would be super helpful to authenticate cockpit through the Google Workspace SSO flow using SAML or OIDC as @ygini suggested.
-
Cockpit uses standard Linux authentication, so all that's needed is to deploy OIDC via PAM. I'm searching for the right way to do it now.
-
So I don't think that's accurate. pam_oidc implements login through OIDC, but it doesn't implement SSO: on each server you can log in through pam_oidc when you provide a token, but you will have to provide that token every single time, for each session on each server. Same as when you type a password: you input it every single time.
-
In NPM, I added this for services that do not support OIDC but have basic HTTP authentication. I then integrated it into Authentik reverse proxy authentication and it works as expected:
Perhaps it is feasible to use a similar approach with reverse proxy authentication? Is there a way to pass headers with the correct values to bypass authentication? Check this.
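The "reverse proxy passes the user ID in an HTTP header" pattern from the cockpit-tls comment and the NPM/Authentik comment above, as an added example that is not code from this thread, from Cockpit, NPM or Authentik. It is written in plain Python with no external dependencies: the proxy verifies a bearer token (here a constructed HS256 JWT signed with a demo shared key; a real OIDC deployment would check an RS256/ES256 signature against the IdP's JWKS), enforces a group claim for role-based access, strips every identity header the client sent, and only then sets the header the backend trusts. The header name X-Remote-User, the issuer, audience, group name and key are assumptions for the demo; Cockpit's actual header name and cockpit.conf keys are not stated in this thread.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional

# Header the proxy sets for the backend. The name is an assumption for this
# demo; it is not necessarily what cockpit-tls or Authentik use.
TRUSTED_USER_HEADER = "X-Remote-User"
# Identity-bearing headers that must never pass through from the client
# (compared case-insensitively); otherwise a client could forge them.
IDENTITY_HEADERS = {"x-remote-user", "x-forwarded-user", "remote-user"}

# Constructed demo values: shared HS256 key plus issuer/audience/group checks.
DEMO_KEY = b"demo-shared-secret-do-not-use"
EXPECTED_ISSUER = "https://idp.example.test"
EXPECTED_AUDIENCE = "cockpit-proxy"
REQUIRED_GROUP = "cockpit-admins"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_demo_token(sub: str, key: bytes = DEMO_KEY, exp_in: int = 300,
                    groups=None) -> str:
    """Issue an HS256 JWT the way the demo IdP would (test helper only)."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "sub": sub,
              "exp": int(time.time()) + exp_in, "groups": groups or []}
    signing_input = (_b64url_encode(json.dumps(header).encode()) + "."
                     + _b64url_encode(json.dumps(claims).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_token(token: str, key: bytes = DEMO_KEY,
                 now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if alg, signature, issuer, audience and expiry hold."""
    try:
        h_b64, c_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None                      # refuses "none" and alg confusion
        expected = hmac.new(key, f"{h_b64}.{c_b64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
            return None
        claims = json.loads(_b64url_decode(c_b64))
        if not isinstance(claims, dict):
            return None
    except ValueError:                       # bad base64, bad JSON, bad shape
        return None
    now = time.time() if now is None else now
    if claims.get("iss") != EXPECTED_ISSUER or claims.get("aud") != EXPECTED_AUDIENCE:
        return None
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return None
    if not isinstance(claims.get("sub"), str) or not claims["sub"]:
        return None
    return claims


def build_upstream_headers(client_headers: Dict[str, str], key: bytes = DEMO_KEY,
                           now: Optional[float] = None) -> Optional[Dict[str, str]]:
    """Proxy step: authenticate the client, then build the headers sent upstream.

    Returns None when the request must be rejected (401/403). Every identity
    header supplied by the client is discarded before the trusted one is set.
    """
    auth = next((v for k, v in client_headers.items()
                 if k.lower() == "authorization"), "")
    if not auth.startswith("Bearer "):
        return None
    claims = verify_token(auth[len("Bearer "):], key, now)
    if claims is None:
        return None
    groups = claims.get("groups")
    if not isinstance(groups, list) or REQUIRED_GROUP not in groups:
        return None                          # authenticated but not authorised
    upstream = {k: v for k, v in client_headers.items()
                if k.lower() not in IDENTITY_HEADERS and k.lower() != "authorization"}
    upstream[TRUSTED_USER_HEADER] = claims["sub"]
    return upstream


if __name__ == "__main__":
    token = mint_demo_token("alice", groups=[REQUIRED_GROUP])
    # Client also tries to smuggle an identity header; it must be dropped.
    print(build_upstream_headers({"Authorization": "Bearer " + token,
                                  "x-remote-user": "root", "Accept": "*/*"}))
    print(build_upstream_headers({"X-Remote-User": "root"}))   # no token: None
```

The answer to "is there a way to pass headers with the correct values to bypass authentication?" is therefore yes, unless two conditions hold: the backend that trusts the header must be reachable only through the proxy (firewall or local socket, not a second exposed port), and the proxy must strip any client-supplied copy of that header, as the comprehension above does for every spelling of it. A backend that accepts X-Remote-User from anywhere is exactly the bypass being asked about.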
-
Hello,
I'm interested in deploying cockpit to help our production team easily manage edge nodes in a decentralized context.
We don't have a legacy directory service like AD or anything using Kerberos.
Also, we just don't have passwords. All our authentication uses so-called "modern" authentication, which is basically federation via SAML or OIDC to our IdP.
And then the IdP will use mTLS to authenticate the user and will handle role based rules to allow or deny access to a service.
I would like to integrate Cockpit into that context: having the cockpit website do SSO and allowing our team to access all host capabilities without the need to know a password.
I see two options to do so:
Is there a chance to have one or the other mechanism working? Or something else?
Cheers