User authentication
Overview
Flex supports Jetty (File, LDAP, DB), SAML, OpenID and OAuth for authentication.
Read on to learn how to easily integrate Flex with Okta, AWS SSO, Azure AD, GitHub, Keycloak, and more.
Jetty authentication
Flex is built on the Eclipse Jetty Web server.
See: The Application logs guide to enable Jetty JAAS Debug Logging.
Set HTTP_FORWARDED=true
when running Flex behind a proxy with Jetty authentication
Jetty provides a number of JAAS (Java Authentication and Authorization) integrations including:
- PropertyFileLoginModule: user credentials are stored in a property file.
- LdapLoginModule: user credentials are stored in LDAP.
- JDBCLoginModule: user credentials are stored in a DB accessed via JDBC.
- DataSourceLoginModule: similar to JDBC but uses a JNDI Datasource to connect to the DB.
Flex supports all of these Jetty JAAS integrations. Details of each are in this guide.
SAML authentication
Flex is easily configured to be a Service Provider and integrates with any SAML Identity Provider, we include specific guides for Azure AD integration, Okta integration, AWS SSO integration, and Keycloak integration in this guide.
Note: When running Flex with a reverse-proxy for HTTPS termination (rather than HTTPS connections care must be taken with the scheme of configured authentication URI.
OpenID and OAuth 2.0 authentication
Flex supports integration with Okta (OpenID) and GitHub (OAuth 2.0) SSO providers as well as generic providers. See: OpenID Connect
Need a Provider Added? Just email [email protected] and we'll estimate delivery.
Flex and User authentication
With authentication configured Flex requires all users to authenticate prior to accessing the UI.
Note: Access to Prometheus endpoints remains unauthenticated.
When Jetty authentication is configured users will be prompted with form-based or basic login prompts.
Regardless of the mechanism used for authentication, all users can view their profile information.