Kpow supports Jetty (File, LDAP, DB), SAML, OpenID and OAuth for authentication.
Read on to learn how to easily integrate Kpow with Okta, AWS SSO, Azure AD, GitHub, Keycloak, and more.
Kpow is built on the Eclipse Jetty Web server.
HTTP_FORWARDED=true when running Kpow behind a proxy with Jetty authentication
Jetty provides a number of JAAS (Java Authentication and Authorization) integrations including:
- PropertyFileLoginModule: user credentials are stored in a property file.
- LdapLoginModule: user credentials are stored in LDAP.
- JDBCLoginModule: user credentials are stored in a DB accessed via JDBC.
- DataSourceLoginModule: similar to JDBC but uses a JNDI Datasource to connect to the DB.
Kpow supports all of these Jetty JAAS integrations. Details of each are in this guide.
Kpow is easily configured to be a Service Provider and integrates with any SAML Identity Provider, we include specific guides for Azure AD integration, Okta integration, AWS SSO integration, and Keycloak integration in this guide.
Note: When running Kpow with a reverse-proxy for HTTPS termination (rather than HTTPS connections care must be taken with the scheme of configured authentication URI.
OpenID and OAuth 2.0 authentication
Kpow and User authentication
With authentication configured Kpow requires all users to authenticate prior to accessing the UI.
Note: Access to Prometheus endpoints remains unauthenticated.
When Jetty authentication is configured users will be prompted with form-based or basic login prompts.
Regardless of the mechanism used for authentication, all users can view their profile information.