1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
|
# yamllint disable rule:line-length
---
- id: 'okta-authentication'
meta:
name: 'Okta SSO'
link: 'https://netdata.cloud'
categories:
- auth
icon_filename: 'okta.png'
keywords:
- sso
- okta
- okta-sso
overview:
authentication_description: "Integrate your organization's Okta account with Netdata to better manage your team's access controls to Netdata Cloud."
authentication_limitations: ''
setup:
description: |
### Prerequisites
- An Okta account
- A Netdata Cloud account
- Access to the Space as an **Admin**
- Space needs to be on a paid plan
### Setting up Okta
Steps needed to be done on Okta Admin Portal:
1. Click on **Applications** tab and choose to **Browse App Catalogue**
2. Find Netdata's preconfigured app for easy setup and click **Add Integration**
3. Give the app, that will be in your apps dashboard, the preferred **Application label** and click **Next** to move to the Sign-On options tab
4. In the **Sign-On Options** all the values we expect are already filled and no additional data is required
5. Click **Done**. You are able to go back and edit any fields later if need be
6. Go to the **Assignments** tab and enter the People or Group assignments as per your organization’s policies
### Netdata Configuration Steps
1. Click on the Space settings cog (located above your profile icon)
2. Click on the **User Management** section and access **Authentication and Authorization** tab.
3. On the Okta SSO card, click on **Configure**
4. Fill in the [required credentials](https://developer.okta.com/docs/guides/find-your-app-credentials/main/), you get them from **Okta Admin Portal**:
- **Issuer URL** you can get it from your profile icon on top, e.g. `https://company-name.okta.com`
- **Client ID** you can get it from **General** tab on application you configured on Okta
- **Client Secret** you can get it from **General** tab on application you configured on Okta
### Supported features
* SP-initiated SSO (Single Sign-On)
* IdP-initiated SSO
### SP-initiated SSO
If you start your authentication flow from Netdata sign-in page please check [these steps](/docs/netdata-cloud/authentication-and-authorization/enterprise-sso-authentication.md#from-netdata-sign-up-page).
- id: 'oidc-authentication'
meta:
name: 'OIDC'
link: 'https://netdata.cloud'
categories:
- auth
icon_filename: 'openid.svg'
keywords:
- sso
- oidc
overview:
authentication_description: "Integrate your organization's Authorization Servers with Netdata to better manage your team's access controls to Netdata Cloud."
authentication_limitations: ''
setup:
description: |
### Prerequisites
- Authorization Server with OIDC protocol supported
- A Netdata Cloud account
- Access to the Space as an **Admin**
- Space needs to be on a paid plan
### Setting up Authorization Server
Your server should follow the [full specification for OIDC](https://openid.net/specs/openid-connect-core-1_0.html).
In order to integrate your Authorization Server with Netdata the creation of a client is required. Clients are applications and services that can request authentication of a user.
The access settings for your client are the following:
| field | value |
| :-- | :-- |
| Root URL | `https://app.netdata.cloud/`` |
| Home/Initiate login URL | `https://app.netdata.cloud/api/v2/auth/account/auth-server?iss={your-server-issuer-url}&redirect_uri=https://app.netdata.cloud/sign-in®ister_uri=https://app.netdata.cloud/sign-up/verify` |
| Redirect URL | `https://app.netdata.cloud/api/v2/auth/account/auth-server/callback` |
### Netdata Configuration Steps
1. Click on the Space settings cog (located above your profile icon)
2. Click on the **User Management** section and access **Authentication and Authorization** tab.
3. On the OIDC card, click on **Configure**
4. Fill in the required credentials:
- **Issuer URL** the Authorization Server Issuer URL, e.g. `https://my-auth-server.com/`
- **Client ID** the Client ID from the created client
- **Client Secret** the Client Secret from the created client
- **Authorization URL** the Authorization Server authorization URL, e.g. `https://my-auth-server.com/openid-connect/auth`
- **Token URL** the Authorization Server token URL, e.g. `https://my-auth-server.com/openid-connect/token`
- **User URL** the Authorization Server user info URL, e.g. `https://my-auth-server.com/openid-connect/userinfo`
### Supported features
* SP-initiated SSO (Single Sign-On)
* IdP-initiated SSO
### SP-initiated SSO
If you start your authentication flow from Netdata sign-in page please check [these steps](/docs/netdata-cloud/authentication-and-authorization/enterprise-sso-authentication.md#from-netdata-sign-up-page).
### Reference
https://openid.net/developers/how-connect-works/
- id: 'scim'
meta:
name: 'SCIM'
link: 'https://netdata.cloud'
categories:
- auth
icon_filename: 'scim.svg'
keywords:
- scim
- identity-management
overview:
authentication_description: "The System for Cross-domain Identity Management (SCIM) specification is designed to simplify the management of user identities in cloud-based applications and services."
authentication_limitations: ''
setup:
description: |
### Prerequisites
- A Netdata Cloud account
- Admin access to the Space
- The Space must be on a paid plan
- OIDC/SSO integration must already be enabled in one of your Spaces
### Netdata Configuration Steps
1. Click on the Space settings cog (located above your profile icon).
2. Click on the **User Management** section and access **Authentication and Authorization** tab.
3. In the SCIM card, click on **Activate**.
4. Depending on your situation:
- If OIDC/SSO integration is already enabled in your Space, click **Activate**.
- If you already have a SCIM integration in another Space and want to create a linked integration here, enter the SCIM token from the original integration and click **Activate**.
5. If the setup is successful, you will receive two parameters:
- **Base URL**: Use this URL as the base URL for your SCIM client.
- **Token**: Use this token for Bearer Authentication with your SCIM client.
### Rotating the SCIM Token
You can rotate the token provided during SCIM integration setup if needed.
Steps to rotate the token:
1. Click on the Space settings cog (located above your profile icon).
2. Click on the **User Management** section and access **Authentication and Authorization** tab.
3. In the already configured SCIM card, click **Configure**.
4. Click **Regenerate Token**.
5. If successful, you will receive a new token for Bearer Authentication with your SCIM client.
### Supported Features
This integration adheres to SCIM v2 specifications. Supported features include:
- User Resource Management (urn:ietf:params:scim:schemas:core:2.0:User)
- Patch operations: Supported
- Bulk operations: Not supported
- Filtering: Supported (max results: 200)
- Password synchronization: Not supported, as we rely on SSO/OIDC authentication
- eTag: Not supported
- Authentication schemes: OAuth Bearer Token
### User Keying Between SCIM and OIDC
Our SCIM (System for Cross-domain Identity Management) integration utilizes OIDC (OpenID Connect) to authenticate users.
To ensure users are correctly identified and authenticated between SCIM and OIDC, we use the following mapping:
- SCIM externalID ↔ OIDC sub
This mapping ensures that the identity of users remains consistent and secure across both systems.
**Important**: Ensure that your OIDC and SCIM systems follow this mapping strictly.
The externalID in SCIM must correspond to the subfield in OIDC. Any deviation from this mapping may result
in incorrect user identification and authentication failures.
### Reference
[SCIM Specification](https://scim.org)
|