Here I am trying to explain how to integrate Authentik SSO with Portainer, using OAuth2/OpenID.
Before we start, I assume you have a Portainer Installation and Authentik Installtion ready.
For Authenthik, you can follow my other guide.
Vineeth
Prerequisites
- Portainer Installation
portainer.example.com - Authentik Installtion
sso.example.com
Create OAuth2/OpenID Provider On Authentik
login to your authentik installation and go to admin dashboard. Under Providers, create an OAuth2/OpenID Provider with these settings:
Protocol Settings
- Name:
Portainer Client ID: Copy and Save this for LaterClient Secret: Copy and Save this for later- Redirect URIs/Origins:
https://portainer.example.com
Create Portainer Application On Authentik
Move to Application tab and create an application which uses this provider. Optionally apply access restrictions to the application using policy bindings.
- Name:
Portainer - Slug:
portainer - Provider:
Portainer - Launch URL:
https://portainer.example.com
Now let's make changes in Portainer.
Configure OAuth2/OpenID in Portainer
Under Settings tab, Authentication, Select OAuth and Custom
Enter Below Details.
- Client ID: Client ID from step 1
- Client Secret: Client Secret from step 1
- Authorization URL:
https://auth.example.com/application/o/authorize/ - Access Token URL:
https://auth.example.com/application/o/token/ - Redirect URL:
https://portainer.example.com - Resource URL:
https://auth.example.com/application/o/userinfo/ - Logout URL:
https://auth.example.com/application/o/portainer/end-session/ - User Identifier:
email - Scopes:
email openid profile
Once you save the settings, move to users section
create user with username as email id, make sure this user present in Authentik. if you want the user to be admin, enable the same.
Test the Setup
log-out the portainer application and access https://portainer.example.com. You will see an option to login with OAuth2/OpenID.
Now you have Portainer with Authentik OAuth.