SSO (SAML or OIDC) with Cockpit? #19056

ygini · 2023-07-04T05:46:53Z

ygini
Jul 4, 2023

Hello,

I'm interested to deploy cockpit to help our production team to easily manage edge nodes in a decentralized context.

We don't have legacy directory service like AD or anything using Kerberos.

Also, we just don't have passwords. All our authentication are using so-called "modern" authentication, which is basically federation via SAML or OIDC to our IDP.

And then the IDP will use mTLS to authenticate the user and will handle role based rules to allow or not access to a service.

I would like to integrate Cockpit to that context: having website for cockpit doing SSO and allowing our team to access all host capabilities without the need to know a password.

I see two option to do so:

native OIDC / SAML support in cockpit or via a plug-in
reverse proxy with some HTTP Header to pass the user ID

Is there a chance to have one or the other mechanism working? Or something else?

Cheers

martinpitt · 2023-07-17T05:29:55Z

martinpitt
Jul 17, 2023
Maintainer

So far I don't know how SAML or OIDC work. But as you mentioned mTLS, cockpit does support TLS certificate based authentication (like with smartcards). That uses the "reverse proxy with some HTTP Header to pass the user ID" approach, cockpit-tls implements that.

Other than that, you can also implement any custom authentication schema and configure it in cockpit.conf. This supports e.g. Bearer token (for SSO or oauth2). However, this is not well documented nor are there a lot of good existing examples. Sorry for lack of details, just wanted to paint some initial broad strokes in which direction this could go.

3 replies

ygini Jul 17, 2023
Author

mTLS implementation inside cockpit is not appropriate for many reason (especially the management of the user database).

And yes, I've seen "we can implement our own", but I'm just disapointed to see no default implementation of this "own" for largely used standard like SAML or OIDC…

jelly Jan 8, 2024
Collaborator

Cockpit was developed to fully integrate with PAM as auth mechanism, so that is another route you could take using pam_oath. I have no experience with that PAM module however.

mwmahlberg Feb 12, 2024

@jelly Stating the obvious sometimes helps to remind one of the basics.

SEJeff · 2023-12-28T06:02:07Z

SEJeff
Dec 28, 2023

It would be super helpful to auth cockpit through google workspace SSO flow using SAML or OIDC as @ygini suggested.

0 replies

vaminakov · 2024-04-11T08:00:48Z

vaminakov
Apr 11, 2024

Cockpit using standart linux authentication, so all needed - deploy oidc via pam. I'm searching right way for it now.

2 replies

moutasem1989 Oct 14, 2024

have you managed to get it working?

vaminakov Oct 14, 2024

Not yet

cxfcxf · 2024-05-03T03:52:31Z

cxfcxf
May 3, 2024

Cockpit using standart linux authentication, so all needed - deploy oidc via pam. I'm searching right way for it now.

so i don't think that's accurate, pam_oidc implants login through oidc, but it doesn't implant SSO

in each server you can login through pam_odic when you provide a token, but you will have to provide that token every single time for each server session on each server.

same as you type password, you input it every single time.

0 replies

moutasem1989 · 2024-10-19T18:42:15Z

moutasem1989
Oct 19, 2024

In NPM, I added this for services that do not support OIDC but has basic HTTP authentication. I then integrated it into Authentik reverse proxy authentication and it works as expected:

location /login {
    proxy_pass  $forward_scheme://$server:$port/login;
    proxy_set_header Authorization "Basic wersdfxcvetc";     #base64 of username:password
    proxy_pass_header Authorization;
}

Perhaps it is feasible to use a similar approach with a reverse proxy authentication ? Is there a way to pass headers with correct values to bypass authentication?

check this.

1 reply

moutasem1989 Oct 20, 2024

this is the working custom configuration of NPM with Authentik reverse proxy authentication

# Increase buffer size for large headers
# This is needed only if you get 'upstream sent too big header while reading response
# header from upstream' error when trying to access an application protected by goauthentik
proxy_buffers 8 16k;
proxy_buffer_size 32k;

# Make sure not to redirect traffic to a port 4443
port_in_redirect off;

location / {
    # Put your proxy_pass to your application here
    # proxy_pass          $forward_scheme://$server:$port;
    # Set any other headers your application might need
    # proxy_set_header Host $host;
    # proxy_set_header ...
    proxy_set_header        Host $host;
    proxy_set_header Authorization "Basic abcxyz==";  #base64 of user:password 
    proxy_pass_header Authorization;
    proxy_pass  $forward_scheme://$server:$port;

    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Scheme $scheme;
    proxy_set_header X-Forwarded-Proto  $scheme;
    proxy_set_header X-Forwarded-For    $remote_addr;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $http_connection;
    proxy_http_version 1.1;

    ##############################
    # authentik-specific config
    ##############################
    auth_request     /outpost.goauthentik.io/auth/nginx;
    error_page       401 = @goauthentik_proxy_signin;
    auth_request_set $auth_cookie $upstream_http_set_cookie;
    add_header       Set-Cookie $auth_cookie;

    # translate headers from the outposts back to the actual upstream
    auth_request_set $authentik_username $upstream_http_x_authentik_username;
    auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
    auth_request_set $authentik_email $upstream_http_x_authentik_email;
    auth_request_set $authentik_name $upstream_http_x_authentik_name;
    auth_request_set $authentik_uid $upstream_http_x_authentik_uid;

    proxy_set_header X-authentik-username $authentik_username;
    proxy_set_header X-authentik-groups $authentik_groups;
    proxy_set_header X-authentik-email $authentik_email;
    proxy_set_header X-authentik-name $authentik_name;
    proxy_set_header X-authentik-uid $authentik_uid;
    #add_header X-calibre-web-user "CloudAdmin" always;
}

# all requests to /outpost.goauthentik.io must be accessible without authentication
location /outpost.goauthentik.io {
    proxy_pass              https://authentik-server:9443/outpost.goauthentik.io;
    # ensure the host of this vserver matches your external URL you've configured
    # in authentik
    proxy_set_header        Host $host;
    proxy_set_header        X-Original-URL $scheme://$http_host$request_uri;
    add_header              Set-Cookie $auth_cookie;
    auth_request_set        $auth_cookie $upstream_http_set_cookie;
    proxy_pass_request_body off;
    proxy_set_header        Content-Length "";
}

# Special location for when the /auth endpoint returns a 401,
# redirect to the /start URL which initiates SSO
location @goauthentik_proxy_signin {
    internal;
    add_header Set-Cookie $auth_cookie;
    return 302 /outpost.goauthentik.io/start?rd=$request_uri;
    # For domain level, use the below error_page to redirect to your authentik server with the full redirect path
    # return 302 https://authentik.company/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
}

it auto authenticates in to Cockpit and then do a reverse proxy authentication with Authentik

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

SSO (SAML or OIDC) with Cockpit? #19056

{{title}}

Replies: 5 comments 6 replies

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

Select a reply

SSO (SAML or OIDC) with Cockpit? #19056

Replies: 5 comments · 6 replies

martinpitt Jul 17, 2023 Maintainer

ygini Jul 17, 2023 Author

jelly Jan 8, 2024 Collaborator

Replies: 5 comments 6 replies

martinpitt
Jul 17, 2023
Maintainer

ygini Jul 17, 2023
Author

jelly Jan 8, 2024
Collaborator