Authentication Options for DevOps Dashboard
The DevOps Dashboard supports multiple authentication methods, enabling organizations to integrate with their existing identity infrastructure and security policies.
This guide assumes you have already completed the basic DevOps Dashboard setup, including enabling OAuth-protected RESTCONF and the DevOps Dashboard itself.
Available Authentication Methods
There are several ways to authenticate administrators to the DevOps Dashboard:
- Local Accounts (Default): Uses the html-form authenticator with local admin accounts stored in Curity’s account manager.
- SAML Authentication: Integrates with enterprise SAML identity providers for single sign-on (SSO) with corporate credentials.
- OpenID Connect Authentication: Connects to OIDC providers (Microsoft Entra ID, Okta, Google, etc.) for modern OAuth-based authentication.
- Multi-Factor Authentication: Requires a second factor (SMS, TOTP, etc.) in addition to primary authentication.
This guide shows you how to configure different authentication methods for the DevOps Dashboard.
How DevOps Dashboard Authentication Works
Unlike the Admin UI (which has its own federated login configuration in System → Deployment → Admin Service), the DevOps Dashboard authenticates through an OAuth client configuration.
Architecture Note: In Curity Identity Server, authenticators are configured in the authentication profile, while OAuth profiles (token services) reference these authenticators when configuring clients. This separation allows multiple OAuth profiles to share the same authentication methods.
The authentication flow:
- User accesses the DevOps Dashboard
- Dashboard redirects to the OAuth authorization endpoint
- User sees the authenticator(s) configured in the OAuth client’s Allowed Authenticators setting
- After successful authentication, an authorization code is returned
- Access token is exchanged and used for RESTCONF API access
Key Concept: The OAuth client’s User Authentication → Allowed Authenticators setting controls which authentication methods users see when logging into the DevOps Dashboard. These authenticators must exist in the authentication profile.
Configuring Authentication Methods
Step 1: Create or Configure Your Authenticator
Authenticators are configured in the authentication profile (not in individual OAuth profiles).
Navigate to Profiles → authentication → Authenticators to view and manage all available authentication methods:

Example: SAML Authenticator
- In the Admin UI, go to Profiles → authentication → Authenticators
- Click New Authenticator and select SAML
- Configure your SAML Service Provider settings:
  - Entity ID (e.g., https://your-domain.com/dashboard)
  - Import Identity Provider metadata
  - Configure attribute mapping
<authenticator>
  <id>SAML</id>
  <authentication-context-class-reference>urn:virtual:assertion-sig:saml</authentication-context-class-reference>
  <description>Virtual SAML (saml2 replaces saml)</description>
  <saml2 xmlns="https://curity.se/ns/conf/authenticators/saml2">
    <issuer-entity-id>se.curity</issuer-entity-id>
    <idp-entity-id>virtual-idp</idp-entity-id>
    <idp-url>https://127.0.0.1:1234/saml/idp/sign-assertion</idp-url>
    <signature-verification-key>virtual-idp-signer</signature-verification-key>
    <wants-response-signed>false</wants-response-signed>
    <wants-assertion-signed>true</wants-assertion-signed>
  </saml2>
</authenticator>
Example: OIDC Authenticator
- In the Admin UI, go to Profiles → authentication → Authenticators
- Click New Authenticator and select OpenID Connect
- Configure your OIDC settings:
  - Client ID and Client Secret (from your identity provider)
  - Discovery URL or manual endpoint configuration
  - Requested scopes
<authenticator>
  <id>oidc1</id>
  <oidc xmlns="https://curity.se/ns/conf/authenticators/oidc">
    <configuration-url>https://localhost:7777/.well-known/openid-configuration</configuration-url>
    <client-id>virt-client</client-id>
    <client-secret>client-secret</client-secret>
    <http-client>trustStoreHttpClient</http-client>
  </oidc>
</authenticator>
For detailed authenticator configuration, see the Curity Authenticators Guide.
Step 2: Update the OAuth Client Configuration
Once your authenticator is configured in the authentication profile, update the DevOps Dashboard OAuth client to use it:
- Navigate to Profiles → [your-oauth-profile] → Clients
- Select the DevOps Dashboard client (e.g., devops_dashboard_restconf_client)
- Scroll down to the User Authentication section
- In the Allowed Authenticators field, select your federated authenticator
- Save or Commit the changes
You can select multiple authenticators to give users a choice of authentication methods. Each authenticator will appear as a separate option on the login screen.

Important: Ensure your authenticator is fully configured and tested before removing html-form from the allowed authenticators list. Misconfiguration could lock administrators out of the dashboard.
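A check to run before committing Step 2, as an added example that is not part of the Curity documentation or product: it confirms that every authenticator allowed on the client exists in the authentication profile, flags the removal of html-form, and flags SAML or OIDC authenticators whose signature or transport settings are weak. Assumptions: the `<authenticators>` wrapper, the function names, and passing the client's Allowed Authenticators as a Python list are all hypothetical; settings that are absent are treated as not set, without consulting product defaults.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the page's two authenticators, trimmed, inside a
# hypothetical <authenticators> wrapper. The OIDC URL is changed to http://
# on purpose so the check has something to report.
SAMPLE = """<authenticators>
 <authenticator><id>SAML</id>
  <saml2 xmlns="https://curity.se/ns/conf/authenticators/saml2">
   <signature-verification-key>virtual-idp-signer</signature-verification-key>
   <wants-response-signed>false</wants-response-signed>
   <wants-assertion-signed>true</wants-assertion-signed>
  </saml2></authenticator>
 <authenticator><id>oidc1</id>
  <oidc xmlns="https://curity.se/ns/conf/authenticators/oidc">
   <configuration-url>http://localhost:7777/.well-known/openid-configuration</configuration-url>
   <client-id>virt-client</client-id>
  </oidc></authenticator>
</authenticators>"""

def local(tag):
    """Strip the '{namespace}' prefix ElementTree adds to tag names."""
    return tag.rsplit("}", 1)[-1]

def load_authenticators(xml_text):
    """Return {id: (type, {setting: value})} for every <authenticator>."""
    found = {}
    for auth in ET.fromstring(xml_text).iter("authenticator"):
        body = next((c for c in auth if len(c)), ())  # type element, e.g. <saml2>
        kind = local(body.tag) if len(body) else "unknown"
        found[auth.findtext("id")] = (kind, {local(e.tag): (e.text or "").strip() for e in body})
    return found

def check(xml_text, allowed):
    """List problems to fix before committing the client's Allowed Authenticators."""
    auths = load_authenticators(xml_text)
    out = [f"{a}: allowed on the client but not in the authentication profile"
           for a in allowed if a not in auths]
    if "html-form" not in allowed:
        out.append("html-form: removed, no local fallback if federated login fails")
    for name, (kind, s) in auths.items():  # absent settings count as not set
        if kind == "saml2" and "true" not in (s.get("wants-response-signed"),
                                               s.get("wants-assertion-signed")):
            out.append(f"{name}: neither the SAML response nor the assertion must be signed")
        if kind == "saml2" and not s.get("signature-verification-key"):
            out.append(f"{name}: no signature-verification-key")
        if kind == "oidc" and not s.get("configuration-url", "").startswith("https://"):
            out.append(f"{name}: configuration-url is not https")
    return out
```

Calling `check(SAMPLE, ["SAML", "oidc1"])` reports the missing html-form fallback and the non-HTTPS discovery URL; an empty list means none of these conditions were found.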

Configuring Multi-Factor Authentication
To require MFA for DevOps Dashboard access, create an MFA action that wraps your primary authenticator:
<authentication-action>
  <id>MFA</id>
  <multi-factor-condition xmlns="https://curity.se/ns/ext-conf/multi-factor-condition">
    <subject-condition>
      <subject-pattern-condition>
        <subject-pattern>test</subject-pattern>
        <second-factor>
          <id>TOTP</id>
        </second-factor>
        <allow-authentication-with-sso-for-second-factor>true</allow-authentication-with-sso-for-second-factor>
      </subject-pattern-condition>
    </subject-condition>
  </multi-factor-condition>
</authentication-action>
Then update the OAuth client’s Allowed Authenticators to use mfa-dashboard-auth.
For more details, see the Conditional Multi-Factor action documentation.
Claims and Attribute Mapping
Configure claims providers to map user attributes from your authentication provider to the tokens issued for DevOps Dashboard access:
<authentication-subject-claims-provider>
  <id>authentication-claims</id>
  <claim>
    <name>email</name>
    <value>${request.subject.email}</value>
  </claim>
  <claim>
    <name>groups</name>
    <value>${request.subject.memberOf}</value>
  </claim>
</authentication-subject-claims-provider>
The groups claim can be used for access control to restrict which administrators can access specific DevOps Dashboard features.