Aleph

On this page

Last updated on 2024-09-03.
Edit this page on GitHub.

How To Configure an Identity Provider

Aleph ships with a built-in password authentication system. However, for production deployments, we recommend delegating authentication to an external identity provider. If you’re organization already uses an identity provider, this allows your users to use Aleph without setting up a separate account. Even if you do not use an identity provider, this provides additional security features such as multi-factor authentication.

Disable password authentication

When setting up an external identity provider, you most like won’t want users to create accounts using Aleph’s built-in password authentication system. You can disable password authentication by setting the ALEPH_PASSWORD_LOGIN configuration option to false.

If you do not disable password authentication, anyone will still be able to create an account or sign in using password authentication.

Configure OAuth

Aleph has built-in support for the identity providers listed below. Other identity providers that support the OpenID Connect standard should work with Aleph, too.

However, we can unfortunately not guarantee that the instructions below are always up to date. If you’re using one of the identity providers listed below and find that the instructions are outdated or if you use an identity provider not listed we’d appreciate if you could open a pull request with updated instructions.

Google

User groups are not standardized in OpenID and Aleph currently doesn’t support syncing user groups when using Google as an identity provider.

  1. Create an OAuth client in the Google Cloud console. Please refer to the Google Cloud documentation for detailed instructions.

  2. If you want to allow only users in your organization to access your Aleph instance, make sure to select the correct user type.

  3. In the Google Cloud console, add Aleph’s OAuth endpoint as an authorized redirect URI. For example, if your Aleph instance is available at https://example.org, add the following authorized redirect URI:

    https://example.org/api/2/sessions/callback

  4. After creating a new OAuth client in the Google Cloud console, set the following Aleph configuration options:

    Configuration optionValue
    ALEPH_OAUTHtrue
    ALEPH_OAUTH_KEYClient ID
    ALEPH_OAUTH_SECRETClient secret
    ALEPH_OAUTH_METADATA_URLhttps://accounts.google.com/.well-known/openid-configuration

Keycloak

  1. In Keycloak, create a new OpenID Connect client. Please refer to the Keycloak documentation for detailed instructions.

  2. In Keycloak, add Aleph’s OAuth endpoint as a redirect URI. For example, if your Aleph instance is available at https://example.org, add the following redirect URI:

    https://example.org/api/2/sessions/callback

  3. You also need the OpenID configuration endpoint of your Keycloak instance. For example, if your Keycloak instance is hosted at https://keycloak.example.org and you use a realm named aleph the OpenID configuration endpoint would be:

    https://keycloak.example.org/auth/realms/aleph/.well-known/openid-configuration

    You can also find the OpenID configuration endpoint in the realm settings in the Keycloak admin interface.

  4. After creating a new client in Keycloak, set the following Aleph configuration options:

    Configuration optionValue
    ALEPH_OAUTHtrue
    ALEPH_OAUTH_KEYClient ID
    ALEPH_OAUTH_SECRETClient secret
    ALEPH_OAUTH_METADATA_URLOpenID configuration endpoint (see previous step)

Microsoft Entra ID (formerly Azure Active Directory)

  1. Register a new application in the Microsoft Entra admin center. Please refer to the Microsoft Entra ID documentation for detailed instructions.

  2. If you want to allow only users in your organization to access your Aleph instance, make sure to select the correct account type.

  3. In the Microsoft Entra admin center, add Aleph’s OAuth endpoint as a redirect URI. For example, if your Aleph instance is available at https://example.org, add the following redirect URI:

    https://example.org/api/2/sessions/callback

  4. You also need the OpenID configuration endpoint of the app you created in the first step. Please refer to the Microsoft Entra ID documentation for instructions on how to find your OpenID configuration endpoint.

  5. After creating a new client in Keycloak, set the following Aleph configuration options:

    Configuration optionValue
    ALEPH_OAUTHtrue
    ALEPH_OAUTH_KEYClient ID
    ALEPH_OAUTH_SECRETClient secret
    ALEPH_OAUTH_METADATA_URLOpenID configuration endpoint (see previous step)