An auth system determines how users can log in to Astronomer Software. By default, Astronomer Software allows users to create an account and authenticate using one of the following methods:
Integrating an external identity provider (IdP) greatly increases the security of your platform. When you integrate your IdP into Astronomer Software:
In addition to the default methods, Astronomer provides the option to integrate any IdP that follows the Open Id Connect (OIDC) protocol. This includes (but is not limited to):
After you integrate your IdP, you can invite users that already have an account on your IdP to Astronomer Software. For a more advanced integration, you can configure SCIM so that you can manage users directly from your IdP and import batches of users into Astronomer Software as Teams.
App Registrations on AzureIn Microsoft Entra ID, click App registrations > New registration.
Complete the following sections:
https://houston.BASEDOMAIN/v1/oauth/redirect/.https://houston.BASEDOMAIN/v1/oauth/callback/.Replace BASEDOMAIN with your own. For example, if your base domain is example.com, your redirect URIs should be https://houston.example.com/v1/oauth/redirect/ and https://houston.example.com/v1/oauth/callback/.
Click Register.
Click Authentication in the left menu.
In the Web area, confirm the redirect URI is correct.
In the Implicit grant and hybrid flows area, select Access tokens and ID tokens.
Click Save.
Complete this setup only if you want to import Microsoft Entra ID groups to Astronomer Software as Teams.
In your Microsoft Entra ID application management left menu, click Certificates & secrets.
Click New client secret.
Enter a description in the Description field and then select an expiry period in the Expires list.
Click Add.
Copy the values in the Value and Secret ID columns.
Click API permissions in the left menu.
Click Microsoft Graph and add the following minimum permissions for Microsoft Graph:
emailGroup.Read.AllopenidprofileUser.ReadFor each of these permissions, select Grant Admin Consent for Astronomer Data. Your Microsoft Graph permissions should look similar to the following image:
Click Token configuration in the left menu.
Click Add groups claim and select the following options:
Click Add.
Encrypt the secret value you copied as a Kubernetes Secret on your Astronomer installation. See Store and encrypt identity provider secrets.
Add the following values to your values.yaml file:
Then, push the configuration change to your platform. See Apply a config change.
Integrating an external identity provider with Astronomer requires that the platform’s Houston API component is able to make outbound HTTPS requests to those identity providers in order to fetch discovery documents, sign keys, and ask for user profile information upon login/signup.
If your install is configured without a direct connection to the internet you will need to configure an HTTPS proxy server for Houston.
To configure the proxy server used we need to set the GLOBAL_AGENT_HTTPS_PROXY Environment Variable for the Houston deployment.
To do so, add the following to the Houston section of the values.yaml file in your astronomer directory:
Then, push the configuration change to your platform as described in Apply a config change.
Starting with Astronomer v0.27, you can set up a custom OAuth authorization flow as an alternative to Astronomer’s default implicit flow. You can customize Astronomer’s existing Okta, Google, and GitHub OAuth flows or import an entirely custom OAuth flow.
To use a custom Oauth authorization code flow:
In your values.yaml file, set the astronomer.houston.config.auth.openidConnect.flow value to "code":
Configure the section of your values.yaml file specific to your identity provider with each of the following values:
enabled: Set this value to true under the section for your own identity provider.clientId and clientSecret: Your Client ID and Client secretdiscoveryURL: Your base Discovery URLauthUrlParams: Additional parameters to append to your discovery URL. At a minimum, you must configure audience. Refer to your identity provider’s documentation for information on how to find this value (Auth0 maintains this information in their glossary, for example).For example, a custom configuration of Okta might look like the following.
You can also pass your auth configurations as environment variables in the Houston section of your values.yaml file. If you choose to configure your installation this way, set the following variables in the astronomer.houston.env list instead of setting values in astronomer.auth:
For further security, you can specify the values of these environment variables as Kubernetes secrets in the astronomer.houston.secret list. See Store and encrypt identity provider secrets.
To finalize your configuration, configure the following key values in your identity provider’s settings:
https://houston.<BASE_DOMAIN>/v1/oauth/callback/. Be sure to include the trailing /.When you complete this setup, you should be able to see the differences in login flow when logging in at <BASE_DOMAIN>.astronomer.io.
If you configured a fully custom OAuth flow, you should see a new Log in with Custom Oauth button on the Astronomer login screen:
You can see the name you configured in AUTH__OPENID_CONNECT__CUSTOM__DISPLAY_NAME when authenticating using the Astro CLI.
Astronomer Software supports integration with the open standard System for Cross-Domain Identity Management (SCIM). Using the SCIM protocol with Astronomer Software allows you to automatically provision and deprovision users and Teams based on templates that define permission and accesses. It also centralizes user management so that you can configure Astronomer user permissions directly from your identity provider (IdP).
In Okta Admin dashboard, go to Applications > Applications.
Click Browse App catalog
Search for SCIM 2.0, then select the option that includes Basic Auth. The configuration page for the SCIM integration appears.
Complete the General Settings page, then click Next.
Complete the Sign-On Options page and click Done.
Return to the Applications menu and search for the integration you just created. Click the integration to open its settings.
Click Provisioning, then click Configure API integration.
Tick the Enable API integration checkbox, then configure the following values:
https://astro-software-host/v1/scim/v2/okta<your-provisioning-account-username><your-provisioning-account-password>Click General, then click Edit. Give your application a name and configure any other required general settings.
Go to Push Groups page and create a rule for Group Push. See Group Push.
On the Assignments tab, ensure that the right users and groups in your org are assigned to the app integration. See Use the Assign Users to App action.
Follow the steps in Store and encrypt identity provider secrets to store your provisioning account credentials as a Kubernetes secret. Your secret configuration should look similar to the following:
Add the following lines to your values.yaml file:
Push the configuration change. See Apply a config change.
See Add SCIM provisioning to app integrations for more information about configuring SCIM within Okta.
You can prevent your identity provider passwords, authorization tokens, and security keys from being exposed as plain text by encrypting them in Kubernetes secrets.
This setup is primarily used for encrypting the required secrets for configuring a custom OAuth flow, but can also be used to encrypt any secrets used in your Helm configuration.
Create a file named secret.yaml that contains the value you want to encrypt as a Kubernetes secret. For example, the following configuration encrypts the required client secret for configuring a custom OAuth flow for Okta.
Run the following command to apply your secret to your Astronomer cluster:
Reference your secret name, key, and the environment variable you want the key to apply towards in your values.yaml file. To configure the example secret from Step 1 as an Okta client secret, you would add the following:
Save and push your changes. See Apply a config change.