Configure authentication and configure an identity provider on Astronomer Software
An auth system determines how users can log in to Astronomer Software. By default, Astronomer Software allows users to create an account and authenticate using one of the following methods:
- Google OAuth
- GitHub OAuth
- Local username/password
Integrating an external identity provider (IdP) greatly increases the security of your platform. When you integrate your IdP into Astronomer Software:
- Users no longer need to repeatedly login and remember credentials for their account.
- You have complete ownership over credential configuration and management on Astro.
- You can enforce multi-factor authentication (MFA) for users.
In addition to the default methods, Astronomer provides the option to integrate any IdP that follows the Open Id Connect (OIDC) protocol. This includes (but is not limited to):
- Microsoft Entra ID
- Okta
- IdPs managed through Auth0
- Amazon Cognito
After you integrate your IdP, you can invite users that already have an account on your IdP to Astronomer Software. For a more advanced integration, you can configure SCIM so that you can manage users directly from your IdP and import batches of users into Astronomer Software as Teams.
The following setups assume that you are using the default Astronomer implicit flow as your authorization flow. To implement a custom authorization flow, see Configure a Custom OAuth Flow.
- Microsoft Entra ID
- Okta
- Auth0
- AWS Cognito
- Local auth
- General OIDC
Step 1: Register an application using App Registrations
on Azure
-
In Microsoft Entra ID, click App registrations > New registration.
-
Complete the following sections:
- Name: Any
- Supported account types: Accounts in this organizational directory only (Astronomer only - single tenant)
- Redirect URIs:
- Web /
https://houston.BASEDOMAIN/v1/oauth/redirect/
. - Web /
https://houston.BASEDOMAIN/v1/oauth/callback/
.
- Web /
Replace
BASEDOMAIN
with your own. For example, if your base domain isexample.com
, your redirect URIs should behttps://houston.example.com/v1/oauth/redirect/
andhttps://houston.example.com/v1/oauth/callback/
. -
Click Register.
-
Click Authentication in the left menu.
-
In the Web area, confirm the redirect URI is correct.
-
In the Implicit grant and hybrid flows area, select Access tokens and ID tokens.
-
Click Save.
Step 2: (Optional) Create a client secret
Complete this setup only if you want to import Microsoft Entra ID groups to Astronomer Software as Teams.
-
In your Microsoft Entra ID application management left menu, click Certificates & secrets.
-
Click New client secret.
-
Enter a description in the Description field and then select an expiry period in the Expires list.
-
Click Add.
-
Copy the values in the Value and Secret ID columns.
-
Click API permissions in the left menu.
-
Click Microsoft Graph and add the following minimum permissions for Microsoft Graph:
email
Group.Read.All
openid
profile
User.Read
For each of these permissions, select Grant Admin Consent for Astronomer Data. Your Microsoft Graph permissions should look similar to the following image:
-
Click Token configuration in the left menu.
-
Click Add groups claim and select the following options:
- In the Select group types to include in Access, ID, and SAML tokens area, select every option.
- In Customize token properties by type area, expand ID, Access, and SAML and then select Group ID for each type.
-
Click Add.
-
Base64 encode the client secret retrieved from Microsoft with Linux or macOS terminal with the following command:
echo '<microsoft-secret-value> | base64
-
Create a Kubernetes Secret in the
astronomer
Namespace, or whichever Namespace where Houston is deployed, using the following YAML as an example:
# Required configuration for all secrets
kind: Secret
apiVersion: v1
metadata:
name: microsoft-secret
type: Opaque
# Specify a key and value for the data you want to encrypt
data:
microsoft_client_secret: "<encoded-microsoft-secret-value>"
- Apply the Kubernetes Secret with
kubectl apply -n astronomer -f <filename>.yaml
Step 3: Enable Microsoft Entra ID in your values.yaml file
Add the following values to your values.yaml
file:
astronomer:
houston:
config:
auth:
openidConnect:
flow: "code"
google:
enabled: false
microsoft:
enabled: true
clientId: <your-client-id>
discoveryUrl: https://login.microsoftonline.com/<tenant-id>/v2.0/.well-known/openid-configuration
# Configure a secret only if you're importing Microsoft Entra ID user groups as Teams
clientSecret: <your-client-secret>
baseDomain: login.microsoftonline.com
authUrlParams:
audience: <your-client-id>
github:
enabled: false
Then, push the configuration change to your platform. See Apply a config change.
Step 1: Configure Okta
-
If you haven't already, create an Okta account.
-
In your Okta account, create a new web app for Astronomer.
-
In Okta, under General Settings > Application, set
Login redirect URIs
tohttps://houston.BASEDOMAIN/v1/oauth/redirect/
, whereBASEDOMAIN
is the domain where you're hosting your Software installation. -
Under Allowed grant types, select
Implicit (Hybrid)
. -
Save the
Client ID
generated for this Okta app for use in the next steps. -
Optional. To ensure that an Okta tile appears for Astronomer, set
Initiate Login URI
tohttps://houston.BASEDOMAIN/v1/oauth/start?provider=okta
.
Step 2: Integrate Okta with Astronomer Software
Add the following to your values.yaml
file in your astronomer
directory:
astronomer:
houston:
config:
auth:
openidConnect:
okta:
enabled: true
clientId: "<okta-client-id>"
discoveryUrl: "https://<okta-base-domain>/.well-known/openid-configuration"
Then, push the configuration change to your platform. See Apply a config change.
okta-base-domain
is different from the base domain of your Software installation. See Okta documentation for finding your domain if you are unsure what this value should be.
If you manage your identity provider through Auth0, follow these steps to configure the identity provider for Astro.
Step 1: Create an Auth0 tenant domain
Follow the Auth0 documentation to create a tenant. You can use the default domain name or your own unique tenant-name
. Your full tenant domain looks something like astronomer.auth0.com
.
Your full tenant domain may differ if you've created it outside of the United States.
Step 2: Create a connection between Auth0 and your identity management provider
Follow steps in the the Auth0 connection guide for your identity provider to create an integration between your tenant and identity provider.
Step 3: Configure Auth0 application settings
- Go to
https://manage.auth0.com/dashboard/us/<tenant-name>/applications
. - Under Applications, select Default App.
- Open the Connections tab. You should see your new connection here. Enable your new connection, and disable any connections that you won't be using.
- Open the Settings tab.
- Under Allowed Callback URLs, add
https://houston.<your-astronomer-base-domain>/v1/oauth/redirect/
. - Under Allowed Logout URLs, add
https://app.<your-astronomer-base-domain>/logout
. - Under Allowed Origins (CORS), add
https://*.<your-astronomer-base-domain>
. - Go to
https://manage.auth0.com/dashboard/us/<tenant-name>/apis
. - Click
+ Create API
. - Under Name, enter
astronomer-ee
. - Under Identifier, enter
astronomer-ee
. - Leave the value under Signing Algorithm as
RS256
.
Step 4: Enable Auth0 in your values.yaml file
Add the following to your values.yaml
file in your astronomer
directory:
astronomer:
houston:
config:
auth:
openidConnect:
auth0:
enabled: true
clientId: "<default-app-client-id>"
discoveryUrl: https://<tenant-name>.auth0.com
Then, push the configuration change to your platform as described in Apply a config change.
You can find your clientID
value at https://manage.auth0.com/dashboard/us/<tenant-name>/applications
listed next to 'Default App'.
Step 1: Create a user pool in Cognito
Start by creating a user pool in Cognito. You can either review the default settings or step through them to customize.
Make sure that you create an App client
, which is the OpenID client configuration that Astronomer uses to authenticate against. You do not need to generate a client secret, as Astronomer is a public client that uses implicit flow.
After Auth0 creates the pool and app client, open App integration
>App client settings
and configure the following settings:
- Select an identity provider to use (either the built-in cognito user pool or a federated identity provider).
- Set the callback URL parameter to
https://houston.BASEDOMAIN/v1/oauth/redirect/
. - Enable
Implicit grant
inAllowed OAuth Flows
. Leave the other settings disabled. - Enable
email
,openid
, andprofile
inAllowed OAuth Scopes
.
Then, switch to the Domain name tab and select a unique domain name to use for your hosted Cognito components.
Step 2: Edit your Astronomer configuration
Add the following values to your values.yaml
file in the astronomer/
directory:
astronomer:
houston:
config:
auth:
openidConnect:
cognito:
enabled: true
clientId: <client_id>
discoveryUrl: https://cognito-idp.<AWS-REGION>.amazonaws.com/<COGNITO-POOL-ID>/.well-known/openid-configuration
authUrlParams:
response_type: token
Your Cognito pool ID can be found in the General settings
tab of the Cognito portal. Your client ID is found in the App clients
tab.
After you save your values.yaml
file with these values, push it to your platform. See Apply a config change.
To let users authenticate to Astronomer with a local username and password, follow the steps below.
-
Enable
local auth
in yourvalues.yaml
file:astronomer:
houston:
config:
auth:
local:
enabled: true -
Push the configuration change to your platform. See Apply a config change.
Astronomer supports a generic OIDC configuration to accommodate all OIDC-compliant providers. If there are no specific setup instructions for your OIDC provider in this document, you can add the following configuration to your values.yaml
file.
For example:
astronomer:
houston:
config:
auth:
openidConnect:
clockTolerance: 0 # A field that can optionally be set to adjust for clock skew on the server.
<provider-name>:
enabled: true
discoveryUrl: <provider-discovery-url> # Note this must be a URL that with an https:// prefix
clientId: <provider-client-id>
authUrlParams: # Additional required params set on case-by-case basis
Then, push the configuration change to your platform. See Apply a config change.
Running behind an HTTPS proxy
Integrating an external identity provider with Astronomer requires that the platform's Houston API component is able to make outbound HTTPS requests to those identity providers in order to fetch discovery documents, sign keys, and ask for user profile information upon login/signup.
If your install is configured without a direct connection to the internet you will need to configure an HTTPS proxy server for Houston.
Configure an HTTPS proxy server for Houston
To configure the proxy server used we need to set the GLOBAL_AGENT_HTTPS_PROXY
Environment Variable for the Houston deployment.
To do so, add the following to the Houston section of the values.yaml
file in your astronomer
directory:
astronomer:
houston:
config:
auth:
openidConnect:
<provider>:
enabled: true
clientId: ...
discoveryUrl: ...
env:
- name: GLOBAL_AGENT_HTTPS_PROXY
value: http://my-proxy:3129
Then, push the configuration change to your platform as described in Apply a config change.
Configure a custom OAuth flow
Starting with Astronomer v0.27, you can set up a custom OAuth authorization flow as an alternative to Astronomer's default implicit flow. You can customize Astronomer's existing Okta, Google, and GitHub OAuth flows or import an entirely custom OAuth flow.
This setup must be completed only during a scheduled maintenance window. There should be no active users on your installation until the setup has been finalized.
Step 1: Configure your authorization flow on Astronomer
To use a custom Oauth authorization code flow:
-
In your
values.yaml
file, set theastronomer.houston.config.auth.openidConnect.flow
value to"code"
:astronomer:
houston:
config:
auth:
# Local database (user/pass) configuration.
local:
enabled: true
openidConnect:
# Valid values are "code" and "implicit"
flow: "code" -
Configure the section of your
values.yaml
file specific to your identity provider with each of the following values:enabled
: Set this value totrue
under the section for your own identity provider.clientId
andclientSecret
: Your Client ID and Client secretdiscoveryURL
: Your base Discovery URLauthUrlParams
: Additional parameters to append to your discovery URL. At a minimum, you must configureaudience
. Refer to your identity provider's documentation for information on how to find this value (Auth0 maintains this information in their glossary, for example).
For example, a custom configuration of Okta might look like the following.
astronomer:
houston:
config:
auth:
okta:
enabled: true
clientId: ffhsdf78f734h2fsd
clientSecret: FSDFSLDFJELLGJLSDFGJL42353425
discoveryUrl: "https://<your-idp-url>.okta.com/oauth2/default/.well-known/openid-configuration"
authUrlParams:
audience: "GYHWEYHTHR443fFEW"- Push your configuration changes to your platform as described in Apply a config change.
You can also pass your auth configurations as environment variables in the Houston section of your values.yaml
file. If you choose to configure your installation this way, set the following variables in the astronomer.houston.env
list instead of setting values in astronomer.auth
:
# Replace <idp-provider> with OKTA, AUTH0, or CUSTOM
AUTH__OPENID_CONNECT__<idp-provider>__ENABLED="true"
AUTH__OPENID_CONNECT__<idp-provider>__CLIENT_ID="<client-id>"
AUTH__OPENID_CONNECT__<idp-provider>__CLIENT_SECRET="<client-secret>"
AUTH__OPENID_CONNECT__<idp-provider>__DISCOVERY_URL="<discovery-url>
AUTH__OPENID_CONNECT__<idp-provider>__AUTH_URL_PARAMS__AUDIENCE="<audience>"
AUTH__OPENID_CONNECT__FLOW="implicit" # or "code"
AUTH__OPENID_CONNECT__<idp-provider>__BASE_DOMAIN="<base-domain>"
AUTH__OPENID_CONNECT__CUSTOM__DISPLAY_NAME="Custom OAuth" # Only used for custom flows
For further security, you can specify the values of these environment variables as Kubernetes secrets in the astronomer.houston.secret
list. See Store and encrypt identity provider secrets.
Step 2: Configure your identity provider
To finalize your configuration, configure the following key values in your identity provider's settings:
- Grant Code: Set to "Code" or "Auth Code" depending on your identity provider.
- Sign-in Redirect URI: Set to
https://houston.<BASE_DOMAIN>/v1/oauth/callback/
. Be sure to include the trailing/
.
Step 3: Confirm your installation
When you complete this setup, you should be able to see the differences in login flow when logging in at <BASE_DOMAIN>.astronomer.io
.
If you configured a fully custom OAuth flow, you should see a new Log in with Custom Oauth button on the Astronomer login screen:
You can see the name you configured in AUTH__OPENID_CONNECT__CUSTOM__DISPLAY_NAME
when authenticating using the Astro CLI.
Manage users and Teams with SCIM
Astronomer Software supports integration with the open standard System for Cross-Domain Identity Management (SCIM). Using the SCIM protocol with Astronomer Software allows you to automatically provision and deprovision users and Teams based on templates that define permission and accesses. It also centralizes user management so that you can configure Astronomer user permissions directly from your identity provider (IdP).
SCIM works because the IdP pushes updates about users and teams to Astronomer Software. This means your Astronomer Software platform must be connected to the internet and exposed on port 443 to receive those updates. If you run Astronomer Software without exposing it to the internet, there might be solutions with Microsoft Entra ID and Okta for routing SCIM traffic, depending on your combination of cloud provider and IdP. Contact Astronomer support for more information.
- Microsoft Entra ID
- Okta
-
In Okta Admin dashboard, go to Applications > Applications.
-
Click Browse App catalog
-
Search for
SCIM 2.0
, then select the option that includes Basic Auth. The configuration page for the SCIM integration appears. -
Complete the General Settings page, then click Next.
-
Complete the Sign-On Options page and click Done.
-
Return to the Applications menu and search for the integration you just created. Click the integration to open its settings.
-
Click Provisioning, then click Configure API integration.
-
Tick the Enable API integration checkbox, then configure the following values:
- SCIM connector base URL:
https://astro-software-host/v1/scim/v2/okta
- Authentication mode: Basic Auth
- Username:
<your-provisioning-account-username>
- Password:
<your-provisioning-account-password>
- Username:
- SCIM connector base URL:
-
Click General, then click Edit. Give your application a name and configure any other required general settings.
-
Go to Push Groups page and create a rule for Group Push. See Group Push.
-
On the Assignments tab, ensure that the right users and groups in your org are assigned to the app integration. See Use the Assign Users to App action.
-
Follow the steps in Store and encrypt identity provider secrets to store your provisioning account credentials as a Kubernetes secret. Make sure to Base64 encode the credentials, as it is a requirement for Kubernetes secrets. This can be done using the Linux or macOS terminal with
echo '<your-provisioning-account-username>:<your-provisioning-account-password> | base64
. Your secret configuration should look similar to the following:# Required configuration for all secrets
kind: Secret
apiVersion: v1
metadata:
name: okta-provisioning-secret
type: Opaque
# Specify a key and value for the data you want to encrypt
data:
okta_provisioning_account_secret: "<encoded-okta-secret-value>" -
Add the following lines to your
values.yaml
file:astronomer:
houston:
secret:
- envName: "SCIM_AUTH_CODE_OKTA"
secretName: "okta-provisioning-secret"
secretKey: "okta_provisioning_account_secret" -
Push the configuration change. See Apply a config change.
See Add SCIM provisioning to app integrations for more information about configuring SCIM within Okta.
-
Generate a random string to use as an authentication secret. See random.org for accessible randomization tools.
-
Follow the steps in Store and encrypt identity provider secrets to store your string as a Kubernetes secret. Your secret configuration should look similar to the following:
# Required configuration for all secrets
kind: Secret
apiVersion: v1
metadata:
name: azure-provisioning-secret
type: Opaque
# Specify a key and value for the data you want to encrypt
data:
azure_provisioning_secret: "<your-generated-string>" -
In your
values.yaml
file, add the following configuration:astronomer:
houston:
secret:
- envName: "SCIM_AUTH_CODE_MICROSOFT"
secretName: "azure-provisioning-secret"
secretKey: "azure_provisioning_secret" -
Push the configuration change. See Apply a config change.
-
Log in to the Microsoft Entra ID portal.
-
In the left menu, select Enterprise applications, then click New application > Create your own application.
-
Enter a name for your application and select Integrate any other application you don't find in the gallery.
-
Click Create to create an app object. Microsoft Entra ID opens the application management menu for your new application.
-
In the application management menu for your new application, go to Manage > Provisioning and click Get Started.
-
Click Provisioning Mode > Automatic.
-
In the Tenant URL field, enter
https://BASEDOMAIN/v1/scim/v2/microsoft
. This is the Astronomer SCIM endpoint URL. -
Paste the
scimAuthCode
that you generated in Step 1 into the Secret Token field. -
Click Test connection in the Microsoft Entra ID application management menu to confirm your connection to the SCIM endpoint.
-
Create mappings for your Astronomer users and roles. See Tutorial - Customize user provisioning attribute-mappings for SaaS applications in Microsoft Entra ID.
-
Click Manage > Provisioning > Settings.
-
In the Scope setting list, select Sync only assigned users and groups.
-
Click the Provisioning status toggle to turn provisioning status on.
-
Click Save.
Store and encrypt identity provider secrets
You can prevent your identity provider passwords, authorization tokens, and security keys from being exposed as plain text by encrypting them in Kubernetes secrets.
This setup is primarily used for encrypting the required secrets for configuring a custom OAuth flow, but can also be used to encrypt any secrets used in your Helm configuration.
-
Create a file named
secret.yaml
that contains the value you want to encrypt as a Kubernetes secret. For example, the following configuration encrypts the required client secret for configuring a custom OAuth flow for Okta.# Required configuration for all secrets
kind: Secret
apiVersion: v1
metadata:
name: okta-secret
type: Opaque
# Specify a key and value for the data you want to encrypt
data:
okta_client_secret: "<okta-secret-value>" -
Run the following command to apply your secret to your Astronomer cluster:
kubectl apply -f ./secret.yaml
-
Reference your secret name, key, and the environment variable you want the key to apply towards in your
values.yaml
file. To configure the example secret from Step 1 as an Okta client secret, you would add the following:astronomer:
houston:
secret:
- envName: "AUTH__OPENID_CONNECT__OKTA__CLIENT_SECRET"
secretName: "okta-secret"
secretKey: "okta_client_secret" -
Save and push your changes. See Apply a config change.