How to use Auth0 as an identity provider

This guide describes how to use Auth0 as an Identity Provider (IdP) in Virtuozzo Infrastructure for accessing the admin and self-service panels.

Using an external IdP as a source of identity gives the following benefits for both administrators logging into the admin panel and end users logging into the self-service panel:

  • The ability to use a corporate IdP, such as Active Directory, Okta, or Keycloak, as a single source of users, to administer Virtuozzo Infrastructure and manage services in the self-service panel.
  • The ability to use multi-factor authentication for the admin and self-service panels.

In general, this is a much more secure way of managing services than a user-password pair.

In Virtuozzo Infrastructure, system administrators can configure user authentication to the admin and self-service panels through any external identity provider that supports the OpenID Connect protocol. For more details, refer to the Administrator Guide.

Prerequisites

1. Deploy a Virtuozzo Infrastructure cluster.

2. Create the compute cluster.

3. Create an Auth0 account. For this guide, having a basic free account will be enough.

Using Auth0 as an IdP for the self-service panel

Creating an application on Auth0

1. In the Auth0 management panel, go to Applications and click Create Application.

2. Select Single Page Apps and Vue (the SPA type does not matter).

3. Go to Settings of your created application and enter the following settings:

  • Name: Virtuozzo Infrastructure (or any other name of your choice)
  • Application Login URI: https://<your_domain_name>:8800 (assuming your Virtuozzo Infrastructure cluster has a domain name, but an IP address will also work)
  • Allowed Callback URLs: https://<your_domain_name>:8800/api/v2/login/idp/ (assuming your Virtuozzo Infrastructure cluster has a domain name, but an IP address will also work)
  • Other settings: keep the default values

4. Click Save to apply your changes.

Preparing a test domain in Virtuozzo Infrastructure

1. Create a domain named virtuozzo for our test. In the admin panel, go to Settings → Projects and users and click Create domain.

2. Create a user group for our federated users (that is, users connected using OpenID). In the admin panel, go to Settings → Projects and users → virtuozzo domain → Domain groups and click Create domain group. Specify the following parameters:

  • Name: Domain Admins
  • Role: Domain administrator
  • Permissions: up to you

In this case, all federated users will have domain administrator permissions. If you prefer your federated users to be project members assigned to a specific project, create a new group with the project member permissions and assign some projects to it.

Creating an IdP in Virtuozzo Infrastructure

In the admin panel, go to Settings → Projects and users → virtuozzo domain → Settings → Identity Provider and click Add. Specify the following parameters:

  • Name: Auth0 (or any name of your choice)

  • Issuer ID: Auth0 → Applications → Virtuozzo Infrastructure → Settings → Domain, for example, http://dev-xxxx-xxx.us.auth0.com

  • Client ID: Auth0 → Applications → Virtuozzo Infrastructure → Settings → Client ID

  • Client Secret: Auth0 → Applications → Virtuozzo Infrastructure → Settings → Client Secret

  • Metadata URL: Auth0 → Applications → Virtuozzo Infrastructure → Settings → Advanced Settings → Endpoints → OpenID Configuration

  • Scope: openid email profile (space-separated, without commas)

  • Mapping:

    • Attribute: email
    • Condition: exists
    • User group: Domain Admins
    • User name: email

Add the identity provider.
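The values entered above can be sanity-checked before you click Add. The following Python script is an added example, not part of Virtuozzo Infrastructure or Auth0: it parses a constructed copy of the OpenID Configuration document that the Metadata URL returns (the tenant name, client ID and client secret are placeholders), checks the Issuer ID, Metadata URL, scope and client credentials against that document, and then evaluates the Mapping entry (Attribute, Condition, User group, User name) against the claims of a constructed ID token. Auth0 publishes its issuer with an https scheme and a trailing slash, so the check reports an http issuer as a problem and tolerates only the trailing slash. The `equals` condition is an assumed extension; this guide uses only `exists`.

```python
"""Check an Identity Provider form entry against the IdP's OpenID Configuration
and evaluate the mapping rule on ID-token claims.
Added example; not Virtuozzo Infrastructure or Auth0 code."""
import json
from urllib.parse import urlparse

# Constructed copy of the kind of document the Metadata URL returns; a real
# Auth0 tenant serves it at https://<tenant>/.well-known/openid-configuration.
SAMPLE_DISCOVERY_JSON = """{
  "issuer": "https://dev-xxxx-xxx.us.auth0.com/",
  "authorization_endpoint": "https://dev-xxxx-xxx.us.auth0.com/authorize",
  "token_endpoint": "https://dev-xxxx-xxx.us.auth0.com/oauth/token",
  "jwks_uri": "https://dev-xxxx-xxx.us.auth0.com/.well-known/jwks.json",
  "response_types_supported": ["code", "token", "id_token", "code token",
                               "code id_token", "token id_token"],
  "scopes_supported": ["openid", "profile", "email", "offline_access"],
  "id_token_signing_alg_values_supported": ["RS256"]
}"""

# What the administrator enters in the Identity Provider form (constructed;
# the tenant name, client ID and secret are placeholders).
IDP_SETTINGS = {
    "name": "Auth0",
    "issuer": "https://dev-xxxx-xxx.us.auth0.com",
    "client_id": "EXAMPLE_CLIENT_ID",
    "client_secret": "EXAMPLE_CLIENT_SECRET",
    "metadata_url": "https://dev-xxxx-xxx.us.auth0.com/.well-known/openid-configuration",
    "scope": "openid email profile",
}

# The Mapping entry from the guide: one rule, evaluated against ID-token claims.
MAPPING_RULES = [
    {"attribute": "email", "condition": "exists",
     "user_group": "Domain Admins", "user_name": "email"},
]


def load_discovery(raw=SAMPLE_DISCOVERY_JSON):
    return json.loads(raw)


def same_issuer(a, b):
    # Issuers are compared as strings; tolerate only the trailing slash that
    # Auth0 publishes and that administrators commonly leave out of the form.
    return a.rstrip("/") == b.rstrip("/")


def check_idp_settings(settings, discovery):
    """Return a list of problems with the form values; empty means consistent."""
    problems = []
    issuer = urlparse(settings["issuer"])
    if issuer.scheme != "https":
        problems.append("issuer must use https; tokens are only trusted from a TLS-protected issuer")
    if not same_issuer(settings["issuer"], discovery.get("issuer", "")):
        problems.append("issuer does not match the issuer in the discovery document")
    metadata = urlparse(settings["metadata_url"])
    if not metadata.path.endswith("/.well-known/openid-configuration"):
        problems.append("metadata URL is not an OpenID Configuration endpoint")
    if metadata.scheme != "https" or metadata.netloc != issuer.netloc:
        problems.append("metadata URL must be https on the issuer's host")
    if "code" not in discovery.get("response_types_supported", []):
        problems.append("IdP does not advertise the authorization code flow (response_type=code)")
    if "," in settings["scope"]:
        problems.append("scope must be space-separated, not comma-separated")
    requested = settings["scope"].split()
    if "openid" not in requested:
        problems.append("scope must include openid")
    unsupported = [s for s in requested if s not in discovery.get("scopes_supported", [])]
    if unsupported:
        problems.append("scopes not supported by the IdP: " + ", ".join(unsupported))
    if not settings.get("client_id") or not settings.get("client_secret"):
        problems.append("client ID and client secret must both be set")
    return problems


def apply_mapping(rules, claims):
    """Evaluate mapping rules against ID-token claims; the first match wins.
    Returns {"user_name", "user_group"} or None when no rule matches, in which
    case the federated user has no group and must not be logged in."""
    for rule in rules:
        value = claims.get(rule["attribute"])
        if rule["condition"] == "exists":
            matched = value not in (None, "")
        elif rule["condition"] == "equals":  # assumed extension; the guide uses exists
            matched = value == rule.get("value")
        else:
            raise ValueError("unknown condition: " + rule["condition"])
        if not matched:
            continue
        user_name = claims.get(rule["user_name"])
        if user_name:
            return {"user_name": user_name, "user_group": rule["user_group"]}
    return None


if __name__ == "__main__":
    disc = load_discovery()
    print("problems:", check_idp_settings(IDP_SETTINGS, disc) or "none")
    print(apply_mapping(MAPPING_RULES, {"sub": "auth0|1", "email": "testuser@virtuozzo.com"}))
    print(apply_mapping(MAPPING_RULES, {"sub": "auth0|2"}))
```

A user whose ID token carries no email claim falls through every rule and gets no group, which is the intended outcome: the mapping, not the mere fact of authenticating at Auth0, decides who gets Domain Admins.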

Testing the connection

1. Create a test user for Auth0. In the Auth0 management panel, go to User Management → Users and click Create User. Specify the following parameters:

  • Email: testuser@virtuozzo.com
  • Password: <your_password>
  • Connection: Username-Password-Authentication or any other if you have more connections

2. Open the link to your self-service panel and Virtuozzo domain in a browser (incognito mode recommended), for example, https://<your_domain>:8800/login/virtuozzo/. You should see the Auth0 authentication option:

(Screenshot: IdP sign-in option on the self-service panel login screen)

3. Click Sign in with Auth0, and the Auth0 authentication window will appear. Enter the testuser credentials and you will be logged in to the Virtuozzo Infrastructure self-service panel with the Domain Admins permissions.

To avoid showing the user-password authentication method on the self-service panel login screen, use the direct link to the Auth0 authentication method. In the admin panel, go to Settings → Projects and users → virtuozzo domain → Settings → Identity Provider and copy the self-service panel URL link.

Using Auth0 as an IdP for the admin panel

To allow users from Auth0 or Okta to log in to the admin panel, follow the same procedure for creating an identity provider, but use the Default domain instead. Select the System administrator role for the group you are going to use for federated users.

Note: OpenID Connect supports multiple authorization flows. Auth0 supports both Authorization Code Flow and Implicit Flow, so additional configuration is not needed. However, some identity providers support only one flow. To change the flow type, refer to the Administrator Guide.

For more details on flows, refer to Authentication and Authorization Flows.
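To make the difference between the two flows concrete, and to show why the Allowed Callback URLs value registered in the Auth0 application must match the redirect exactly, here is an added example (not code from Virtuozzo Infrastructure or Auth0) that models a minimal OpenID Connect provider in Python. The client registration, the cluster name `cluster.example.com` standing in for `<your_domain_name>`, the user identifier and the token strings are constructed placeholders; a real provider issues signed JWTs and performs the exchange over HTTPS.

```python
"""Minimal model of an OpenID Connect provider handling the two flows named in
this guide. Added example; not Virtuozzo Infrastructure or Auth0 code."""
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Registration matching the Auth0 application settings in this guide
# (constructed values; cluster.example.com stands in for <your_domain_name>).
REGISTERED_CLIENT = {
    "client_id": "EXAMPLE_CLIENT_ID",
    "client_secret": "EXAMPLE_CLIENT_SECRET",
    "callback_urls": ["https://cluster.example.com:8800/api/v2/login/idp/"],
    # Auth0 allows both flows for the same application; a provider that
    # supports only one would list a single response type here.
    "allowed_response_types": {"code", "id_token token"},
}

ISSUED_CODES = {}  # code -> (client_id, redirect_uri, subject); one-time use


def authorize(client, request, subject="auth0|testuser"):
    """Validate an /authorize request for an already-authenticated user and
    build the redirect back to the client. Returns (redirect_url, error)."""
    if request.get("client_id") != client["client_id"]:
        return None, "unknown client"
    redirect_uri = request.get("redirect_uri", "")
    # Exact string comparison against the registered list: no prefix, wildcard
    # or host-only matching, or the code/tokens could be sent to another page.
    if redirect_uri not in client["callback_urls"]:
        return None, "redirect_uri not registered"
    response_type = request.get("response_type", "")
    if response_type not in client["allowed_response_types"]:
        return None, "response_type not allowed for this client"
    if "openid" not in request.get("scope", "").split():
        return None, "scope must include openid"
    state = request.get("state")
    if not state:
        return None, "state is required to bind the response to the login attempt"
    if response_type == "code":
        # Authorization code flow: only a short-lived, single-use code passes
        # through the browser; tokens are fetched on the back channel.
        code = secrets.token_urlsafe(16)
        ISSUED_CODES[code] = (client["client_id"], redirect_uri, subject)
        return redirect_uri + "?" + urlencode({"code": code, "state": state}), None
    # Implicit flow: the tokens themselves are handed to the browser in the
    # URL fragment, with no client authentication step.
    fragment = {"id_token": "ID_TOKEN_FOR_" + subject,
                "access_token": "ACCESS_TOKEN_PLACEHOLDER", "state": state}
    return redirect_uri + "#" + urlencode(fragment), None


def token(client, code, redirect_uri, client_secret):
    """Back-channel /token exchange (code flow only). Returns (tokens, error)."""
    if client_secret != client["client_secret"]:
        return None, "invalid client credentials"
    entry = ISSUED_CODES.pop(code, None)  # a code may be redeemed once
    if entry is None:
        return None, "invalid or already used code"
    client_id, issued_for, subject = entry
    if client_id != client["client_id"] or issued_for != redirect_uri:
        return None, "code was not issued to this client and redirect_uri"
    return {"id_token": "ID_TOKEN_FOR_" + subject, "token_type": "Bearer"}, None


def redirect_params(url):
    """Client side: split the redirect into query and fragment parameters."""
    def flat(qs):
        return {k: v[0] for k, v in parse_qs(qs).items()}
    parts = urlparse(url)
    return flat(parts.query), flat(parts.fragment)


def run_code_flow(client, state):
    """Client side of the code flow. Returns the ID token, or None on any failure."""
    req = {"client_id": client["client_id"],
           "redirect_uri": client["callback_urls"][0],
           "response_type": "code", "scope": "openid email profile", "state": state}
    url, err = authorize(client, req)
    if err:
        return None
    query, _ = redirect_params(url)
    if query.get("state") != state:  # response does not belong to this attempt
        return None
    tokens, err = token(client, query["code"], req["redirect_uri"], client["client_secret"])
    return None if err else tokens["id_token"]


if __name__ == "__main__":
    print("code flow ->", run_code_flow(REGISTERED_CLIENT, secrets.token_urlsafe(8)))
    _, err = authorize(REGISTERED_CLIENT, {
        "client_id": "EXAMPLE_CLIENT_ID",
        "redirect_uri": "https://cluster.example.com:8800/api/v2/login/idp/other",
        "response_type": "code", "scope": "openid", "state": "x"})
    print("unregistered redirect ->", err)
```

In the code flow the client secret entered in the Identity Provider form is used at the token endpoint, so the tokens never travel through the browser; in the implicit flow they do, which is why providers that support only one flow usually support the code flow, and why the callback URL must be registered exactly as the panel will present it.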

Enjoy!