Authentication

Software Factory supports several authentication backends. The Cauth component is used to enforce all authenticated HTTP access.

Single Sign On

Software Factory provides a unified authentication for services such as Gerrit or Storyboard. Once you are authenticated on Gerrit you are also logged in on Storyboard. Logging out from one service logs you out from other services as well.

Currently SF provides four kind of backends to authenticate:

  • Oauth2 for Github, Google and Bitbucket
  • OpenID (e.g. for Launchpad)
  • local user database hosted in the managesf node
  • LDAP backend
../_images/login.jpg

Admin user

The admin user is hard coded and only the password can be defined. To change the admin user password, edits sfconfig.yaml:

authentication:
  admin_password: userpass

OAuth2-based authentication

Software Factory allows authentication with several OAuth2-based identity providers. The following providers are currently supported:

  • GitHub
  • Google (user data will be fetched from Google+)
  • BitBucket

You have to register your SF deployment with the provider of your choice in order to enable authentication. Please refer to the provider’s documentation to do so. The OAuth2 protocol will always require a callback URL regardless of the provider. This URL is https://fqdn/auth/login/oauth2/callback

Heres is an example of setting up the GitHub authentication:

Log on https://github.com and open https://github.com/settings/developers and select “register a new application”

You have to complete the form, the following parameters are mandatory:

During configuration, the identity provider will generate a client ID and a client secret that are needed to complete the configuration in /etc/software-factory/sfconfig.yaml.

authentication:
  oauth2:
    github:
      disabled: False
      client_id: "Client ID"
      client_secret: "Client Secret"

Apply the configuration by running sfconfig and open https://$fqdn/auth/login, select github, you will be redirected to a github page to authorize application, validate. Github could now be used to authenticate yours users.

The other OAuth2 providers can be set up in a similar fashion. Because of possible collisions between user names and other details, it is advised to use only one provider per deployment.

The GitHub provider also lets you filter users logging in depending on the organizations they belong to, with the field “github_allowed_organizations”. Leave blank if not necessary.

OpenID authentication

Similarly, an OpenID provider can be used for authentication. Only a single OpenID provider can be configured at a time, for example to use Launchpad:

authentication:
  openid:
    disabled: False
    server: https://login.launchpad.net/+openid
    login_button_text: "Log in with Launchpad"

OpenID Connect authentication

An OpenID Connect provider can be used for authentication. Likewise OAuth2, it requires an application created on the provider to provides a client_id and client_secret. The callback URL will be: https://fqdn/auth/login/openid_connect/callback .

Moreover it needs an issuer_url to retrieve the openid-configuration. Only a single OpenID Connect provider can be configured at a time.

authentication:
  openid_connect:
      disabled: False
      issuer_url: https://accounts.google.com/
      login_button_text: "Log in with Google"
      client_id:
      client_secret:

The issuer_url can be tested using the /.well-known/openid-configuration uri path, e.g.: https://accounts.google.com/.well-known/openid-configuration

Local user management

For simple deployments without an Identity Provider, you can manage the users through the SFManager command-line utility (except for the default admin user, defined in the sfconfig.yaml file). See SFmanager command-line User management documentation for more details.

For example, to create a local user, run this command on the install-server:

sfmanager user create --username demo --password demo
    --email demo@sftests.com --fullname "A local demo user"

Other authentication settings

Identity provider data sync

By default, user data such as full name or email address are synchronized upon each successful login. Users can disable this behavior in the user settings page (available from top right menu). When disabled, users can manage the email address used in Software Factory service indepently from the identity provider data.