Software Factory supports several authentication backends. The Cauth component is used to enforce all authenticated HTTP access.
Single Sign On¶
Software Factory provides a unified authentication for services such as Gerrit or Storyboard. Once you are authenticated on Gerrit you are also logged in on Storyboard. Logging out from one service logs you out from other services as well.
Currently SF provides four kind of backends to authenticate:
- Oauth2 for Github, Google and Bitbucket
- OpenID (e.g. for Launchpad)
- local user database hosted in the managesf node
- LDAP backend
The admin user is hard coded and only the password can be defined. To change the admin user password, edits sfconfig.yaml:
authentication: admin_password: userpass
Software Factory allows authentication with several OAuth2-based identity providers. The following providers are currently supported:
- Google (user data will be fetched from Google+)
You have to register your SF deployment with the provider of your choice in order to enable authentication. Please refer to the provider’s documentation to do so. The OAuth2 protocol will always require a callback URL regardless of the provider. This URL is https://fqdn/auth/login/oauth2/callback
Heres is an example of setting up the GitHub authentication:
You have to complete the form, the following parameters are mandatory:
- Application name: $fqdn
- Homepage URL: https://$fqdn/auth/login
- Authorization callback URL: https://$fqdn/auth/login/oauth2/callback
During configuration, the identity provider will generate a client ID and a client secret that are needed to complete the configuration in /etc/software-factory/sfconfig.yaml.
authentication: oauth2: github: disabled: False client_id: "Client ID" client_secret: "Client Secret"
Apply the configuration by running sfconfig and open https://$fqdn/auth/login, select github, you will be redirected to a github page to authorize application, validate. Github could now be used to authenticate yours users.
The other OAuth2 providers can be set up in a similar fashion. Because of possible collisions between user names and other details, it is advised to use only one provider per deployment.
The GitHub provider also lets you filter users logging in depending on the organizations they belong to, with the field “github_allowed_organizations”. Leave blank if not necessary.
Similarly, an OpenID provider can be used for authentication. Only a single OpenID provider can be configured at a time, for example to use Launchpad:
authentication: openid: disabled: False server: https://login.launchpad.net/+openid login_button_text: "Log in with Launchpad"
OpenID Connect authentication¶
An OpenID Connect provider can be used for authentication. Likewise OAuth2, it requires an application created on the provider to provides a client_id and client_secret. The callback URL will be: https://fqdn/auth/login/openid_connect/callback .
Moreover it needs an issuer_url to retrieve the openid-configuration. Only a single OpenID Connect provider can be configured at a time.
authentication: openid_connect: disabled: False issuer_url: https://accounts.google.com/ login_button_text: "Log in with Google" client_id: client_secret:
The issuer_url can be tested using the /.well-known/openid-configuration uri path, e.g.: https://accounts.google.com/.well-known/openid-configuration
Local user management¶
For simple deployments without an Identity Provider, you can manage the users through the SFManager command-line utility (except for the default admin user, defined in the sfconfig.yaml file). See SFmanager command-line User management documentation for more details.
For example, to create a local user, run this command on the install-server:
sfmanager user create --username demo --password demo --email firstname.lastname@example.org --fullname "A local demo user"
Other authentication settings¶
Identity provider data sync¶
By default, user data such as full name or email address are synchronized upon each successful login. Users can disable this behavior in the user settings page (available from top right menu). When disabled, users can manage the email address used in Software Factory service indepently from the identity provider data.