This feature requires an Enterprise license. To upgrade, contact Redpanda sales.

Redpanda Console supports authentication via OAuth 2.0 or OIDC for external identity providers, such as:

You can use one or more login providers at the same time. To enable SSO authentication you must create an OAuth application for your organization first. Visit the respective documentation page for guidance to setup your desired identity provider in Console. Afterwards you can configure your identity provider in Redpanda Console by providing the clientId and clientSecret in the configuration block for your provider. The configuration to add Google login support looks like this:

  enabled: true

  # jwtSecret is the secret key you must use to sign and encrypt the JSON
  # web token used to store user sessions. This secret key is
  # critical for the security of Redpanda Console's authentication and
  # authorization system. Use a long, complex key with a combination of
  # numbers, letters, and special characters. While you must use a minimum of
  # 10 characters, Redpanda recommends using more than 32
  # characters. For additional security, use a different secret key for
  # each environment. jwtSecret can be securely generated with the following
  # command: LC_ALL=C tr -dc '[:alnum:]' < /dev/random | head -c32
  # If you update this secret key, any users who are
  # already logged into Redpanda Console will be logged out and will have
  # to log in again.
  jwtSecret: ""

    enabled: true
    clientSecret: redacted # can be set via environment variable
    # The directory config is optional. You have to configure it if you want to use
    # Google groups in your RBAC role bindings.
    # directory:
    #  serviceAccountFilepath: /etc/secrets/google-sa.json
    #  # targetPrincipal is the user that shall be impersonated
    #  # for the Google Admin API calls.
    #  targetPrincipal:

By default, users don’t have any permissions in Redpanda Console. This also includes permission to login at all. Thus authentication and authorization must always be used together. Continue with the authorization configuration by reading the RBAC-based authorization concept.