Redpanda Console supports authentication using OAuth 2.0 or OIDC for external identity providers, such as:
You can use one or more login providers at the same time. To enable SSO authentication, you must create an OAuth application for your organization first. Refer to the respective documentation page for guidance to set up your desired identity provider in Redpanda Console. Afterwards, you can configure your identity provider in Redpanda Console by providing the clientId and clientSecret in the configuration block for your provider. The configuration to add Google login support looks like this:
login: enabled: true # jwtSecret is the secret key you must use to sign and encrypt the JSON # web token used to store user sessions. This secret key is # critical for the security of Redpanda Console's authentication and # authorization system. Use a long, complex key with a combination of # numbers, letters, and special characters. While you must use a minimum of # 10 characters, Redpanda recommends using more than 32 # characters. For additional security, use a different secret key for # each environment. jwtSecret can be securely generated with the following # command: LC_ALL=C tr -dc '[:alnum:]' < /dev/random | head -c32 # # If you update this secret key, any users who are # already logged in to Redpanda Console will be logged out and will have # to log in again. jwtSecret: "" google: enabled: true clientId: redacted.apps.googleusercontent.com clientSecret: redacted # can be set with an environment variable # The directory config is optional. You have to configure it if you want to use # Google groups in your RBAC role bindings. # directory: # serviceAccountFilepath: /etc/secrets/google-sa.json # # targetPrincipal is the user that shall be impersonated # # for the Google Admin API calls. # targetPrincipal: email@example.com
By default, users don’t have any permissions in Redpanda Console, including permission to log in. After you set up authentication, continue with the authorization configuration by reading about RBAC-based authorization.