86 lines
3.2 KiB
Plaintext
86 lines
3.2 KiB
Plaintext
---
|
|
title: Integrate with Semaphore UI
|
|
sidebar_label: Semaphore
|
|
support_level: community
|
|
---
|
|
|
|
## What is Semaphore UI
|
|
|
|
> Semaphore UI is a modern web interface for managing popular DevOps tools.
|
|
>
|
|
> -- https://semaphoreui.com/
|
|
>
|
|
> This guide explains how to configure Semaphore UI to use authentik as the OAuth provider for logging in to the Web GUI.
|
|
|
|
## Preparation
|
|
|
|
The following placeholders are used in this guide:
|
|
|
|
- `semaphore.company` is the FQDN of the Semaphore installation.
|
|
- `authentik.company` is the FQDN of the authentik installation.
|
|
|
|
:::note
|
|
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
|
|
:::
|
|
|
|
## authentik configuration
|
|
|
|
[Create](https://docs.goauthentik.io/docs/add-secure-apps/applications/manage_apps#add-new-applications) an OAuth2/OpenID provider and an application in authentik. Use the following parameters for the OAuth2/OpenID provider:
|
|
|
|
1. In the authentik Admin interface, navigate to **Applications** -> **Applications**.
|
|
2. Use the wizard to create a new application and provider. During this process:
|
|
- Note the **Client ID**, **Client Secret**, and **slug** values for later use.
|
|
- Select implicit or explicit authorization flow as desired.
|
|
- Set the redirect URI to <kbd>https://<em>semaphore.company</em>/api/auth/oidc/authentik/redirect/</kbd>.
|
|
- Select any available signing key.
|
|
|
|
## Semaphore UI configuration
|
|
|
|
Log in to your Semaphore UI host via SSH. Edit the `/etc/semaphore/config.json` file with the text editor of your choice.
|
|
|
|
Add the `oidc_providers` configuration:
|
|
|
|
```
|
|
{
|
|
"oidc_providers": {
|
|
"authentik": {
|
|
"display_name": "Sign in with authentik",
|
|
"provider_url": "https://authentik.company/application/o/<slug>/",
|
|
"client_id": "<client-id>",
|
|
"client_secret": "<client-secret>",
|
|
"redirect_url": "https://semaphore.company/api/auth/oidc/authentik/redirect/",
|
|
"username_claim": "username",
|
|
"name_claim": "name",
|
|
"email_claim": "email",
|
|
"scopes": ["openid", "profile", "email"]
|
|
},
|
|
...
|
|
}
|
|
```
|
|
|
|
:::info
|
|
The name of the oidc_provider (e.g. `authentik`) needs to match the name on the redirect URL.
|
|
:::
|
|
|
|
:::info
|
|
If a `Not Found` error is displayed after the login, you might need to set the web_root to `/` (see https://github.com/semaphoreui/semaphore/issues/2681):
|
|
|
|
```
|
|
SEMAPHORE_WEB_ROOT: /
|
|
```
|
|
|
|
:::
|
|
|
|
More information on this can be found in the Semaphore documentation https://docs.semaphoreui.com/administration-guide/openid/authentik/.
|
|
|
|
## Test the login
|
|
|
|
- Open a browser of your choice and open the URL <kbd>https://<em>semaphore.company</em></kbd>.
|
|
- Click on the SSO-Login button.
|
|
- You should be redirected to authentik (with the login flows you created) and then authentik should redirect you back to <kbd>https://<em>semaphore.company</em></kbd> URL.
|
|
- If you are redirected back to the <kbd>https://<em>semaphore.company</em></kbd> URL you did everything correct.
|
|
|
|
:::info
|
|
Users are created upon logging in with authentik. They will not have the rights to create anything initially. These permissions must be assigned later by the local admin created during the first login to the Semaphore UI.
|
|
:::
|