LogoLogo
StackState.comDownloadSupportExplore playground
StackState v5.1
StackState v5.1
  • Welcome to the StackState docs!
  • StackState self-hosted v5.1 docs
  • Getting Started
  • 🚀Setup
    • Install StackState
      • Requirements
      • Kubernetes / OpenShift
        • Kubernetes install
        • OpenShift install
        • Required Permissions
        • Non-high availability setup
        • Override default configuration
        • Configure storage
        • Configure Ingress
        • Install from custom image registry
        • Migrate from Linux install
      • Linux
        • Before you install
        • Download
        • Install StackState
        • Install with production configuration
        • Install with development configuration
        • Install with POC configuration
        • Set up a reverse proxy
        • Set up TLS without reverse proxy
      • Initial run guide
      • Troubleshooting
    • Upgrade StackState
      • Steps to upgrade
      • Version specific upgrade instructions
      • StackPack versions
      • StackState release notes
    • StackState Agent
      • About StackState Agent V3
      • Docker
      • Kubernetes / OpenShift
      • Linux
      • Windows
      • Advanced Agent configuration
      • Use an HTTP/HTTPS proxy
      • Agent V1 (legacy)
      • Migrate Agent V1 to Agent V2
        • Linux
        • Docker
    • StackState CLI
      • CLI: sts
      • CLI: stac (deprecated)
      • Comparison between CLIs
    • Data management
      • Backup and Restore
        • Kubernetes backup
        • Linux backup
        • Configuration backup
      • Data retention
      • Clear stored data
  • 👤Use
    • Concepts
      • The 4T data model
      • Components
      • Relations
      • Health state
      • Layers, Domains and Environments
      • Perspectives
      • Anomaly detection
      • StackState architecture
    • StackState UI
      • Explore mode
      • Filters
      • Views
        • About views
        • Configure the view health
        • Create and edit views
        • Visualization settings
      • Perspectives
        • Topology Perspective
        • Events Perspective
        • Traces Perspective
        • Metrics Perspective
      • Timeline and time travel
      • Analytics
      • Keyboard shortcuts
    • Checks and monitors
      • Checks
      • Add a health check
      • Anomaly health checks
      • Monitors
      • Manage monitors
    • Problem analysis
      • About problems
      • Problem lifecycle
      • Investigate a problem
      • Problem notifications
    • Metrics
      • Telemetry streams
      • Golden signals
      • Top metrics
      • Add a telemetry stream
      • Browse telemetry
      • Set telemetry stream priority
    • Events
      • About events
      • Event notifications
      • Manage event handlers
    • Glossary
  • 🧩StackPacks
    • About StackPacks
    • Add-ons
      • Autonomous Anomaly Detector
      • Health Forecast
    • Integrations
      • About integrations
      • 💠StackState Agent V2
      • 💠AWS
        • AWS
        • AWS ECS
        • AWS X-ray
        • StackState/Agent IAM role: EC2
        • StackState/Agent IAM role: EKS
        • Policies for AWS
        • AWS (legacy)
        • Migrate AWS (legacy) to AWS
      • 💠Dynatrace
      • 💠Kubernetes
      • 💠OpenShift
      • 💠OpenTelemetry
        • About instrumentations
        • AWS NodeJS Instrumentation
        • Manual Instrumentation
          • Prerequisites
          • Tracer and span mappings
          • Relations between components
          • Span health state
          • Merging components
          • Code examples
      • 💠ServiceNow
      • 💠Slack
      • 💠Splunk
        • Splunk
        • Splunk Events
        • Splunk Health
        • Splunk Metrics
        • Splunk Topology
      • 💠VMWare vSphere
      • Apache Tomcat
      • Azure
      • Cloudera
      • Custom Synchronization
      • DotNet APM
      • Elasticsearch
      • Humio
      • Java APM
      • JMX
      • Logz.io
      • MySQL
      • Nagios
      • OpenMetrics
      • PostgreSQL
      • Prometheus
      • SAP
      • SCOM
      • SolarWinds
      • Static Health
      • Static Topology
      • Traefik
      • WMI
      • Zabbix
    • Develop your own StackPacks
  • 🔧Configure
    • Topology
      • Component actions
      • Identifiers
      • Topology naming guide
      • Topology sources
      • Create a topology manually
      • Configure topology synchronizations
      • Enable email event notifications
      • Send topology data over HTTP
      • Set the topology filtering limit
      • Use a proxy for event handlers
      • Use tags
      • Tune topology synchronization
      • Debug topology synchronization
    • Telemetry
      • Add telemetry during topology synchronization
      • Data sources
        • Elasticsearch
        • Prometheus mirror
      • Send events over HTTP
      • Send metrics data over HTTP
      • Set the default telemetry interval
      • Debug telemetry synchronization
    • Traces
      • Set up traces
      • Advanced configuration for traces
    • Health
      • Health synchronization
      • Send health data over HTTP
        • Send health data
        • Repeat Snapshots JSON
        • Repeat States JSON
        • Transactional Increments JSON
      • Debug health synchronization
    • Anomaly Detection
      • Export anomaly feedback
      • Scale the AAD up and down
      • The AAD status UI
    • Security
      • Authentication
        • Authentication options
        • File based
        • LDAP
        • Open ID Connect (OIDC)
        • KeyCloak
        • Service tokens
      • RBAC
        • Role-based Access Control
        • Permissions
        • Roles
        • Scopes
        • Subjects
      • Secrets management
      • Self-signed certificates
      • Set up a security backend for Linux
      • Set up a security backend for Windows
    • Logging
      • Kubernetes logs
      • Linux logs
      • Enable logging for functions
  • 📖Develop
    • Developer guides
      • Agent checks
        • About Agent checks
        • Agent check API
        • Agent check state
        • How to develop Agent checks
        • Connect an Agent check to StackState
      • Custom functions and scripts
        • StackState functions
        • Check functions
        • Component actions
        • Event handler functions
        • ID extractor functions
        • Mapping functions
        • Monitor functions
        • Propagation functions
        • Template functions
        • View health state configuration functions
      • Custom Synchronization StackPack
        • About the Custom Synchronization StackPack
        • How to customize elements created by the Custom Synchronization StackPack
        • How to configure a custom synchronization
      • Integrate external services
      • Mirroring Telemetry
      • Monitors
        • Create monitors
        • Monitor STJ file format
      • StackPack development
        • How to create a StackPack
        • Packaging
        • How to get a template file
        • How to make a multi-instance StackPack
        • Prepare a multi-instance provisioning script
        • Upload a StackPack file
        • Prepare a shared template
        • Customize a StackPack
        • Prepare instance template files
        • Prepare a StackPack provisioning script
        • Resources in a StackPack
        • StackState Common Layer
      • Synchronizations and templated files
    • Reference
      • StackState OpenAPI docs
      • StackState Template JSON (STJ)
        • Using STJ
        • Template functions
      • StackState Markup Language (STML)
        • Using STML
        • STML Tags
      • StackState Query Language (STQL)
      • StackState Scripting Language (STSL)
        • Scripting in StackState
        • Script result: Async
        • Script result: Streaming
        • Time in scripts
        • Script APIs
          • Async - script API
          • Component - script API
          • HTTP - script API
          • Prediction - script API
          • StackPack - script API
          • Telemetry - script API
          • Time - script API
          • Topology - script API
          • UI - script API
          • View - script API
    • Tutorials
      • Create a simple StackPack
      • Push data to StackState from an external system
      • Send events to StackState from an external system
      • Set up a mirror to pull telemetry data from an external system
Powered by GitBook
LogoLogo

Legal notices

  • Privacy
  • Cookies
  • Responsible disclosure
  • SOC 2/SOC 3
On this page
  • Overview
  • Configure the OIDC provider
  • Configure StackState for OIDC
  • Kubernetes
  • Linux
  • Additional settings for specific OIDC providers
  • Microsoft Identity Platform
  • See also
  1. Configure
  2. Security
  3. Authentication

Open ID Connect (OIDC)

StackState Self-hosted v5.1.x

Overview

StackState can authenticate using an OIDC authentication provider. To enable this, you will need to configure both StackState and the OIDC provider to be able to talk to each other. The following sections describe the respective setups.

Configure the OIDC provider

Before you can configure StackState to authenticate using OIDC, you need to create a client for StackState on your OIDC provider. Use the following settings for the client (if needed by the OIDC provider):

  • Use the OIDCAuthoirzation Flow

  • Set the Redirect URI to the base URL of StackState suffixed with /loginCallback. For example https://stackstate.acme.com/loginCallback. For some OIDC providers, such as Google, the Redirect URI must match exactly, including any query parameters. In that case, you should configure the URI like this https://stackstate.acme.com/loginCallback?client_name=StsOidcClient.

  • Give StackState access to at least the scopes openid and email or the equivalent of these for your OIDC provider.

  • StackState needs OIDC offline access. For some identity providers, this requires an extra scope, usually called offline_access.

The result of this configuration should produce a clientId and a secret. Copy those and keep them around for configuring StackState. Also write down the discoveryUri of the provider. Usually this is either in the same screen or can be found in the documentation.

Configure StackState for OIDC

Kubernetes

To configure StackState to use an OIDC authentication provider on Kubernetes, OIDC details and user role mapping needs to be added to the file authentication.yaml. For example:

stackstate:
  authentication:
    oidc:
      clientId: "<client-id-from-oidc-provider>"
      secret: "<secret-from-oidc-provider>"
      discoveryUri: "https://oidc.acme.com/.well-known/openid-configuration"
      jwsAlgorithm: RS256
      scope: ["openid", "email"]
      jwtClaims:
        usernameField: email
        groupsField: groups
      customParameters:
        access_type: offline

    # map the groups from OIDC provider
    # to the 4 standard roles in StackState (guest, powerUser, admin and platformAdmin)
    roles:
      guest: ["oidc-guest-role-for-stackstate"]
      powerUser: ["oidc-power-user-role-for-stackstate"]
      admin: ["oidc-admin-role-for-stackstate"]
      platformAdmin: ["oidc-platform-admin-role-for-stackstate"]

Follow the steps below to configure StackState to authenticate using OIDC:

  1. In authentication.yaml - add details of the OIDC authentication provider (see the example above):

    • discoveryUri - URI that can be used to discover the OIDC provider. Normally also documented or returned when creating the client in the OIDC provider.

    • jwsAlgorithm - The default for OIDC is RS256. If your OIDC provider uses a different one, it can be set here.

    • scope - Should match, or be a subset of, the scope provided in the OIDC provider configuration. StackState uses this to request access to these parts of a user profile in the OIDC provider.

    • redirectUri - Optional (not in the example): The URI where the login callback endpoint of StackState is reachable. Populated by default using the stackstate.baseUrl, but can be overridden. This must be a fully qualified URL that points to the /loginCallback path.

    • customParameters - Optional map of key/value pairs that are sent to the OIDC provider as custom request parameters. Some OIDC providers require extra request parameters not sent by default.

    • jwtClaims -

      • usernameField - The field in the OIDC user profile that should be used as the username. By default, this will be the preferred_username, however, many providers omit this field. A good alternative is email.

      • groupsField - The field from which StackState will read the role/group for a user.

  2. Store the file authentication.yaml together with the values.yaml file from the StackState installation instructions.

  3. Run a Helm upgrade to apply the changes:

     helm upgrade \
       --install \
       --namespace stackstate \
       --values values.yaml \
       --values authentication.yaml \
     stackstate \
     stackstate/stackstate

Note:

  • The first run of the helm upgrade command will result in pods restarting, which may cause a short interruption of availability.

  • Include authentication.yaml on every helm upgrade run.

  • The authentication configuration is stored as a Kubernetes secret.

Linux

To configure StackState to use an OIDC authentication provider on Linux, OIDC details and user role mapping needs to be added to the file application_stackstate.conf. This should replace the existing authentication section that's nested in stackstate.api. For example:

authorization {
  // map the groups from the OIDC provider to the
  // 4 standard subjects in StackState (guestGroups, powerUserGroups, adminGroups and platformAdminGroups)
  // Please note! you have to use the syntax
  // `<group>Groups = ${stackstate.authorization.<group>Groups} ["oidc-role"]`
  // to extend the list of standard roles (stackstate-admin, stackstate-platform-admin, stackstate-guest, stackstate-power-user)
  // with the ones from OIDC
  guestGroups = ${stackstate.authorization.guestGroups} ["oidc-guest-role-for-stackstate"]
  powerUserGroups = ${stackstate.authorization.powerUserGroups} ["oidc-power-user-role-for-stackstate"]
  adminGroups = ${stackstate.authorization.adminGroups} ["oidc-admin-role-for-stackstate"]
  platformAdminGroups = ${stackstate.authorization.platformAdminGroups} ["oidc-platform-admin-role-for-stackstate"]
}

authentication {
  enabled  = true

  authServer {
    authServerType = [ "oidcAuthServer" ]

    oidcAuthServer {
      clientId = "<client-id-from-oidc-provider>"
      secret = "<secret-from-oidc-provider>"
      discoveryUri = "https://oidc.acme.com/.well-known/openid-configuration"
      jwsAlgorithm = RS256
      scope = ["openid", "email"]
      redirectUri = "https://stackstate.acme.com/loginCallback"
      jwtClaims {
        usernameField = email
        groupsField = groups
      }
      customParams {
        access_type = "offline"
      }
    }
  }
}

Follow the steps below to configure StackState to authenticate using OIDC:

  1. In application_stackstate.conf - add details of the OIDC authentication provider (see the example above). This should replace the existing authentication section that's nested in stackstate.api:

    • discoveryUri - URI that can be used to discover the OIDC provider. Normally also documented or returned when creating the client in the OIDC provider.

    • jwsAlgorithm - The default for OIDC is RS256. If your OIDC provider uses a different one, it can be set here.

    • scope - Should match, or be a subset of, the scope provided in the OIDC provider configuration. StackState uses this to request access to these parts of a user profile in the OIDC provider.

    • redirectUri - The URI where the login callback endpoint of StackState is reachable. This must be a fully qualified URL that points to the /loginCallback path.

    • customParams - Optional map of key/value pairs that are sent to the OIDC provider as custom request parameters. Some OIDC providers require extra request parameters not sent by default.

    • jwtClaims -

      • usernameField - The field in the OIDC user profile that should be used as the username. By default, this will be the preferred_username, however, many providers omit this field. A good alternative is email.

      • groupsField - The field from which StackState will read the role/group for a user.

  2. Restart StackState to apply the changes.

Additional settings for specific OIDC providers

This section includes additional settings needed for specific OIDC providers.

Microsoft Identity Platform

To authenticate StackState via OIDC with the Microsoft Identity Platform, the additional scope offline_access needs to be granted and requested during authentication.

In Microsoft Azure, approve the permission "Maintain access to data you have given it access to" on the consent page of the authorization code flow.

In the StackState configuration described above, add the scope offline_access, in addition to openid and email. For example:

jwsAlgorithm: RS256
      scope: ["openid", "email", "offline_access"]
      jwtClaims:
        usernameField: preferred_username
        groupsField: groups

See also

PreviousLDAPNextKeyCloak

Last updated 2 years ago

clientId - The ID of the .

secret - The secret for the

In authentication.yaml - map user roles from OIDC to the correct StackState subjects using the roles.guest, roles.powerUser, roles.admin or roles.platformAdmin settings (see the example above). For details, see the . More StackState roles can also be created, see the .

clientId - The ID of the .

secret - The secret for the

In application_stackstate.conf - map user roles from OIDC to the correct StackState subjects using the guestGroups, powerUserGroups, adminGroups or platformAdminGroups settings (see the example above). For details, see the . More StackState roles can also be created, see the .

For further details, see .

🔧
Permissions and consent in the Microsoft identity platform (learn.microsoft.com)
Authentication options
Create RBAC roles
OIDC client you created for StackState
OIDC client you created for StackState
OIDC client you created for StackState
OIDC client you created for StackState
RBAC documentation
RBAC documentation
default StackState roles
default StackState roles
Permissions for predefined StackState roles