Overview
Secure kPow with User Authentication
kPow supports Jetty (File, LDAP, DB, etc), SAML, and OpenID mechanisms for authenticating users.

Jetty Authentication

kPow is built on the Eclipse Jetty Web Server.
See: The Jetty JAAS Documentation for a full description of authentication options.
See: The Application Logs guide to enable Jetty JAAS Debug Logging.
Set HTTP_FORWARDED=true when running kPow behind a proxy with Jetty Authentication
Jetty provides a number of JAAS (Java Authentication and Authorization) integrations including:
    PropertyFileLoginModule: user credentials are stored in a property file.
    LdapLoginModule: user credentials are stored in LDAP.
    JDBCLoginModule: user credentials are stored in a DB accessed via JDBC.
    DataSourceLoginModule: similar to JDBC but uses a JNDI Datasource to connect to the DB.
kPow supports all of these Jetty JAAS integrations. Details of each are in this guide.

SAML Authentication

kPow is easily configured to be a Service Provider and integrates with any SAML Identity Provider, we include specific guides for Azure AD, Okta and AWS SSO in this guide.
Note: When running kPow with a reverse-proxy for HTTPS termination (rather than HTTPS Connections) care must be taken with the scheme of configured authentication URI.

OpenID and OAuth 2.0 Authentication

kPow supports integration with Okta (OpenID) and Github (OAuth 2.0) SSO providers.
Need a Provider Added? Just email [email protected] and we'll estimate delivery.

kPow and User Authentication

With authentication configured kPow requires all users to authenticate prior to accessing the UI.
Note: Access to Prometheus endpoints remains unauthenticated.
When Jetty Authentication is configured users will be prompted with form-based or basic login prompts.
Regardless of the mechanism used for authentication, all users can view their profile information.
Last modified 5mo ago