Overview

Secure kPow with User Authentication

kPow supports the following mechanisms for authenticating users.

Note: When running kPow behind a reverse proxy for HTTPS termination (rather than using HTTPS Connections), take care with the scheme of the configured authentication URI.

Jetty Authentication

kPow is built on the Eclipse Jetty Web Server.

See: The Jetty JAAS Documentation for a full description of authentication options.

Jetty provides a number of JAAS (Java Authentication and Authorization) integrations including:

  • PropertyFileLoginModule: user credentials are stored in a property file.

  • LdapLoginModule: user credentials are stored in LDAP.

  • JDBCLoginModule: user credentials are stored in a DB accessed via JDBC.

  • DataSourceLoginModule: similar to JDBC but uses a JNDI Datasource to connect to the DB.

kPow supports all of these Jetty JAAS integrations. Details of each are in this guide.

SAML Authentication

kPow is easily configured to be a Service Provider and integrates with any SAML Identity Provider. This guide includes specific instructions for Azure AD, Okta and AWS SSO.

OpenID and OAuth 2.0 Authentication

kPow supports integration with Okta (OpenID) and GitHub (OAuth 2.0) SSO providers.

Need a Provider Added? Just email [email protected] and we'll estimate delivery.

kPow and User Authentication

With authentication configured, kPow requires all users to authenticate prior to accessing the UI.

Note: Access to Prometheus endpoints remains unauthenticated.

When Jetty Authentication is configured, users will be prompted with form-based or basic login prompts.

Regardless of the mechanism used for authentication, all users can view their profile information.