How to connect to a custom OAuth2 / OpenID Connect IdP

This guide explains how to configure TeskaLabs LogMan.io to use OAuth2 or OpenID Connect (OIDC) based Single Sign-On (SSO) with a custom identity provider (IdP).

Prerequisites

Before you begin, ensure you have:

  • Access to your identity provider's administration console
  • Your LogMan.io public domain name (e.g., https://your-logman-domain.com)
  • The ability to register a new OAuth2/OIDC application at your IdP

Configure LogMan.io in your Identity Provider

Register a new OAuth2/OIDC Application

The exact steps vary by identity provider, but generally you need to:

  1. Log in to your identity provider's administration console
  2. Navigate to the OAuth2/OIDC applications or client registration section
  3. Create a new application/client registration
  4. Select the application type (typically "Web Application")

Configure Redirect URIs

When registering your application, you must specify the authorized redirect URIs. Add the following URI (replace your-logman-domain.com with your actual public LogMan.io domain):

https://your-logman-domain.com/auth/api/seacat-auth/public/ext-login/callback

Some identity providers only require a base path. In that case, use:

https://your-logman-domain.com/auth/api/seacat-auth/public/

Gather IdP Configuration Details

After registering the application, collect the following information from your identity provider:

  • Client ID: The unique identifier for your application
  • Client Secret: The secret key for your application (keep this secure)
  • Issuer URL: The issuer identifier URL (e.g., https://auth.provider.com)
  • JWKS URI: The JSON Web Key Set endpoint (e.g., https://auth.provider.com/.well-known/jwks.json)
  • Authorization Endpoint: The OAuth2 authorization endpoint URL
  • Token Endpoint: The OAuth2 token endpoint URL

SeaCat Auth Configuration

To enable OAuth2/OIDC authentication in TeskaLabs LogMan.io, configure TeskaLabs SeaCat Auth (the LogMan.io authorization service) in the model.

/Site/model.yaml
services:
  seacat-auth:
    ...

    # Add the following configuration
    asab:
      config:
        seacatauth:oauth2:myprovider:  # (1)
          client_id: your-client-id-here  # (2)
          client_secret: your-client-secret-here  # (3)
          issuer: https://auth.provider.com  # (4)
          authorization_endpoint: https://auth.provider.com/oauth/authorize  # (5)
          token_endpoint: https://auth.provider.com/oauth/token  # (6)
          jwks_uri: https://auth.provider.com/.well-known/jwks.json  # (7)
          scope: openid email profile  # (8)
          label: My Identity Provider  # (9)
  1. OAuth2 login provider identifier. The format is seacatauth:oauth2:<provider_name> where <provider_name> is a unique identifier for your provider.
  2. Required. The Client ID obtained from your identity provider.
  3. Required. The Client Secret obtained from your identity provider.
  4. Required. The issuer URL of your identity provider.
  5. Required. The authorization endpoint URL of your identity provider.
  6. Required. The token endpoint URL of your identity provider.
  7. Required. The JWKS (JSON Web Key Set) endpoint URL for validating ID tokens.
  8. Required. The OAuth2 scopes to request. At minimum, include openid and email. Common additional scopes include profile for user profile information.
  9. The label displayed on the login button. Customize this to match your organization's identity provider name.

Save the changes and apply them using the Apply button in the /Site folder of the Library, or via the command line on the host server:

./gov.sh up
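A pre-flight check for the values gathered from the IdP and entered into the provider section above, as an added example that is not part of LogMan.io or SeaCat Auth: it verifies the required keys and scopes, that every endpoint uses HTTPS, that the issuer and endpoints match the IdP's OIDC discovery document exactly, and that the callback URI from this guide is among the redirect URIs registered at the IdP. It assumes you have already fetched the discovery document (<issuer>/.well-known/openid-configuration) and the registered redirect URI list from the IdP console; the sample values are constructed from this guide.

```python
from urllib.parse import urlparse

# Keys this guide marks as Required in the seacatauth:oauth2:<provider> section
REQUIRED_KEYS = ("client_id", "client_secret", "issuer", "authorization_endpoint",
                 "token_endpoint", "jwks_uri", "scope")
# Values the IdP's discovery document publishes under the same names; must match exactly
DISCOVERY_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")
CALLBACK_PATH = "/auth/api/seacat-auth/public/ext-login/callback"


def expected_redirect_uri(public_domain: str) -> str:
    """The redirect URI the IdP must have registered for this LogMan.io domain."""
    return f"https://{public_domain}{CALLBACK_PATH}"


def check_provider_section(section, discovery, registered_redirect_uris, public_domain):
    """Return a list of findings; an empty list means the section is consistent."""
    findings = []
    for key in REQUIRED_KEYS:
        if not section.get(key):
            findings.append(f"missing required key: {key}")
    scopes = set(str(section.get("scope", "")).split())
    for must in ("openid", "email"):
        if must not in scopes:
            findings.append(f"scope must include '{must}'")
    for key in DISCOVERY_KEYS:
        value = section.get(key)
        if not value:
            continue  # already reported as missing
        if urlparse(value).scheme != "https":
            findings.append(f"{key} is not https: {value}")
        if discovery.get(key) != value:  # OIDC requires an exact string match
            findings.append(f"{key} differs from discovery document: "
                            f"{value!r} vs {discovery.get(key)!r}")
    if expected_redirect_uri(public_domain) not in registered_redirect_uris:
        findings.append("callback URI not registered at the IdP: "
                        + expected_redirect_uri(public_domain))
    return findings


# Constructed sample: the section from this guide and a matching discovery document
SAMPLE_SECTION = {
    "client_id": "your-client-id-here", "client_secret": "your-client-secret-here",
    "issuer": "https://auth.provider.com",
    "authorization_endpoint": "https://auth.provider.com/oauth/authorize",
    "token_endpoint": "https://auth.provider.com/oauth/token",
    "jwks_uri": "https://auth.provider.com/.well-known/jwks.json",
    "scope": "openid email profile", "label": "My Identity Provider",
}
SAMPLE_DISCOVERY = {k: SAMPLE_SECTION[k] for k in DISCOVERY_KEYS}
```

Run the check before applying the model; a mismatch between the issuer in the model and the issuer in the discovery document is the usual cause of ID token validation failing after the redirect.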

Enabling Automatic User Provisioning

Register and Pair Unknown Users at Login

By default, users must manually link their external identity to their LogMan.io account in Account Settings. However, you can enable automatic user provisioning and pairing:

/Site/model.yaml
services:
  seacat-auth:
    ...
    asab:
      config:
        seacatauth:oauth2:myprovider:
          ...
          register_unknown_at_login: true  # (1)
          pair_unknown_at_login: true      # (2)
          tenant: mycompany               # (3)
  1. register_unknown_at_login: Automatically register users who do not exist in LogMan.io when they first log in via OAuth2/OIDC.
  2. pair_unknown_at_login: Automatically pair OAuth2/OIDC users with existing LogMan.io accounts upon first login by matching their email address (case-sensitive).
  3. tenant: Assign new users to this tenant (organization) upon registration or pairing.

After making these changes, apply them using the Apply button in the /Site folder of the Library, or by running the following command on the host server:

./gov.sh up

Testing the Integration

After configuration is complete:

  1. Navigate to your LogMan.io login page
  2. You should see a new login button with the label you configured (e.g., "My Identity Provider")
  3. Click the button to initiate the OAuth2/OIDC login flow
  4. You will be redirected to your identity provider's login page
  5. After successful authentication, you will be redirected back to LogMan.io

Security Considerations

  • Always use HTTPS for production deployments
  • Keep your client_secret secure and never commit it to version control
  • Use the assume_email_is_verified option with caution; only enable it if your identity provider guarantees email verification
  • Regularly rotate your client credentials according to your organization's security policies