Authentication
Both the Registry Dashboard and Policy Manager Dashboard support OIDC and LDAP authentication. By default, dashboards are accessible without authentication.
OIDC (Auth0, Okta, Entra ID, Keycloak)
Configure each dashboard separately through its built-in setup UI:
- Open the dashboard and navigate to Settings > Authentication
- Select OIDC and enter:
| Field | Description | Example |
|---|---|---|
| Issuer URL | Your IdP's issuer | https://yourco.auth0.com/ |
| Client ID | OAuth client ID | abc123... |
| Client Secret | OAuth client secret | secret_... |
| Redirect URI | Callback URL | https://localhost:8443/auth/callback |
| Admin Group | Group required for admin access | watchlight-admins |
- Click Test to verify connectivity, then Save
Both dashboards can share the same IdP but need separate OAuth client registrations (different redirect URIs).
Redirect URIs
| Dashboard | Redirect URI |
|---|---|
| Registry (https://localhost:8443) | https://localhost:8443/auth/callback |
| Policy Manager (https://localhost) | https://localhost/auth/callback |
Provider-Specific Notes
- Auth0: Create a Regular Web Application per dashboard. Add callback URLs to Allowed Callback URLs. Enable RBAC and add `groups` to the ID token.
- Okta: Create Web Applications with Authorization Code flow. The `groups` claim is available via the `okta.groups` scope.
- Entra ID (Azure AD): Register App Registrations with separate redirect URIs. Use the `api://` audience. Enable group claims in Token Configuration.
- Keycloak: Create clients with Standard Flow. Map group membership to the `groups` claim via Protocol Mappers.
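The Admin Group setting only means something if the dashboard checks the ID token's issuer, audience and expiry before reading its group claim; a token minted for the other dashboard's client registration, or for a different tenant, must not get through. The following is an added example, not Watchlight's own code, of those claim checks with the Admin Group and group-claim name supplied as parameters (the same values ADMIN_GROUP and ADMIN_GROUP_CLAIM carry in the environment-variable table). It assumes the token's signature has already been verified against the IdP's JWKS, and the issuer, client ID and claims are constructed sample values modelled on the table above.

```python
"""Relying-party checks on a decoded OIDC ID token.

Added example, not Watchlight's own code: it shows what a dashboard has to
verify on an ID token's claims before the Admin Group setting can be trusted.
It assumes the token's signature has already been verified against the IdP's
JWKS; only claim checks are shown. The issuer, client ID and claims below are
constructed sample values modelled on the configuration table.
"""
import time


class TokenRejected(Exception):
    """The token must not be accepted at all (wrong issuer, audience, or expired)."""


def admin_from_claims(claims, issuer, client_id, admin_group,
                      group_claim="groups", now=None):
    """Return True if the token grants admin access, False for a valid non-admin
    login; raise TokenRejected if the token is not acceptable.

    issuer      - the Issuer URL entered in the dashboard
    client_id   - the OAuth Client ID (the audience the IdP issues the token for)
    admin_group - the Admin Group setting (ADMIN_GROUP)
    group_claim - name of the claim carrying groups (ADMIN_GROUP_CLAIM, default "groups")
    """
    now = time.time() if now is None else now

    # iss must match the configured Issuer URL exactly, trailing slash included;
    # Auth0 issuers carry one (see the table's example), so enter it verbatim.
    if claims.get("iss") != issuer:
        raise TokenRejected("issuer mismatch")

    # aud is a string for one audience or a list for several; this dashboard's
    # own client ID must be present, otherwise a token issued for the other
    # dashboard's client registration would be accepted here.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        raise TokenRejected("audience mismatch")

    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise TokenRejected("token expired or has no exp")

    # The group claim may be a single string or a list depending on the IdP mapping.
    groups = claims.get(group_claim, [])
    if isinstance(groups, str):
        groups = [groups]
    if not isinstance(groups, list):
        raise TokenRejected(f"claim {group_claim!r} is not a string or list")

    # Assumption for this example: with no Admin Group configured, nobody is admin.
    if not admin_group:
        return False
    return admin_group in groups


def is_rejected(claims, issuer, client_id, admin_group, **kw):
    """Helper: True if admin_from_claims raises TokenRejected for these inputs."""
    try:
        admin_from_claims(claims, issuer, client_id, admin_group, **kw)
    except TokenRejected:
        return True
    return False


# Constructed sample values (not a real tenant, client or user).
SAMPLE_ISSUER = "https://yourco.auth0.com/"
SAMPLE_CLIENT_ID = "abc123"
SAMPLE_NOW = 1_700_000_000

ADMIN_CLAIMS = {
    "iss": SAMPLE_ISSUER,
    "aud": SAMPLE_CLIENT_ID,
    "exp": SAMPLE_NOW + 600,
    "sub": "auth0|user1",
    "groups": ["staff", "watchlight-admins"],
}


if __name__ == "__main__":
    print(admin_from_claims(ADMIN_CLAIMS, SAMPLE_ISSUER, SAMPLE_CLIENT_ID,
                            "watchlight-admins", now=SAMPLE_NOW))
```

The exact issuer comparison is deliberate: the OIDC Core spec requires `iss` to match the discovered issuer character for character, and a trailing-slash difference between the Issuer URL you type and what the IdP puts in the token is the most common reason the Test button fails.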
LDAP
- Open the dashboard and navigate to Settings > Authentication
- Select LDAP and enter:
| Field | Description | Example |
|---|---|---|
| Server URL | LDAP server | ldap://ldap.yourco.com:389 |
| Bind DN | Service account DN | cn=svc-beacon,ou=services,dc=yourco,dc=com |
| Bind Password | Service account password | ... |
| User Search Base | Where to find users | ou=people,dc=yourco,dc=com |
| User Search Filter | Username filter | (uid={0}) |
| Group Search Base | Where to find groups | ou=groups,dc=yourco,dc=com |
| Admin Group | Required group DN or name | cn=beacon-admins,ou=groups,... |
| Use StartTLS | Encrypt connection | Recommended |
- Click Test with a real username/password, then Save
Tip: For production, always enable StartTLS or use ldaps://. You can provide a custom CA certificate if your LDAP server uses a private CA.
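Two details of the LDAP form deserve a closer look: the `{0}` in User Search Filter is replaced with whatever the user typed at the login prompt, so the value has to be escaped per RFC 4515 before it reaches the directory, and the Server URL scheme together with Use StartTLS decides whether the bind password travels encrypted. The following is an added example, not Watchlight's own code, of both checks; it contacts no directory, and the filter templates, usernames and URLs are constructed inputs based on the table above.

```python
"""Filter escaping and transport check for the LDAP settings.

Added example, not Watchlight's own code. build_user_filter() substitutes the
login name into a User Search Filter template such as "(uid={0})" with RFC
4515 escaping, and transport_is_encrypted() tells whether a Server URL plus the
Use StartTLS setting yields a TLS-protected connection. All inputs are
constructed; nothing here talks to a real directory.
"""
from urllib.parse import urlsplit

# RFC 4515 section 3: characters that must be escaped inside a filter value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value so it cannot change the structure of an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(template: str, username: str) -> str:
    """Substitute the login name into the User Search Filter template.

    The dashboard form uses {0} as the placeholder (see the table above);
    the escaped result is what should be sent with the search request.
    """
    if "{0}" not in template:
        raise ValueError("filter template has no {0} placeholder")
    return template.replace("{0}", escape_filter_value(username))


def transport_is_encrypted(server_url: str, use_starttls: bool) -> bool:
    """True when the bind would run over TLS: ldaps://, or ldap:// with StartTLS."""
    scheme = urlsplit(server_url).scheme.lower()
    if scheme == "ldaps":
        return True
    if scheme == "ldap":
        return use_starttls
    raise ValueError(f"unsupported LDAP URL scheme: {scheme!r}")


if __name__ == "__main__":
    # Constructed inputs modelled on the settings table.
    print(build_user_filter("(uid={0})", "alice"))
    print(build_user_filter("(uid={0})", "*)(uid=*"))
    print(transport_is_encrypted("ldap://ldap.yourco.com:389", False))
```

Note that the second sample username would, unescaped, turn `(uid={0})` into a filter matching every user; after escaping it matches only a literal entry of that name. The transport check reflects the tip above: plain `ldap://` without StartTLS sends the Bind Password in clear.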
Environment Variable Overrides
Authentication can also be configured via environment variables on the service containers:
| Variable | Service | Default | Purpose |
|---|---|---|---|
| ADMIN_GROUP | wl-registry | (none) | OIDC/LDAP group required for admin |
| ADMIN_GROUP_CLAIM | wl-registry | groups | JWT claim containing groups |
| AUTH_REQUIRE_AUTH | wl-apdp | true | Enforce authentication |
| AUTH_ALLOW_ANONYMOUS | wl-apdp | false | Allow unauthenticated access |
| ADMIN_GROUP | wl-apdp | admins | Required group for admin access |