Skip to main content

Identity Providers Guide

In Morio, all HTTP-based authentication is backed by Identity Providers (IDPs), a modular way to configure authentication backends for your Morio deployment.

Morio supports the following types of identity providers:

Morio Root Token

The Morio Root Token identity provider (mrt) allows authentication with the Morio Root Token.

Purpose

  • The mrt identity provider is intended to be used as the very first Morio login before other identity providers are set up.
  • The mrt identity provider also serves as a sort of break glass fallback that can be used when other identity providers are unavailable.

Restrictions

  • The mrt identity provider requires the Morio Root Token to authenticate, which is created at the initial setup of Morio, and only shown at that time.
  • The mrt identity provider only takes the Morio Root Token as input — there is no username.
  • You can only have 1 instance of the mrt identity provider.

Provider-specific functionality

  • This is the only identity provider that can grant the root role.

Roles

  • The mrt identity provider grants you the root role, the highest role in a Morio system.
  • The mrt identity provider supports dropping privileges by requesting any role lower than root.

Configuration

  • The mrt identity provider is built-in and does not require configuration.
  • The mrt identity provider can be disabled with the DISABLE_IDP_MRT feature flag.
  • The mrt identity provider’s inclusion or appearance on the UI’s login page can be configured in the UI settings.

Settings Example

base-settings.yaml
iam:
providers:
mrt:
# A label is optional
# Defaults to the ID of the identity provider (mrt)
mrt: Morio Root Token
ui:
visibility:
# Use 'icon' to hide the identity provider
# behind a lock icon on the login page
mrt: icon
order:
mrt: 10

Morio API Keys

The Morio API Keys identity provider allows authentication with a Morio API Key and its matching secret.

Purpose

  • The apikey identity provider is intended for automated access, scripts, CI/CD pipelines, cron jobs, and so on.
  • The apikey identity provider is not intended for human operators, although it is commonly used by developers when working on Morio API integration.

Restrictions

  • The apikey identity provider does not allow choosing the API Key (username) or Secret (password).
  • The apikey identity provider does not support dropping privileges by assuming a different role — only the role assigned to the API Key can be used.
  • You can only have 1 instance of the apikeyidentity provider, and its ID must always be apikey.

Provider-specific functionality

Roles

  • The apikey identity provider allows for any role up to engineer. The root role cannot be assigned to an API Key.
  • The apikey identity provider does not allow creating an API Key with a role higher than one’s own.

Configuration

  • The apikey identity provider is built-in and does not require configuration.
  • The apikey identity provider can be disabled with the DISABLE_IDP_APIKEY feature flag.
  • The apikey identity provider’s inclusion or appearance on the UI’s login page can be configured in the UI settings.

Settings Example

base-settings.yaml
iam:
providers:
apikey:
# A label is optional
# Defaults to the ID of the identity provider (mrt)
label: API Key
ui:
visibility:
# Use 'icon' to hide the identity provider
# behind a lock icon on the login page
apikey: icon
order:
apikey: 20

Morio Accounts

The Morio Accounts identity provider allows authentication with the username, password, and TOTP token of a Local Morio User Account.

Purpose

  • The local identity provider is intended for access by humans.
  • The local identity provider is most suitable for smaller setups where no centralised identity provider — such as OpenID Connect or LDAP — is available, or as a backup when external identity providers are down.

Restrictions

  • The local identity provider requires Multi-Factor Authentication (MFA). This is mandatory and cannot be disabled.
  • You can only have 1 instance of the local identity provider, and its ID must always be local.

Provider-specific functionality

  • The local identity provider allows any user with the role manager or higher to create local Morio accounts.
  • The local identity provider generates an invite code and URL to be shared with users, facilitating onboarding.
  • The local identity provider will provide scratch codes to the user that can be used when their device used to generate the TOTP token is unavailable.
  • The Morio Management API provides various endpoints to handle Local Morio Accounts.

Roles

  • The local identity provider allows for any role up to engineer. The root role cannot be assigned to a Local Morio Account.
  • The local identity provider does not allow creating a local Morio account with a role higher than one’s own.

Configuration

  • The local identity provider is built-in and does not require configuration.
  • The local identity provider can be disabled with the DISABLE_IDP_LOCAL feature flag.
  • The local identity provider’s inclusion or appearance on the UI’s login page can be configured in the UI settings.

Settings Example

base-settings.yaml
iam:
providers:
local:
# A label is optional
# Defaults to the ID of the identity provider (local)
label: Morio Account
ui:
visibility:
# Use 'tab' to show the identity provider
# as a tab on the login page
local: tabs
order:
local: 3

LDAP

The LDAP identity provider allows authentication against an LDAP backend.

Purpose

  • The ldap identity provider is intended for organisations that have pre-existing user identities available in an LDAP server or a system compatible with LDAP, such as Microsoft Active Directory.
  • The ldap identity provider is most suitable for environments where users already have an account on a different system that they also want to use to access Morio.

Restrictions

  • None.

Provider-specific functionality

  • The ldap identity provider allows configuring the assignment of Morio roles based on any field of the LDAP user object.
  • The ldap identity provider supports more than 1 instance of this provider, thus allowing you to use different LDAP backends simultaneously.

Roles

  • The ldap identity provider allows for any role up to engineer. The root role cannot be assigned to a user backed by the ldap identity provider.

Configuration

  • The ldap identity provider needs to be configured before it can be used.
  • The ldap identity provider can be disabled with the DISABLE_IDP_LDAP feature flag.
  • The ldap identity provider’s inclusion or appearance on the UI’s login page can be configured in the UI settings.

Settings Example

base-settings.yaml
iam:
providers:
ad: # You can choose the ID of the ldap provider instance
provider: ldap # You cannot choose this, it must always be `ldap`
label: Active Directory
about: This is your Active Directory account, the same you use to login to your computer.
server:
url: "ldaps://dc1.tokyo.morio.it
bindDN: "CN=morio-ldap,OU=Users,DC=tokyo,DC=morio,DC=it",
bindCredentials: "{{{ AD_PASSWORD }}}",
searchBase: "OU=Users-EU,DC=tokyo,DC=morio,DC=it",
searchFilter: "(&(objectClass=user)(samaccountname={{username}}))"
username_field: samaccountname
rbac:
user:
attribute: samaccountname
regex: .
engineer:
attribute: samaccountname
list:
- mario
- luigi
ui:
visibility:
# Use 'tab' to show the identity provider
# as a tab on the login page
ad: tab
order:
ad: 2
secrets:
AD_PASSWORD: "Your secret here"

OpenID Connect

The OpenID Connect identity provider allows authentication against an OpenID Connect (oidc) provider.

Purpose

  • The oidc identity provider is intended for organisations that have pre-existing user identities available in a system that supports OpenID Connect.
  • The oidc identity provider is most suitable for environments where users already have an account on a different system that they also want to use to access Morio.

Restrictions

  • None.

Provider-specific functionality

  • The oidc identity provider allows configuring the assignment of Morio roles based on any user property provided by the OpenID provider.
  • The oidc identity provider supports more than 1 instance of this provider, thus allowing you to use different OpenID providers simultaneously.

Roles

  • The oidc identity provider allows for any role up to engineer. The root role cannot be assigned to a user backed by the oidc identity provider.

Configuration

  • The oidc identity provider needs to be configured before it can be used.
  • The oidc identity provider can be disabled with the DISABLE_IDP_OIDC feature flag.
  • The oidc identity provider’s inclusion or appearance on the UI’s login page can be configured in the UI settings.

Settings Example

base-settings.yaml
iam:
providers:
gitlab: # You can choose the ID of the oidc provider instance
provider: oidc # You cannot choose this, it must always be `oidc`
label: GitLab
about: Use your GitLab account to sign in to Morio
issuer: https://git.morio.it
client_id: 9f8afda548c112e70323ff60ff3d080b3216c691a05e69ca8b08e146085adf27
client_secret: "{{{ GITLAB_OIDC_SECRET }}}"
username_field: email
rbac:
user:
attribute: email
regex: .
engineer:
attribute: email
list:
- mario@morio.it
- luigi@morio.it
ui:
visibility:
# Use 'tab' to show the identity provider
# as a tab on the login page
gitlab: tab
order:
gitlab: 1
secrets:
GITLAB_OIDC_SECRET: "Your GitLab secret here"