Skip to main content

Identity Providers Guide

In Morio, all HTTP-based authentication is backed by Identity Providers (IDPs), a modular way to configure authentication backends for your Morio deployment.

Morio supports the following types of identity providers:

Morio Root Token

The Morio Root Token identity provider (mrt) allows authentication with the Morio Root Token.

Purpose

  • The mrt identity provider is intended to be used as the very first Morio login before other identity providers are set up.
  • The mrt identity provider also serves as a sort of break glass fallback that can be used when other identity providers are unavailable.

Restrictions

  • The mrt identity provider requires the Morio Root Token to authenticate, which is created at the initial setup of Morio, and only shown at that time.
  • The mrt identity provider only takes the Morio Root Token as input — there is no username.
  • You can only have 1 instance of the mrt identity provider.

Provider-specific functionality

  • This is the only identity provider that can grant the root role.

Roles

  • The mrt identity provider grants you the root role, the highest role in a Morio system.
  • The mrt identity provider supports dropping privileges by requesting any role lower than root.

Configuration

  • The mrt identity provider is built-in and does not require configuration.
  • The mrt identity provider can be disabled with the DISABLE_IDP_MRT feature flag.
  • The mrt identity provider’s inclusion or appearance on the UI’s login page can be configured in the UI settings.

Settings Example

base-settings.yaml
iam:
  providers:
   mrt:
     # A label is optional 
     # Defaults to the ID of the identity provider (mrt)
     mrt: Morio Root Token
  ui:
    visibility:
      # Use 'icon' to hide the identity provider 
      # behind a lock icon on the login page
      mrt: icon
    order:
      mrt: 10

Morio API Keys

The Morio API Keys identity provider allows authentication with a Morio API Key and its matching secret.

Purpose

  • The apikey identity provider is intended for automated access, scripts, CI/CD pipelines, cron jobs, and so on.
  • The apikey identity provider is not intended for human operators, although it is commonly used by developers when working on Morio API integration.

Restrictions

  • The apikey identity provider does not allow choosing the API Key (username) or Secret (password).
  • The apikey identity provider does not support dropping privileges by assuming a different role — only the role assigned to the API Key can be used.
  • You can only have 1 instance of the apikeyidentity provider, and its ID must always be apikey.

Provider-specific functionality

Roles

  • The apikey identity provider allows for any role up to engineer. The root role cannot be assigned to an API Key.
  • The apikey identity provider does not allow creating an API Key with a role higher than one’s own.

Configuration

  • The apikey identity provider is built-in and does not require configuration.
  • The apikey identity provider can be disabled with the DISABLE_IDP_APIKEY feature flag.
  • The apikey identity provider’s inclusion or appearance on the UI’s login page can be configured in the UI settings.

Settings Example

base-settings.yaml
iam:
  providers:
   apikey:
     # A label is optional 
     # Defaults to the ID of the identity provider (mrt)
     label: API Key
  ui:
    visibility:
      # Use 'icon' to hide the identity provider 
      # behind a lock icon on the login page
      apikey: icon
    order:
      apikey: 20

Morio Accounts

The Morio Accounts identity provider allows authentication with the username, password, and TOTP token of a Local Morio User Account.

Purpose

  • The local identity provider is intended for access by humans.
  • The local identity provider is most suitable for smaller setups where no centralised identity provider — such as OpenID Connect or LDAP — is available, or as a backup when external identity providers are down.

Restrictions

  • The local identity provider requires Multi-Factor Authentication (MFA). This is mandatory and cannot be disabled.
  • You can only have 1 instance of the local identity provider, and its ID must always be local.

Provider-specific functionality

  • The local identity provider allows any user with the role manager or higher to create local Morio accounts.
  • The local identity provider generates an invite code and URL to be shared with users, facilitating onboarding.
  • The local identity provider will provide scratch codes to the user that can be used when their device used to generate the TOTP token is unavailable.
  • The Morio Management API provides various endpoints to handle Local Morio Accounts.

Roles

  • The local identity provider allows for any role up to engineer. The root role cannot be assigned to a Local Morio Account.
  • The local identity provider does not allow creating a local Morio account with a role higher than one’s own.

Configuration

  • The local identity provider is built-in and does not require configuration.
  • The local identity provider can be disabled with the DISABLE_IDP_LOCAL feature flag.
  • The local identity provider’s inclusion or appearance on the UI’s login page can be configured in the UI settings.

Settings Example

base-settings.yaml
iam:
  providers:
   local:
     # A label is optional
     # Defaults to the ID of the identity provider (local)
     label: Morio Account
  ui:
    visibility:
      # Use 'tab' to show the identity provider 
      # as a tab on the login page
      local: tabs
    order:
      local: 3

LDAP

The LDAP identity provider allows authentication against an LDAP backend.

Purpose

  • The ldap identity provider is intended for organisations that have pre-existing user identities available in an LDAP server or a system compatible with LDAP, such as Microsoft Active Directory.
  • The ldap identity provider is most suitable for environments where users already have an account on a different system that they also want to use to access Morio.

Restrictions

  • None.

Provider-specific functionality

  • The ldap identity provider allows configuring the assignment of Morio roles based on any field of the LDAP user object.
  • The ldap identity provider supports more than 1 instance of this provider, thus allowing you to use different LDAP backends simultaneously.

Roles

  • The ldap identity provider allows for any role up to engineer. The root role cannot be assigned to a user backed by the ldap identity provider.

Configuration

  • The ldap identity provider needs to be configured before it can be used.
  • The ldap identity provider can be disabled with the DISABLE_IDP_LDAP feature flag.
  • The ldap identity provider’s inclusion or appearance on the UI’s login page can be configured in the UI settings.

Settings Example

base-settings.yaml
iam:
  providers:
    ad: # You can choose the ID of the ldap provider instance
     provider: ldap # You cannot choose this, it must always be `ldap`
     label: Active Directory
     about: This is your Active Directory account, the same you use to login to your computer.
     server:
       url: "ldaps://dc1.tokyo.morio.it
       bindDN: "CN=morio-ldap,OU=Users,DC=tokyo,DC=morio,DC=it",
       bindCredentials: "{{{ AD_PASSWORD }}}",
       searchBase: "OU=Users-EU,DC=tokyo,DC=morio,DC=it",
       searchFilter: "(&(objectClass=user)(samaccountname={{username}}))"
     username_field: samaccountname
     rbac:
       user:
         attribute: samaccountname
         regex: .
       engineer:
         attribute: samaccountname
         list:
           - mario
           - luigi
  ui:
    visibility:
      # Use 'tab' to show the identity provider 
      # as a tab on the login page
      ad: tab
    order:
      ad: 2
secrets:
  AD_PASSWORD: "Your secret here"

OpenID Connect

The OpenID Connect identity provider allows authentication against an OpenID Connect (oidc) provider.

Purpose

  • The oidc identity provider is intended for organisations that have pre-existing user identities available in a system that supports OpenID Connect.
  • The oidc identity provider is most suitable for environments where users already have an account on a different system that they also want to use to access Morio.

Restrictions

  • None.

Provider-specific functionality

  • The oidc identity provider allows configuring the assignment of Morio roles based on any user property provided by the OpenID provider.
  • The oidc identity provider supports more than 1 instance of this provider, thus allowing you to use different OpenID providers simultaneously.

Roles

  • The oidc identity provider allows for any role up to engineer. The root role cannot be assigned to a user backed by the oidc identity provider.

Configuration

  • The oidc identity provider needs to be configured before it can be used.
  • The oidc identity provider can be disabled with the DISABLE_IDP_OIDC feature flag.
  • The oidc identity provider’s inclusion or appearance on the UI’s login page can be configured in the UI settings.

Settings Example

base-settings.yaml
iam:
  providers:
    gitlab: # You can choose the ID of the oidc provider instance
      provider: oidc # You cannot choose this, it must always be `oidc`
      label: GitLab
      about: Use your GitLab account to sign in to Morio
      issuer: https://git.morio.it
      client_id: 9f8afda548c112e70323ff60ff3d080b3216c691a05e69ca8b08e146085adf27
      client_secret: "{{{ GITLAB_OIDC_SECRET }}}"
      username_field: email
      rbac: 
        user: 
          attribute: email 
          regex: .
        engineer:
          attribute: email
          list:
            - mario@morio.it
            - luigi@morio.it
  ui:
    visibility:
      # Use 'tab' to show the identity provider 
      # as a tab on the login page
      gitlab: tab
    order:
      gitlab: 1
secrets:
  GITLAB_OIDC_SECRET: "Your GitLab secret here"