Identity Providers Guide
In Morio, all HTTP-based authentication is backed by Identity Providers (IDPs), a modular way to configure authentication backends for your Morio deployment.
Morio supports the following types of identity providers:
Morio Root Token
The Morio Root Token identity provider (mrt
) allows authentication with
the Morio Root Token.
Purpose
- The
mrt
identity provider is intended to be used as the very first Morio login before other identity providers are set up. - The
mrt
identity provider also serves as a sort of break glass fallback that can be used when other identity providers are unavailable.
Restrictions
- The
mrt
identity provider requires the Morio Root Token to authenticate, which is created at the initial setup of Morio, and only shown at that time. - The
mrt
identity provider only takes the Morio Root Token as input — there is no username. - You can only have 1 instance of the
mrt
identity provider.
Provider-specific functionality
- This is the only identity provider that can grant the
root
role.
Roles
- The
mrt
identity provider grants you theroot
role, the highest role in a Morio system. - The
mrt
identity provider supports dropping privileges by requesting any role lower thanroot
.
Configuration
- The
mrt
identity provider is built-in and does not require configuration. - The
mrt
identity provider can be disabled with theDISABLE_IDP_MRT
feature flag. - The
mrt
identity provider’s inclusion or appearance on the UI’s login page can be configured in the UI settings.
Settings Example
- Base Settings
- Settings Overlay
iam:
providers:
mrt:
# A label is optional
# Defaults to the ID of the identity provider (mrt)
mrt: Morio Root Token
ui:
visibility:
# Use 'icon' to hide the identity provider
# behind a lock icon on the login page
mrt: icon
order:
mrt: 10
iam.ui.providers.mrt.label: Morio Root Token
iam.ui.visibility.mrt: icon
iam.ui.order.mrt: 10
Morio API Keys
The Morio API Keys identity provider allows authentication with a Morio API Key and its matching secret.
Purpose
- The
apikey
identity provider is intended for automated access, scripts, CI/CD pipelines, cron jobs, and so on. - The
apikey
identity provider is not intended for human operators, although it is commonly used by developers when working on Morio API integration.
Restrictions
- The
apikey
identity provider does not allow choosing the API Key (username) or Secret (password). - The
apikey
identity provider does not support dropping privileges by assuming a different role — only the role assigned to the API Key can be used. - You can only have 1 instance of the
apikey
identity provider, and its ID must always beapikey
.
Provider-specific functionality
- The
apikey
identity provider allows creating API Keys by any Morio user. - The Morio Management API provides various endpoints to handle API Keys.
Roles
- The
apikey
identity provider allows for any role up toengineer
. Theroot
role cannot be assigned to an API Key. - The
apikey
identity provider does not allow creating an API Key with a role higher than one’s own.
Configuration
- The
apikey
identity provider is built-in and does not require configuration. - The
apikey
identity provider can be disabled with theDISABLE_IDP_APIKEY
feature flag. - The
apikey
identity provider’s inclusion or appearance on the UI’s login page can be configured in the UI settings.
Settings Example
- Base Settings
- Settings Overlay
iam:
providers:
apikey:
# A label is optional
# Defaults to the ID of the identity provider (mrt)
label: API Key
ui:
visibility:
# Use 'icon' to hide the identity provider
# behind a lock icon on the login page
apikey: icon
order:
apikey: 20
iam.providers.apikey.label: API Key
iam.ui.visibility.mrt: icon
iam.ui.order.mrt: 10
Morio Accounts
The Morio Accounts identity provider allows authentication with the username, password, and TOTP token of a Local Morio User Account.
Purpose
- The
local
identity provider is intended for access by humans. - The
local
identity provider is most suitable for smaller setups where no centralised identity provider — such as OpenID Connect or LDAP — is available, or as a backup when external identity providers are down.
Restrictions
- The
local
identity provider requires Multi-Factor Authentication (MFA). This is mandatory and cannot be disabled. - You can only have 1 instance of the
local
identity provider, and its ID must always belocal
.
Provider-specific functionality
- The
local
identity provider allows any user with the rolemanager
or higher to create local Morio accounts. - The
local
identity provider generates an invite code and URL to be shared with users, facilitating onboarding. - The
local
identity provider will provide scratch codes to the user that can be used when their device used to generate the TOTP token is unavailable. - The Morio Management API provides various endpoints to handle Local Morio Accounts.
Roles
- The
local
identity provider allows for any role up toengineer
. Theroot
role cannot be assigned to a Local Morio Account. - The
local
identity provider does not allow creating a local Morio account with a role higher than one’s own.
Configuration
- The
local
identity provider is built-in and does not require configuration. - The
local
identity provider can be disabled with theDISABLE_IDP_LOCAL
feature flag. - The
local
identity provider’s inclusion or appearance on the UI’s login page can be configured in the UI settings.
Settings Example
- Base Settings
- Settings Overlay
iam:
providers:
local:
# A label is optional
# Defaults to the ID of the identity provider (local)
label: Morio Account
ui:
visibility:
# Use 'tab' to show the identity provider
# as a tab on the login page
local: tabs
order:
local: 3
iam.providers.local.label: Morio Account
iam.ui.visibility.local: tab
iam.ui.order.mrt: 3
LDAP
The LDAP identity provider allows authentication against an LDAP backend.
Purpose
- The
ldap
identity provider is intended for organisations that have pre-existing user identities available in an LDAP server or a system compatible with LDAP, such as Microsoft Active Directory. - The
ldap
identity provider is most suitable for environments where users already have an account on a different system that they also want to use to access Morio.
Restrictions
- None.
Provider-specific functionality
- The
ldap
identity provider allows configuring the assignment of Morio roles based on any field of the LDAP user object. - The
ldap
identity provider supports more than 1 instance of this provider, thus allowing you to use different LDAP backends simultaneously.
Roles
- The
ldap
identity provider allows for any role up toengineer
. Theroot
role cannot be assigned to a user backed by theldap
identity provider.
Configuration
- The
ldap
identity provider needs to be configured before it can be used. - The
ldap
identity provider can be disabled with theDISABLE_IDP_LDAP
feature flag. - The
ldap
identity provider’s inclusion or appearance on the UI’s login page can be configured in the UI settings.
Settings Example
- Base Settings
- Settings Overlay
iam:
providers:
ad: # You can choose the ID of the ldap provider instance
provider: ldap # You cannot choose this, it must always be `ldap`
label: Active Directory
about: This is your Active Directory account, the same you use to login to your computer.
server:
url: "ldaps://dc1.tokyo.morio.it
bindDN: "CN=morio-ldap,OU=Users,DC=tokyo,DC=morio,DC=it",
bindCredentials: "{{{ AD_PASSWORD }}}",
searchBase: "OU=Users-EU,DC=tokyo,DC=morio,DC=it",
searchFilter: "(&(objectClass=user)(samaccountname={{username}}))"
username_field: samaccountname
rbac:
user:
attribute: samaccountname
regex: .
engineer:
attribute: samaccountname
list:
- mario
- luigi
ui:
visibility:
# Use 'tab' to show the identity provider
# as a tab on the login page
ad: tab
order:
ad: 2
secrets:
AD_PASSWORD: "Your secret here"
iam.providers.ad:
provider: ldap
label: Active Directory
about: This is your Active Directory account, the same you use to login to your computer.
server:
url: "ldaps://dc1.tokyo.morio.it
bindDN: "CN=morio-ldap,OU=Users,DC=tokyo,DC=morio,DC=it",
bindCredentials: "{{{ AD_PASSWORD }}}",
searchBase: "OU=Users-EU,DC=tokyo,DC=morio,DC=it",
searchFilter: "(&(objectClass=user)(samaccountname={{username}}))"
username_field: samaccountname
rbac:
user:
attribute: samaccountname
regex: .
engineer:
attribute: samaccountname
list:
- mario
- luigi
iam.ui.visibility.ad: tab
iam.ui.order.ad: 2
secrets.AD_PASSWORD: "Your secret here"
OpenID Connect
The OpenID Connect identity provider allows authentication against an OpenID Connect (oidc
) provider.
Purpose
- The
oidc
identity provider is intended for organisations that have pre-existing user identities available in a system that supports OpenID Connect. - The
oidc
identity provider is most suitable for environments where users already have an account on a different system that they also want to use to access Morio.
Restrictions
- None.
Provider-specific functionality
- The
oidc
identity provider allows configuring the assignment of Morio roles based on any user property provided by the OpenID provider. - The
oidc
identity provider supports more than 1 instance of this provider, thus allowing you to use different OpenID providers simultaneously.
Roles
- The
oidc
identity provider allows for any role up toengineer
. Theroot
role cannot be assigned to a user backed by theoidc
identity provider.
Configuration
- The
oidc
identity provider needs to be configured before it can be used. - The
oidc
identity provider can be disabled with theDISABLE_IDP_OIDC
feature flag. - The
oidc
identity provider’s inclusion or appearance on the UI’s login page can be configured in the UI settings.
Settings Example
- Base Settings
- Settings Overlay
iam:
providers:
gitlab: # You can choose the ID of the oidc provider instance
provider: oidc # You cannot choose this, it must always be `oidc`
label: GitLab
about: Use your GitLab account to sign in to Morio
issuer: https://git.morio.it
client_id: 9f8afda548c112e70323ff60ff3d080b3216c691a05e69ca8b08e146085adf27
client_secret: "{{{ GITLAB_OIDC_SECRET }}}"
username_field: email
rbac:
user:
attribute: email
regex: .
engineer:
attribute: email
list:
- mario@morio.it
- luigi@morio.it
ui:
visibility:
# Use 'tab' to show the identity provider
# as a tab on the login page
gitlab: tab
order:
gitlab: 1
secrets:
GITLAB_OIDC_SECRET: "Your GitLab secret here"
iam.providers.gitlab:
provider: oidc
label: GitLab
about: Use your GitLab account to sign in to Morio
issuer: https://git.morio.it
client_id: 9f8afda548c112e70323ff60ff3d080b3216c691a05e69ca8b08e146085adf27
client_secret: "{{{ GITLAB_OIDC_SECRET }}}"
username_field: email
rbac:
user:
attribute: email
regex: .
engineer:
attribute: email
list:
- mario@morio.it
- luigi@morio.it
iam.ui.visibility.gitlab: tab
iam.ui.order.gitlab: 1
secrets.GITLAB_OIDC_SECRET: "Your GitLab secret here"