Authentication

After installation, Coroot will prompt you to set a password for the admin user.

To prevent someone else from setting the admin password before you, you can specify the initial password using the --auth-bootstrap-admin-password CLI argument or the AUTH_BOOTSTRAP_ADMIN_PASSWORD environment variable. This initial password can be changed later through the UI.

Anonymous mode

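To disable authentication, use the --auth-anonymous-role CLI argument or the AUTH_ANONYMOUS_ROLE environment variable, setting it to one of the following roles: Admin, Editor, or Viewer. The selected role is assigned to the anonymous user, so everyone who can reach the Coroot UI gets that level of access without logging in.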

Reset admin password

To reset the admin password, use the following command:

$ coroot set-admin-password
Enter new password:
Confirm new password:
Admin password set successfully.

Manage users

To manage Coroot users, go to Project Settings and click Organization.

To add a new user, click "Add user", fill out the form, and select a role.

The Coroot Community Edition includes three predefined roles: Admin, Editor, and Viewer. The Enterprise Edition allows you to create custom roles with granular permissions.

Single Sign-On (SSO)

Single Sign-On is available only in Coroot Enterprise (from $1 per CPU core/month).

The Single Sign-On (SSO) feature streamlines user authentication by allowing team members to access the Coroot platform using a single set of credentials linked to an identity provider, such as Google Workspace, Okta, or other SSO solutions. With SSO, users no longer need to manage separate passwords for Coroot, enhancing both security and user experience.

Coroot's Single Sign-On (SSO) uses the SAML protocol, where Coroot acts as the service provider (SP). SAML allows users to log in through an identity provider (IdP) and access Coroot without needing separate credentials. This makes the login process easier and more secure by centralizing authentication through the IdP.

Setup SAML with Okta

  • Log in to the Okta portal.
  • Go to the Admin Console in your Okta organization.
  • Navigate to Applications > Applications.
  • Click Create App Integration.
  • Select SAML 2.0 as the Sign-in method.
  • Click Next.
  • On the General Settings tab, enter a name for your Coroot integration. You can also upload the logo.
  • On the Configure SAML tab:
    • For both the Single sign on URL and Audience URI (SP Entity ID) fields, use the https://COROOT_ADDRESS/sso/saml URL.
    • In the Attribute Statements section, configure the Email, FirstName, and LastName attributes.
  • Click Next.
  • On the final Feedback tab, fill out the form and then click Finish.
  • Download the Identity Provider Metadata XML using the Metadata URL.
  • Configure and enable SAML authentication for Coroot.

Setup SAML with Keycloak

  • Log in to Keycloak as an administrator.
  • Select Clients, then click Create client.
  • Click Next and configure the Home URL and Valid redirect URIs fields.
  • Save the client.
  • Under the Keys tab, set Client signature required to Off.
  • Navigate to the Client scopes tab and click http://<COROOT ADDRESS>/sso/saml-dedicated.
  • Click Add predefined mapper, select the X500 email, X500 givenName, and X500 surname attributes, and click Add.
  • Configure attributes mapping. Coroot expects to receive the following attributes: Email, FirstName, and LastName.
    • Click X500 email and set SAML Attribute Name to Email, and SAML Attribute NameFormat to Basic.
    • Click X500 givenName and set SAML Attribute Name to FirstName, and SAML Attribute NameFormat to Basic.
    • Click X500 surname and set SAML Attribute Name to LastName, and SAML Attribute NameFormat to Basic.
  • Within your realm, select Realm settings and download the SAML 2.0 Identity Provider Metadata.
  • Configure and enable SAML authentication for Coroot.
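
A check for the attribute mapping configured in the Okta and Keycloak steps above, as an added example that is not part of the Coroot documentation or code: it decodes a SAMLResponse captured from the browser during a test login and reports which of Email, FirstName, and LastName are missing or misnamed. The function name, the sample response, and the assumption that attribute names are matched case-sensitively are illustrative.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EXPECTED = ("Email", "FirstName", "LastName")  # attribute names listed on this page


def check_attributes(saml_response_b64):
    """Return a list of problems with the attributes in a captured SAMLResponse.

    Troubleshooting aid only: it does not verify the signature.
    Assumption: attribute names are matched as exact, case-sensitive strings.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.find(".//saml:EncryptedAssertion", NS) is not None:
        return ["assertion is encrypted; attributes cannot be inspected here"]
    found = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        text = value.text if value is not None and value.text else ""
        found[attr.get("Name", "")] = text.strip()
    problems = []
    for name in EXPECTED:
        if name in found:
            if not found[name]:
                problems.append(f"{name}: present but empty")
            continue
        # Point out near misses that differ only in letter case.
        near = [n for n in found if n.lower() == name.lower()]
        hint = f" (IdP sent {near[0]!r})" if near else ""
        problems.append(f"{name}: missing{hint}")
    return problems


# Constructed sample: FirstName has the wrong case and the surname is sent
# under an OID-style name, so only Email matches.
SAMPLE_RESPONSE = base64.b64encode(b"""
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Assertion><saml:AttributeStatement>
  <saml:Attribute Name="Email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="firstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="urn:oid:2.5.4.4"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement></saml:Assertion>
</samlp:Response>""".strip()).decode()

if __name__ == "__main__":
    for problem in check_attributes(SAMPLE_RESPONSE):
        print(problem)
```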

Configure SAML for Coroot

  • Navigate to the Project Settings > Organization > Single Sign-On (SAML) section.
  • Use the Upload Identity Provider Metadata XML button to upload the IdP metadata file that was previously downloaded.
  • Click Save and Enable.
  • Once Single Sign-On is enabled, Coroot will redirect your team members to the Identity Provider for authentication.

Each team member authenticated through the Identity Provider will be displayed in the Users list in Coroot, allowing you to manually change their roles.

Troubleshooting

If you encounter any issues with SSO, use the http://<COROOT_ADDRESS>/login page and the admin user credentials to log in to your Coroot instance.
