Run Commands


Learn how to authenticate with Auth0.

Before You Start #

  • You must have an Enterprise Server set up.
  • This guide assumes you are using the embedded proxy.
  • This guide uses Auth0 as an example; if you do not have an Auth0 account, sign up for one and create your Pool of Users.

1. Register With Your IdP #

  1. Log in to your Auth0 account.
  2. In Applications, click Create Application.
  3. Type the name of your application, such as Pachyderm.
  4. In the application type, select Regular Web Application.
  5. Click Create.
  6. Go to the application settings.
  7. Scroll down to Application URIs.
  8. In the Allowed Callback URLs, add the Pachyderm callback link in the following format:
# Dex's issuer URL + "/callback"
  1. Scroll down to Show Advanced Settings.
  2. Select Grant Types.
  3. Verify that Authorization Code and Refresh Token are selected.

Auth0 Grant Settings

2. Set Up Connector #

  1. Create a JSON or YAML connector config file that matches your IdP.
  1. Update the following attributes:
idThe unique identifier of your connector (string).
nameIts full name (string).
typeThe type of connector. (oidc, saml).
versionThe version of your connector (integer - default to 0 when creating a new connector)
issuerThe domain of your application (here in Auth0). For example, Note the trailing slash.
client_idThe Pachyderm Client ID (here in Auth0). The client ID consists of alphanumeric characters and can be found on the application
settings page.
client_secretThe Pachyderm client secret (here in Auth0) located on the application settings page.
redirect_uriThis parameter should match what you have added to Allowed Callback URLs when registering Pachyderm on your IdP website.
  1. Open your Helm values.yml file.
  2. Find the oidc.upstreamIDPs section.
  3. Input your connector info; Pachyderm stores this value in the platform secret pachyderm-identity in the key upstream-idps.
upstream-idps: |
    - type: github
    id: github
    name: GitHub
    jsonConfig: >-
        "clientID": "xxx",
        "clientSecret": "xxx",
        "redirectURI": "",
        "loadAllGroups": true

Alternatively, you can create a secret containing your dex connectors (Key: upstream-idps) and reference its name in the field oidc.upstreamIDPsSecretName.

3. Login #

The users registered with your IdP are now ready to Log in to Pachyderm

Considerations #

Ingress #

When using an ingress:

  • redirect_uri must be changed to point to https://domain-name/dex/callback. (Note the additional /dex/)
  • TLS requires all non-localhost redirectURIs to be HTTPS.
    • You must use TLS when deploying on Azure.
    • When using Azure Active Directory, add the following to the oidc config:
        "claimMapping": {
            "email": "preferred_username"