As the lab setup is getting more developed, I looked into setting up an Identity and Access Management (IAM) provider to provide authentication capabilities to Pangolin for single sign-on (SSO). Following the setup, I would be able to add users through this provider and have a streamlined way of doing authorization for my apps. Note that Pangolin does have its own authentication and user management - this exercise is primarily to become more knowledgeable with OpenID Connect (OIDC) and how it provides authentication. The majority of the self-hosted applications I am using are "community edition", which means they usually lack the bells and whistles that corporations use (such as SSO).

The OIDC provider I'm looking into is Authentik. A quick Google search turns up a number of other alternatives:

Authentik seems more widely used and has good documentation - my use case does not require an enterprise solution, but this could also be used in a small business scenario.

The first challenge is getting the PostgreSQL database shared amongst multiple services. For instance, I recently self-hosted rybbit to provide an open source equivalent to Google Analytics. This application brings up a Postgres database - which I should re-use to be memory/CPU efficient. At a glance, the default image shipped from Docker Hub only allows for one Postgres user - and the suggestions are to either create your own image, or mount a volume of scripts into the container (which it will run on startup). Although neither is ideal, the least intrusive is mounting the volume, since I will not need to rebuild the image if I want to upgrade the Postgres version. Luckily there are some scripts (MIT licensed) that can help us out. There was this article which has a slightly more intuitive syntax for the script, and I'm not too worried about having the same user/password for multiple databases.
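As an added example (not the linked script and not part of the official image), here is a minimal init script in the spirit of the mounted-volume approach: one database per comma-separated entry, each owned by the main superuser unless an entry names its own owner. The variable name POSTGRES_MULTIPLE_DATABASES, the `db` / `db:owner` entry format, and the mount path are my assumptions; the rest relies only on the official image running `*.sh` files from /docker-entrypoint-initdb.d/ on first start.

```shell
#!/usr/bin/env sh
# Assumed to be mounted at /docker-entrypoint-initdb.d/create-databases.sh.
# Reads POSTGRES_MULTIPLE_DATABASES (assumed name), e.g. "rybbit,authentik:authentik",
# and creates each database so several services share one Postgres server.
set -eu

# Names are spliced into SQL, so only letters, digits and underscores are accepted.
# A stricter check here is cheaper than debugging a quoting mistake at first boot.
valid_name() {
  case "$1" in
    ''|*[!A-Za-z0-9_]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Print the CREATE DATABASE statement for one database/owner pair.
# Identifiers are double-quoted so Postgres keeps the exact casing given.
render_sql() {
  db="$1"; owner="$2"
  valid_name "$db" || { echo "refusing invalid database name: $db" >&2; return 1; }
  valid_name "$owner" || { echo "refusing invalid owner name: $owner" >&2; return 1; }
  printf 'CREATE DATABASE "%s" OWNER "%s";\n' "$db" "$owner"
}

# Expand the comma-separated list into SQL; entries without ":owner" fall back
# to the default owner (POSTGRES_USER when run inside the container).
create_all() {
  list="$1"; default_owner="$2"
  old_ifs=$IFS; IFS=','
  for entry in $list; do
    case "$entry" in
      *:*) db="${entry%%:*}"; owner="${entry#*:}" ;;
      *)   db="$entry"; owner="$default_owner" ;;
    esac
    render_sql "$db" "$owner"
  done
  IFS=$old_ifs
}

# Only talk to the server when running as an init script inside the image;
# ON_ERROR_STOP makes a failed statement abort the container's first start
# instead of silently leaving a service without its database.
if [ -n "${POSTGRES_MULTIPLE_DATABASES:-}" ] && command -v psql >/dev/null 2>&1; then
  create_all "$POSTGRES_MULTIPLE_DATABASES" "$POSTGRES_USER" \
    | psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "${POSTGRES_DB:-$POSTGRES_USER}"
fi
```

Because the image only runs init scripts against an empty data directory, the script is a no-op on every later restart; new databases added to the list after first boot have to be created by hand.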

Once the database was set up, the documentation for integrating the identity provider with Pangolin was straightforward. After setting up the admin account and configuring the OIDC information on both sides of the fence (callbacks, client ID, client secret, etc.), the last hurdle was mapping the default policies for the Pangolin organization. There was another article that helped out, describing how to use the built-in expressions to declare default roles.

For the last bit of fun, I integrated another IAM provider in the form of Trimble Identity (full disclosure: I work for Trimble). After following the documentation for TID and the same steps I used to set up Authentik, I now had another IAM provider.