Identity Providers
Identity providers allow users to authenticate with OctoMesh using external identity systems. Each tenant can configure multiple providers independently.
Provider Types
| Type | Use Case | Key Properties |
|---|---|---|
| Google | Google OAuth 2.0 | ClientId, ClientSecret |
| Microsoft | Microsoft Account OAuth 2.0 | ClientId, ClientSecret |
| Facebook | Facebook OAuth 2.0 | ClientId, ClientSecret |
| Azure Entra ID | Corporate Azure AD / Entra ID | TenantId, ClientId, ClientSecret, Authority |
| OpenLDAP | LDAP directory authentication | Host, Port, UserBaseDn, UserNameAttribute |
| Active Directory | Microsoft Active Directory (LDAPS) | Host, Port |
| OctoTenant | Cross-tenant authentication via parent tenant | ParentTenantId |
Common Properties
All identity providers share these base properties:
| Property | Description | Default |
|---|---|---|
| Name | Unique display name (3-100 chars) | — |
| IsEnabled | Whether the provider is active | — |
| AllowSelfRegistration | Allow new users to register on first login | true |
| DefaultGroupRtId | RtId of a group to assign to new users | null |
| Description | Optional description | null |
AllowSelfRegistration
When true (default), any user who authenticates via this provider is automatically registered in the tenant on first login. For providers whose user base is the general public (Google, Microsoft Account, Facebook), this means anyone holding an account at that provider can register in the tenant. When false, users must be pre-created by an administrator before they can log in.
DefaultGroupRtId
When set, new users who register via this provider are automatically added to the specified group, inheriting all of that group's roles. This is useful for granting a baseline set of permissions to all users from a particular provider.
Configuring Providers via CLI
OAuth Providers (Google, Microsoft, Facebook)
```bash
octo-cli -c AddOAuthIdentityProvider \
  -n "Google Login" \
  -t "google" \
  -cid "<client-id>" \
  -cs "<client-secret>" \
  -e true \
  -asr true \
  -dgid "<default-group-rtid>"
```
Azure Entra ID
```bash
octo-cli -c AddAzureEntryIdIdentityProvider \
  -n "Corporate Azure AD" \
  -t "<azure-tenant-id>" \
  -cid "<client-id>" \
  -cs "<client-secret>" \
  -e true \
  -asr true \
  -dgid "<default-group-rtid>"
```
OpenLDAP
```bash
octo-cli -c AddOpenLdapIdentityProvider \
  -n "Corporate LDAP" \
  -h "ldap.example.com" \
  -p 636 \
  -ubdn "cn=users,dc=example,dc=com" \
  -uan "uid" \
  -e true \
  -asr false
```
Active Directory
```bash
octo-cli -c AddAdIdentityProvider \
  -n "Corporate AD" \
  -h "ad.example.com" \
  -p 636 \
  -e true
```
OctoTenant (Cross-Tenant)
```bash
octo-cli -c AddOctoTenantIdentityProvider \
  -n "Parent Tenant Auth" \
  -ptid "<parent-tenant-id>" \
  -e true \
  -asr true \
  -dgid "<default-group-rtid>"
```
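The following shell wrapper is an added example and is not part of the OctoMesh documentation or tooling. It front-ends the `AddOAuthIdentityProvider` and `AddOpenLdapIdentityProvider` invocations shown above with the checks an administrator would want before a provider goes live: the 3-100 character limit on `Name`, literal `true`/`false` for `-e` and `-asr`, the LDAPS port (636) used in the examples, and a warning when `AllowSelfRegistration` is switched on for a public OAuth provider. The client secret is read from an `OCTO_CLIENT_SECRET` environment variable rather than typed on the command line, so it stays out of shell history. Only the `octo-cli` flags that appear on this page are used; `OCTO_DRY_RUN`, `OCTO_CLIENT_SECRET` and the function names are this example's own conventions, and the hard refusal of non-LDAPS ports is this example's policy, not a rule of the product.

```shell
#!/bin/sh
# Added example (not OctoMesh code). Validates provider settings against the
# constraints stated in the Common Properties table, then runs octo-cli with
# the flags shown on this page. OCTO_DRY_RUN=1 prints the command instead.

validate_name() {                 # Name: 3-100 characters
  n=${#1}
  [ "$n" -ge 3 ] && [ "$n" -le 100 ]
}

validate_bool() {                 # -e / -asr take literal true or false
  case "$1" in
    true|false) return 0 ;;
    *)          return 1 ;;
  esac
}

is_ldaps_port() {                 # numeric and equal to the LDAPS port 636
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -eq 636 ]
}

# Returns 0 when the combination deserves a warning: a public OAuth provider
# with self-registration on lets anyone with an account at that provider
# register in the tenant on first login (see AllowSelfRegistration above).
open_registration_risk() {        # $1 = provider type, $2 = -asr value
  case "$1" in
    google|microsoft|facebook) [ "$2" = "true" ] ;;
    *) return 1 ;;
  esac
}

# Executes octo-cli, or with OCTO_DRY_RUN=1 prints the command line. In
# dry-run mode the argument after -cs is replaced by REDACTED so the secret
# never reaches stdout or a log file (output is for display; args are not
# re-quoted).
run_octo() {
  if [ "${OCTO_DRY_RUN:-0}" != "1" ]; then
    octo-cli "$@"
    return $?
  fi
  line="octo-cli"; prev=""
  for arg in "$@"; do
    if [ "$prev" = "-cs" ]; then line="$line REDACTED"; else line="$line $arg"; fi
    prev=$arg
  done
  printf '%s\n' "$line"
}

# add_oauth_provider NAME TYPE CLIENT_ID ENABLED SELF_REG [GROUP_RTID]
# Secret comes from $OCTO_CLIENT_SECRET (this example's convention).
add_oauth_provider() {
  name=$1; type=$2; cid=$3; enabled=$4; selfreg=$5; group=${6:-}
  validate_name "$name"     || { echo "name must be 3-100 chars" >&2; return 1; }
  validate_bool "$enabled"  || { echo "-e must be true|false" >&2; return 1; }
  validate_bool "$selfreg"  || { echo "-asr must be true|false" >&2; return 1; }
  [ -n "${OCTO_CLIENT_SECRET:-}" ] || { echo "OCTO_CLIENT_SECRET not set" >&2; return 1; }
  if open_registration_risk "$type" "$selfreg"; then
    echo "warning: any $type account can self-register; point -dgid at a baseline group" >&2
  fi
  if [ -n "$group" ]; then
    run_octo -c AddOAuthIdentityProvider -n "$name" -t "$type" -cid "$cid" \
      -cs "$OCTO_CLIENT_SECRET" -e "$enabled" -asr "$selfreg" -dgid "$group"
  else
    run_octo -c AddOAuthIdentityProvider -n "$name" -t "$type" -cid "$cid" \
      -cs "$OCTO_CLIENT_SECRET" -e "$enabled" -asr "$selfreg"
  fi
}

# add_openldap_provider NAME HOST PORT USER_BASE_DN USERNAME_ATTR ENABLED SELF_REG
# Refuses ports other than 636 (this example's policy: LDAPS only, as in the
# examples on this page).
add_openldap_provider() {
  name=$1; host=$2; port=$3; basedn=$4; attr=$5; enabled=$6; selfreg=$7
  validate_name "$name"    || { echo "name must be 3-100 chars" >&2; return 1; }
  validate_bool "$enabled" || { echo "-e must be true|false" >&2; return 1; }
  validate_bool "$selfreg" || { echo "-asr must be true|false" >&2; return 1; }
  is_ldaps_port "$port"    || { echo "port $port is not the LDAPS port 636" >&2; return 1; }
  run_octo -c AddOpenLdapIdentityProvider -n "$name" -h "$host" -p "$port" \
    -ubdn "$basedn" -uan "$attr" -e "$enabled" -asr "$selfreg"
}

# Usage (dry run, nothing is sent to octo-cli; secret value is constructed):
#   OCTO_DRY_RUN=1 OCTO_CLIENT_SECRET=example-secret \
#     add_oauth_provider "Google Login" google my-client-id true true grp-rtid
```

Run it once with `OCTO_DRY_RUN=1` to confirm the generated command line, then unset the variable to execute against the tenant. Keeping the secret in the environment and masking it in dry-run output is the point of the wrapper: the `-cs` value is the one argument that must never end up in a ticket, a CI log or `~/.bash_history`.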
See Cross-Tenant Authentication for details on how OctoTenant providers work.
Update Provider
The update command works for all provider types. It fetches the existing provider, preserves type-specific properties, and applies the changes:
```bash
octo-cli -c UpdateIdentityProvider \
  -id "<provider-rtid>" \
  -n "Updated Name" \
  -e true \
  -asr false \
  -dgid "<default-group-rtid>"
```
For OAuth-based providers, you can also update the client credentials:
```bash
octo-cli -c UpdateIdentityProvider \
  -id "<provider-rtid>" \
  -n "Updated Name" \
  -e true \
  -cid "<new-client-id>" \
  -cs "<new-client-secret>"
```
Delete Provider
```bash
octo-cli -c DeleteIdentityProvider -id "<provider-rtid>"
```
List Providers
```bash
octo-cli -c GetIdentityProviders
```