Identity Providers
Identity providers allow users to authenticate with OctoMesh using external identity systems such as Google, Microsoft, Azure Entra ID, LDAP, or Active Directory. Each tenant configures its own set of providers independently.
The Identity Providers page requires the TenantManagement role. It is only visible in the sidebar if you have this role assigned.
Accessing Identity Providers
Navigate to Identity > Identity Providers to access the provider management interface.
The list shows all configured identity providers:
| Column | Description |
|---|---|
| Name | Display name of the provider |
| Type | Provider type (e.g., Google, Azure Entra ID, OpenLDAP) |
| Enabled | Whether the provider is active |
| Description | Optional description |
Toolbar Actions
| Button | Description |
|---|---|
| New Provider | Configure a new identity provider |
| Search | Filter providers by name or type |
| Export to Excel | Export the provider list to an Excel file |
| Export to PDF | Export the provider list to a PDF file |
| Refresh Data | Reload the provider list |
Row and Context Actions
| Action | Description |
|---|---|
| Edit | Open the provider in the edit form |
| Delete | Delete the provider (context menu, with confirmation) |
Creating an Identity Provider
Click New Provider to open the provider creation form.
Provider Type
First, select the provider type from the dropdown. The form dynamically shows the relevant configuration fields based on the selected type.
| Type | Description |
|---|---|
| Google | Google OAuth 2.0 authentication |
| Microsoft | Microsoft Account OAuth 2.0 authentication |
| Facebook | Facebook OAuth 2.0 authentication |
| Azure Entra ID | Corporate Azure AD / Entra ID authentication |
| OpenLDAP | LDAP directory authentication |
| Active Directory | Microsoft Active Directory (LDAPS) |
| OctoTenant | Cross-tenant authentication via a parent tenant |
General Information
These fields are shown for all provider types:
| Field | Required | Description |
|---|---|---|
| Name | Yes | Display name for the provider (shown on the login page) |
| Description | No | Optional description |
| Enabled | — | Whether the provider is active (checkbox) |
Login Configuration
These options control how new users are handled:
| Field | Description |
|---|---|
| Allow Self-Registration | When enabled, users who authenticate via this provider are automatically registered in the tenant on first login. When disabled, users must be pre-created by an administrator. |
| Default Group | When set, new users from this provider are automatically added to the selected group, inheriting all of its roles. |
Use the Default Group setting to automatically grant a baseline set of permissions to all users from a specific provider. For example, set it to a "Viewers" group so all new users can immediately view dashboards.
OAuth Configuration (Google, Microsoft, Facebook, Azure Entra ID)
| Field | Required | Description |
|---|---|---|
| Client ID | Yes | OAuth client ID from the provider's developer console |
| Client Secret | Yes | OAuth client secret from the provider's developer console |
In edit mode, the client secret is not displayed (it is stored encrypted). Click Set New Secret to replace it.
Azure Entra ID Configuration
Shown in addition to the OAuth fields when Azure Entra ID is selected:
| Field | Required | Description |
|---|---|---|
| Tenant ID | Yes | Azure AD tenant ID (directory ID) |
| Authority | No | Authority URL (defaults to https://login.microsoftonline.com) |
Directory Server Configuration (OpenLDAP, Active Directory)
| Field | Required | Description |
|---|---|---|
| Host | Yes | LDAP server hostname or IP address |
| Port | Yes | LDAP server port (typically 636 for LDAPS) |
| Use TLS | — | Enable TLS encryption (checkbox) |
User Configuration (OpenLDAP only)
| Field | Required | Description |
|---|---|---|
| User Base DN | Yes | Base Distinguished Name for user searches (e.g., ou=users,dc=example,dc=com) |
| User Name Attribute | Yes | LDAP attribute used as the username (e.g., uid) |
OctoTenant Configuration
| Field | Required | Description |
|---|---|---|
| Parent Tenant ID | Yes | The tenant ID of the parent tenant to authenticate against |
The OctoTenant provider delegates authentication to a parent tenant. Users from the parent tenant can then log into this tenant using their existing credentials. See the Cross-Tenant Authentication technology guide for details.
Click Save to create the provider or Cancel to discard.
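The Login Configuration and Directory Server Configuration settings interact with the provider type, so it helps to review them together across all providers of a tenant. The following Python check is an added example, not part of OctoMesh: the record layout and key names are assumptions that mirror the form fields above, and the sample inventory is constructed. It also assumes the Google, Microsoft and Facebook OAuth apps are not restricted to a single organization.

```python
# Constructed sample inventory. Keys mirror the form fields on this page;
# the dict layout is an assumption, not an OctoMesh export format.
PROVIDERS = [
    {"name": "Google", "type": "Google", "enabled": True,
     "allow_self_registration": True, "default_group": "Operators"},
    {"name": "Corp Entra", "type": "Azure Entra ID", "enabled": True,
     "allow_self_registration": True, "default_group": "Viewers"},
    {"name": "Plant LDAP", "type": "OpenLDAP", "enabled": True,
     "allow_self_registration": False, "default_group": None,
     "port": 389, "use_tls": False},
    {"name": "Facebook", "type": "Facebook", "enabled": False,
     "allow_self_registration": True, "default_group": "Viewers"},
]

# Assumption: these OAuth apps are not restricted to one organization, so
# anyone holding a consumer account can complete the login.
OPEN_ENROLLMENT = {"Google", "Microsoft", "Facebook"}
DIRECTORY = {"OpenLDAP", "Active Directory"}


def audit(providers):
    """Return (provider name, finding) pairs for active providers."""
    findings = []
    for p in providers:
        if not p.get("enabled"):
            continue  # only active providers are reviewed
        self_reg = p.get("allow_self_registration", False)
        group = p.get("default_group")
        if p["type"] in OPEN_ENROLLMENT and self_reg:
            if group:
                # First login registers the user AND grants the group's roles.
                findings.append((p["name"], f"self-registration grants roles of group '{group}'"))
            else:
                findings.append((p["name"], "self-registration creates tenant users"))
        if p["type"] in DIRECTORY and not p.get("use_tls", False):
            findings.append((p["name"], "Use TLS is off: LDAP traffic is unencrypted"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(PROVIDERS):
        print(f"{name}: {finding}")
```

A self-registration finding is resolved by disabling Allow Self-Registration for that provider or by pointing Default Group at a group that carries only the roles every new user should have.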
Editing an Identity Provider
Click Edit on a provider row to open the edit form. The provider type cannot be changed after creation. All other fields can be modified.
Deleting an Identity Provider
Right-click a provider and select Delete. Confirm the deletion in the dialog.
Deleting an identity provider prevents all users who rely on it from logging in. Users who have only registered via this provider will no longer be able to authenticate. Make sure to provide an alternative authentication method before deleting a provider.
Default Identity Providers
The system tenant is automatically configured with two default identity providers:
| Provider | Type | Enabled |
|---|---|---|
| Google | Google OAuth 2.0 | No (disabled by default) |
| Microsoft | Microsoft Account OAuth 2.0 | No (disabled by default) |
To enable them, edit the provider and supply the required Client ID and Client Secret from the respective developer consoles, then set Enabled to true.
Child tenants do not receive Google and Microsoft providers by default. Instead, they automatically receive an OctoTenant provider pointing to the parent tenant, enabling cross-tenant authentication. You can manually add additional providers as needed.