MinIO supports multiple external identity managers through the following IDentity Providers (IDP):
The following tutorials provide specific guidance for select IDP software:
Users can authenticate against MinIO using their externally managed credentials and the related Security Token Service (STS) API. Once authenticated, MinIO attempts to associate the user with one or more configured policies. A user with no associated policies has no permissions on the MinIO deployment.
MinIO supports using an OpenID Connect (OIDC) compatible IDentity Provider (IDP) such as Okta, KeyCloak, Dex, Google, or Facebook for external management of user identities. Configuring an external IDP enables Single-Sign On workflows, where applications authenticate against the external IDP before accessing MinIO.
MinIO uses Policy Based Access Control (PBAC) to define the actions and resources to which an authenticated user has access. MinIO supports creating and managing policies which an externally managed user can claim.
MinIO by default looks for a
policy claim and reads a list of one or more policies to assign. MinIO attempts to match existing policies to those specified in the JWT claim.
If none of the specified policies exist on the MinIO deployment, MinIO denies authorization for any and all operations issued by that user.
For example, consider a claim with the following key-value assignment:
The specified policy claim directs MinIO to attach the policies with names matching
read_logs to the authenticated user.
See OpenID Connect Access Management for more information on mapping MinIO policies to an OIDC-managed identity.
You can use a JWT Debugging tool to decode the returned JWT token and validate that the user attributes include the specified claim. See RFC 7519: JWT Claim for more information on JWT claims. Defer to the documentation for your preferred OIDC provider for instructions on configuring user claims.
MinIO supports using an Active Directory or LDAP (AD/LDAP) service for external management of user identities. Configuring an external IDentity Provider (IDP) enables Single-Sign On (SSO) workflows, where applications authenticate against the external IDP before accessing MinIO.
MinIO queries the configured Active Directory / LDAP server to verify the credentials specified by the application and optionally return a list of groups in which the user has membership. This process, called Lookup-Bind mode, uses an AD/LDAP user with minimal permissions, only sufficient to authenticate with the AD/LDAP server for user and group lookups.
MinIO uses Policy Based Access Control (PBAC) to define the actions and resources to which an authenticated user has access. When using an Active Directory/LDAP server for identity management (authentication), MinIO maintains control over access (authorization) through PBAC.
When a user successfully authenticates to MinIO using their AD/LDAP credentials, MinIO searches for all policies which are explicitly associated to that user’s Distinguished Name (DN).
Specifically, the policy must be assigned to a user with a matching DN using the
mc idp ldap policy attach command.
MinIO also supports querying for the user’s AD/LDAP group membership. MinIO attempts to match existing policies to the DN for each of the user’s groups. The authenticated users complete set of permissions consists of its explicitly assigned and group-inherited policies. See Group Lookup for more information.
MinIO uses deny-by-default behavior where a user with no explicitly assigned or group-inherited policies cannot access any resource on the MinIO deployment.
MinIO supports querying the Active Directory / LDAP server for a list of groups in which the authenticated user has membership. MinIO attempts to match existing policies to each group DN and assigns each matching policy to the authenticated user.
The MinIO Operator Console provides the necessary fields for configuring Group Lookup as part of configuring AD/LDAP identity management for new or existing MinIO Tenants.