Product
Overview
What is AIStor?
Features
Replication Replication Console Console Cache Cache Encryption Encryption Versioning Versioning Observability Observability Object Immutability Object Immutability Key Management Server Key Management Server S3 Compatibility S3 Compatibility Identity + Access Mgt Identity + Access Mgt Catalog Catalog Object Prompt Object Prompt Lifecycle Lifecycle Firewall Firewall AIHub AIHub
Tools
Erasure Code Calculator Erasure Code Calculator Determine your raw and usable capacity across a range of erasure coding settings. Reference Hardware Reference Hardware MinIO’s recommended Configuration and reference hardware for building large scale data infrastructure.
Solutions
AI Storage Learn how MinIO is leading the AI storage market from its exclusive features to performance at scale. HDFS Migration Modernize and simplify your big data storage infrastructure with cloud native storage with AIStor. Snowflake Learn how to leverage Snowflake external tables to query data without having to move it.
Integrations Integrations with MinIO Browse our expansive list of
integrations with links to the relevant
documentation.
Veeam Learn how MinIO and Veeam have partnered deliver superior RTO and RPO. Modern Datalakes Learn how modern, multi-engine data lakeshouses depend on MinIO's AIStor. Equinix Repatriate your data onto the cloud you control with MinIO and Equinix. SQL Server Learn how to leverage SQL Server 2022 with MinIO to run queries on your data without having to move it. Commvault Learn how Commvault and MinIO are partnered to deliver performance at scale for mission critical backup and restore workloads. Hybrid Cloud Learn how enterprises use MinIO to build AI data infrastructure that runs on any cloud - public, private or colo. Splunk Find out how MinIO is delivering performance at scale for Splunk SmartStores. VMware Discover how MinIO integrates with VMware across the portfolio from the Persistent Data platform to TKG and how we support their Kubernetes ambitions.
Open Source
Github Community Explore, experiment, ask questions and contribute. Docs Development guides. Slack Channel Open Forum for discussing topics related to MinIO.
Download MinIO Object Store Get MinIO's open source server, client, and SDK.
Resources
Resources Home Browse our library of white papers, solution briefs, benchmarks and videos. Blog Product updates, company news, and educational content. Training Learn the MinIO Way and Become a Data Infrastructure Expert.
Events Join us to take advantage to meet with MinIO partners, employees, and subject-matter experts.
Partner Pricing Login Download

Documentation

MinIO Object Storage for Linux

OpenID Identity Management Settings

This page documents settings for enabling external identity management using an OpenID Connect (OIDC)-compatible provider. See OpenID Connect Access Management for a tutorial on using these settings.

You can establish or modify settings by defining:

  • an environment variable on the host system prior to starting or restarting the MinIO Server. Refer to your operating system’s documentation for how to define an environment variable.

  • a configuration setting using mc admin config set.

  • a configuration setting using the MinIO Console’s Administrator > Settings pages.

If you define both an environment variable and the similar configuration setting, MinIO uses the environment variable value.

Some settings have only an environment variable or a configuration setting, but not both.

Important

Each configuration setting controls fundamental MinIO behavior and functionality. MinIO strongly recommends testing configuration changes in a lower environment, such as DEV or QA, before applying to production.

Examples

MINIO_IDENTITY_OPENID_CONFIG_URL="https://openid-provider.example.net/.well-known/openid-configuration"

Use mc admin config set to set or update the OpenID configuration. The config_url argument is required. Specify additional optional arguments as a whitespace (" ")-delimited list.

mc admin config set identity_openid                                               \
  config_url="https://openid-provider.example.net/.well-known/openid-configuration" \
  [ARGUMENT="VALUE"] ...

Settings

Config URL

Required

Specify the URL for the OIDC compatible provider discovery document.

The OIDC Discovery URL typically resembles the following:

https://openid-provider.example.net/.well-known/openid-configuration

Enabled

Optional

This setting does not have an environment variable option. Use the Configuration Setting instead.

Set to false to disable the OpenID configuration.

Applications cannot generate STS credentials or otherwise authenticate to MinIO using the configured provider if set to false.

Defaults to true or “enabled”.

Client ID

Optional

Specify the unique public identifier MinIO uses when authenticating user credentials against the OIDC compatible provider.

Client Secret

Optional

Specify the client secret MinIO uses when authenticating user credentials against the OIDC compatible provider. This field may be optional depending on the provider.

Changed in version RELEASE.2023-06-23T20-26-00Z: MinIO redacts this value when returned as part of mc admin config get.

Role Policy

Optional

This setting is mutually exclusive with the Claim Name setting.

Specify a comma-separated list of policy names to use for the request’s RoleArn for all authentication requests for the provider. The specified policy or policies must already exist on the MinIO Server.

To use this OIDC configuration, you must specify the corresponding RoleArn in the STS request body.

Claim Name

Optional

This setting is mutually exclusive with the Role Policy setting.

Specify the name of the JWT Claim MinIO uses to identify the policies to attach to the authenticated user.

The claim can contain one or more comma-separated policy names to attach to the user. The claim must contain at least one policy for the user to have any permissions on the MinIO server.

Defaults to policy.

Claim Prefix

Optional

This setting is deprecated and has been removed as of RELEASE.2024-07-13T01-46-15Z. Use MINIO_IDENTITY_OPENID_CLAIM_NAME instead.

Specify the JWT Claim namespace prefix to apply to the specified claim name.

Display Name

Optional

Specify the user-facing name the MinIO Console displays on the login screen.

Scopes

Optional

Specify a comma-separated list of scopes. Defaults to those scopes advertised in the discovery document.

Redirect URI

Optional

This setting is deprecated and has been removed as of RELEASE.2024-07-13T01-46-15Z. Use MINIO_BROWSER_REDIRECT_URL instead.

Important

This parameter was removed in RELEASE.2023-02-27T18-10-45Z. Use the MINIO_BROWSER_REDIRECT_URL environment variable instead.

The MinIO Console defaults to using the hostname of the node making the authentication request. For MinIO deployments behind a load balancer or reverse proxy, specify this field to ensure the OIDC provider returns the authentication response to the correct MinIO Console URL. Include the Console hostname, port, and /oauth_callback:

http://minio.example.net:consoleport/oauth_callback

Ensure you start the MinIO Server with the --console-address option to set a static Console listen port. The default behavior with that option omitted is to select a random port number at startup.

The specified URI must match one of the approved redirect / callback URIs on the provider. See the OpenID Authentication Request for more information.

Dynamic URI Redirect

Optional

The MinIO Console defaults to using the hostname of the node making the authentication request as part of the redirect URI provided to the OIDC provider. For MinIO deployments behind a load balancer using a round-robin protocol, this may result in the load balancer returning the response to a different MinIO Node than the originating client.

Specify this option as on to direct the MinIO Console to use the Host header of the originating request to construct the redirect URI passed to the OIDC provider. Defaults to off.

User Info

Optional

Allow MinIO to fetch claims from the UserInfo Endpoint for the authenticated user.

Valid values are on or off.

Vendor

Optional

Specify the OIDC Vendor to enable specific supported behaviors for that vendor.

Supports the following value:

  • keycloak

Keycloak Realm

Optional

This setting requires that the OpenID Vendor setting be defined as keycloak.

Specify the Keycloak Realm to use as part of Keycloak Admin API Operations, such as main.

Keycloak Admin URL

Optional

This setting requires that the OpenID Vendor setting be defined as keycloak.

Specify the Keycloak Admin API URL. MinIO can use this URL if configured to periodically validate authenticated Keycloak users as active/existing. For example, https://keycloak-endpoint:port/admin/.

Comment

Optional

Specify a comment to associate with the OIDC compatible provider configuration.

This work is licensed under a Creative Commons Attribution 4.0 International License. 2020-Present, MinIO, Inc. Creative Commons License