Varnish Controller

Identity Provider

OpenID Connect

For Identity Provider login the Varnish Controller has support for the OpenID Connect protocol. When setting up the identity provider the OpenID Connect discovery manifest url needs to be provided. The Varnish Controller validates the specified manifest to ensure it can be read and the configuration is supported in the Varnish Controller. The Varnish Controller team recommends to use Keycloak as Keycloak gets tested with every version of the Varnish Controller. There is no guarantee for other identity providers that also supports the OpenID Connect protocol.

Via Keycloak, which is a open source software, it is possible to use Github, Google, Facebook, LDAP, AD, etc. Hence, Keycloak will act as a proxy for different third-party authentication services. This is setup per organization and cannot be setup globally.

When users login for the first time into the Varnish Controller through an IDP they won’t have any permissions. The organization admin or system administrator has to manually assign permissions to each new IDP user because OpenID Connect has no support for managing permissions.

When logging in with IDP there will be one unique account per organization, even if the same IDP configuration is used for a different organization. In that case the system administrator will see 2 accounts in the Varnish Controller, but the user still logs in with the same credentials for both organizations. This is important as when the IDP configuration is deleted from an organization, all IDP users for that organization will be removed as well. This ensures that active sessions will be deleted and IDP users will be forcefully logged out. Non-IDP users of the organization are not affected and will stay logged in.

OpenID Connect does not have a notification endpoint for when sessions are revoked in the IDP. Therefore the sessions in the Varnish Controller will have to be manually removed. When revoking sessions or users are logging out the sessions in the IDP will be revoked, the Varnish Controller will send a back-channel logout request to the IDP to ensure sessions are closed.

Access Tokens

When login is done via IDP for an organization the given access and refresh tokens are taken care of by Varnish Controller and new tokens are handed out from Varnish Controller that is generated and signed by Varnish Controller. The access and refresh token handling is therefore the same if the user logs in via IDP or basic auth to Varnish Controller.

Identity Provider Installation

See Identity Provider Installation for installation and configuration with Keycloak.