Varnish Controller

Identity Provider

OpenID Connect

For Identity Provider login the Varnish Controller supports the OpenID Connect protocol. When setting up an identity provider, the URL of its OpenID Connect discovery manifest must be provided. The Varnish Controller validates the specified manifest to ensure that it can be read and that the configuration it describes is supported by the Varnish Controller. The Varnish Controller team recommends using Keycloak, since Keycloak is tested with every version of the Varnish Controller. No such guarantee is given for other identity providers that support the OpenID Connect protocol.
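The kind of manifest validation described above, as an added example that is not the Varnish Controller's own validation code: it applies the rules of OpenID Connect Discovery 1.0 (required metadata, https-only issuer and endpoints, issuer matching the URL the manifest was fetched from, RS256 offered) to a constructed Keycloak-style manifest. The hostnames and realm name are invented, and the check for the authorization code flow is an assumption about which flow the relying party uses.

```python
"""Checks on an OpenID Connect discovery manifest before it is trusted.
Added example, not the Varnish Controller's own validation code: the rules
are those of OpenID Connect Discovery 1.0, applied to a constructed
Keycloak-style manifest with invented URLs."""
import json
from urllib.parse import urlparse

# Metadata every OpenID Provider must publish (Discovery 1.0, section 3).
REQUIRED_FIELDS = (
    "issuer",
    "authorization_endpoint",
    "token_endpoint",
    "jwks_uri",
    "response_types_supported",
    "subject_types_supported",
    "id_token_signing_alg_values_supported",
)


def validate_discovery(manifest_url: str, body: str) -> list:
    """Return the problems found; an empty list means the manifest is usable."""
    try:
        doc = json.loads(body)
    except ValueError as exc:
        return [f"manifest is not valid JSON: {exc}"]
    if not isinstance(doc, dict):
        return ["manifest is not a JSON object"]

    problems = [f"missing required field {f}" for f in REQUIRED_FIELDS if f not in doc]
    if problems:
        return problems

    # The issuer is an https URL without query or fragment, and the manifest
    # must have been fetched from <issuer>/.well-known/openid-configuration;
    # otherwise the document may describe a different provider than the one
    # the operator configured.
    issuer = doc["issuer"]
    parsed = urlparse(issuer)
    if parsed.scheme != "https" or parsed.query or parsed.fragment:
        problems.append(f"issuer is not a clean https URL: {issuer}")
    if manifest_url != issuer.rstrip("/") + "/.well-known/openid-configuration":
        problems.append(f"manifest URL {manifest_url} does not match issuer {issuer}")

    # Every endpoint the relying party will talk to must be https as well.
    for endpoint in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if urlparse(doc[endpoint]).scheme != "https":
            problems.append(f"{endpoint} is not https: {doc[endpoint]}")

    # The authorization code flow is assumed here; RS256 must be offered by
    # every provider according to the Discovery specification.
    if "code" not in doc["response_types_supported"]:
        problems.append("provider does not support response_type=code")
    if "RS256" not in doc["id_token_signing_alg_values_supported"]:
        problems.append("provider does not offer RS256 ID-token signatures")
    return problems


# Constructed manifests for illustration (invented example.com hostnames).
MANIFEST_URL = "https://sso.example.com/realms/varnish/.well-known/openid-configuration"
GOOD_MANIFEST = json.dumps({
    "issuer": "https://sso.example.com/realms/varnish",
    "authorization_endpoint": "https://sso.example.com/realms/varnish/protocol/openid-connect/auth",
    "token_endpoint": "https://sso.example.com/realms/varnish/protocol/openid-connect/token",
    "jwks_uri": "https://sso.example.com/realms/varnish/protocol/openid-connect/certs",
    "response_types_supported": ["code", "id_token", "token id_token"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256", "ES256"],
})
# Wrong issuer for the URL, a plaintext token endpoint, no code flow, no RS256.
BAD_MANIFEST = json.dumps({
    "issuer": "https://sso.example.com/realms/other",
    "authorization_endpoint": "https://sso.example.com/realms/other/protocol/openid-connect/auth",
    "token_endpoint": "http://sso.example.com/realms/other/protocol/openid-connect/token",
    "jwks_uri": "https://sso.example.com/realms/other/protocol/openid-connect/certs",
    "response_types_supported": ["token"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["HS256"],
})

if __name__ == "__main__":
    print("good manifest problems:", validate_discovery(MANIFEST_URL, GOOD_MANIFEST))
    for problem in validate_discovery(MANIFEST_URL, BAD_MANIFEST):
        print("bad manifest:", problem)
```

The issuer comparison is the check that matters most for security: a manifest that parses cleanly but names a different issuer than the URL it was fetched from would make the relying party accept ID tokens from a provider the operator never configured.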

Via Keycloak, which is open-source software, it is possible to use GitHub, Google, Facebook, LDAP, AD, etc.; Keycloak then acts as a proxy for these third-party authentication services. Identity providers are set up per organization and cannot be set up globally.

When users log in to the Varnish Controller through an IDP for the first time, they have no permissions. The organization admin or system administrator has to assign permissions to each new IDP user manually, because OpenID Connect has no support for managing permissions.

When logging in via an IDP there is one unique account per organization, even if the same IDP configuration is used for more than one organization. In that case the system administrator sees two accounts in the Varnish Controller, while the user still logs in with the same credentials for both organizations. This matters because when the IDP configuration is deleted from an organization, all IDP users of that organization are removed as well. This ensures that their active sessions are deleted and the IDP users are forcibly logged out. Non-IDP users of the organization are not affected and stay logged in.

The Varnish Controller receives no notification from the IDP when a session is revoked there, so sessions revoked in the IDP have to be removed manually in the Varnish Controller. In the other direction, when a session is revoked in the Varnish Controller or a user logs out, the Varnish Controller sends a back-channel logout request to the IDP so that the corresponding IDP session is closed as well.

Access Tokens

When a user logs in via an IDP for an organization, the access and refresh tokens issued by the IDP are handled by the Varnish Controller, which hands out its own access and refresh tokens, generated and signed by the Varnish Controller, to the client. Access and refresh token handling is therefore the same whether the user logs in via an IDP or via basic auth to the Varnish Controller.
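An added example, not the Varnish Controller's code, of the two points above: the one-account-per-organization identity derived from an IDP login, and a service minting and verifying its own signed access and refresh tokens so that the IDP's tokens never reach the client and every later request is checked the same way regardless of login method. The issuer name, token lifetimes, claim layout and the hand-rolled HS256 JWT are assumptions for illustration; a production service would use a vetted JWT library and asymmetric keys.

```python
"""Controller-side token issuance after an IDP login.  Added example, not
the Varnish Controller's code: a service takes an identity verified through
the IDP, derives a per-organization account from it, and hands the client
tokens that it signs itself.  Names, lifetimes and the HS256 JWT format are
assumptions for illustration."""
import base64
import hashlib
import hmac
import json
import secrets
import time

CONTROLLER_ISSUER = "varnish-controller"   # assumed value of the local "iss" claim
ACCESS_TTL = 15 * 60                       # assumed lifetimes, in seconds
REFRESH_TTL = 8 * 3600


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Compact HS256 JWT: base64url(header).base64url(payload).base64url(sig)."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"


def verify_jwt(token: str, key: bytes, expected_typ: str, now: int) -> dict:
    """Accept only tokens this service signed: check alg, signature, issuer,
    token type and expiry, and raise ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_unb64(header_b64))
    if header.get("alg") != "HS256":            # no "none", no algorithm confusion
        raise ValueError(f"unsupported alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(payload_b64))
    if claims.get("iss") != CONTROLLER_ISSUER:
        raise ValueError("token was not issued by this service")
    if claims.get("typ") != expected_typ:
        raise ValueError(f"expected a {expected_typ} token")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("token expired")
    return claims


def account_id(org: str, idp_issuer: str, subject: str) -> str:
    """One account per (organization, IDP, subject): the same person logging in
    to two organizations through the same IDP gets two distinct accounts."""
    return f"{org}:{idp_issuer}:{subject}"


def _mint(account: str, org: str, key: bytes, now: int) -> dict:
    base = {"iss": CONTROLLER_ISSUER, "sub": account, "org": org, "iat": now}
    return {
        "access_token": sign_jwt({**base, "typ": "access", "exp": now + ACCESS_TTL}, key),
        "refresh_token": sign_jwt({**base, "typ": "refresh", "exp": now + REFRESH_TTL,
                                   "jti": secrets.token_hex(8)}, key),
    }


def issue_tokens(org: str, idp_claims: dict, key: bytes, now: int) -> dict:
    """Called once the ID token from the IDP has been verified; only its 'iss'
    and 'sub' claims are used, and the IDP's own tokens never reach the client."""
    return _mint(account_id(org, idp_claims["iss"], idp_claims["sub"]), org, key, now)


def refresh_tokens(refresh_token: str, key: bytes, now: int) -> dict:
    """A refresh token is accepted only here, never in place of an access token."""
    claims = verify_jwt(refresh_token, key, "refresh", now)
    return _mint(claims["sub"], claims["org"], key, now)


def is_valid(token: str, key: bytes, expected_typ: str, now: int) -> bool:
    try:
        verify_jwt(token, key, expected_typ, now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    now = int(time.time())
    # Constructed claims as they might come from a Keycloak ID token (invented issuer).
    idp = {"iss": "https://sso.example.com/realms/varnish", "sub": "alice"}
    acme = issue_tokens("acme", idp, key, now)
    globex = issue_tokens("globex", idp, key, now)
    print(verify_jwt(acme["access_token"], key, "access", now)["sub"])
    print(verify_jwt(globex["access_token"], key, "access", now)["sub"])
    # A token signed by the IDP is not accepted here, whatever its claims say.
    foreign = sign_jwt({**idp, "typ": "access", "exp": now + 600}, b"idp-key")
    print(is_valid(foreign, key, "access", now))
```

Because the verifier only trusts the service's own signing key and issuer, a token the IDP signed is rejected outright, and a refresh token cannot be replayed as an access token since the type claim is checked alongside the signature.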

Identity Provider Installation

See Identity Provider Installation for installation and configuration with Keycloak.