Configure single sign-on (SSO) authentication
COMMERCIAL FEATURE: Access authentication providers for single sign-on (SSO) in the packaged Sensu Go distribution. For more information, read Get started with commercial features.
Sensu requires username and password authentication to access the web UI, API, and sensuctl command line tool.
In addition to the built-in basic authentication, Sensu offers commercial support for using Lightweight Directory Access Protocol (LDAP), Active Directory (AD), or OpenID Connect 1.0 protocol (OIDC) for single sign-on (SSO) authentication.
This guide describes general information for configuring an authentication provider for SSO. Read the LDAP, AD, or OIDC reference documentation for provider-specific examples and specifications.
Configure authentication providers
To configure an external authentication provider for SSO, first write an authentication provider configuration definition. Follow the examples and specifications for your provider:
- Lightweight Directory Access Protocol (LDAP), including standards-compliant tools like OpenLDAP (configuration examples and specification)
- Microsoft Active Directory (AD), including Azure AD (configuration examples and specification)
- OpenID Connect 1.0 protocol (OIDC), including tools like Okta and PingFederate (configuration examples and specification)
Save your configuration definition to a file, such as authconfig.yaml or authconfig.json.
After you have a saved configuration definition, you can apply the configuration with sensuctl. Log in to sensuctl as the default admin user and use sensuctl to apply your authentication provider configuration to Sensu, using the command that matches your file's format:
sensuctl create --file authconfig.yaml
sensuctl create --file authconfig.json
Use sensuctl to verify that your provider configuration was applied successfully:
sensuctl auth list
The response will list your authentication provider types and names:
Type Name
────── ──────────
ldap openldap
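The apply-and-verify steps above can be scripted so that a deployment fails loudly when the provider does not appear in the list. This is an added example, not code from the Sensu documentation: the function names provider_listed and apply_and_verify are hypothetical, and the parser assumes the tabular `sensuctl auth list` output shown above.

```shell
#!/bin/sh
# Added example (not from the Sensu docs): apply an authentication provider
# definition, then confirm that `sensuctl auth list` reports it.
# Function names are hypothetical.

# provider_listed TYPE NAME
# Reads tabular `sensuctl auth list` output on stdin. Succeeds only when a
# row matches both the provider type and the provider name exactly, so a
# partial name such as "open" does not pass for "openldap".
provider_listed() {
    awk -v t="$1" -v n="$2" '
        $1 == t && $2 == n { found = 1 }
        END { exit found ? 0 : 1 }
    '
}

# apply_and_verify FILE TYPE NAME
# Returns 0 when the provider is listed after the apply, 1 when the apply
# or the verification fails, 2 when the definition file cannot be read.
apply_and_verify() {
    cfg=$1
    ptype=$2
    pname=$3

    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }

    sensuctl create --file "$cfg" || return 1

    # If `sensuctl auth list` itself fails, its output is empty and the
    # check below fails as well.
    if sensuctl auth list | provider_listed "$ptype" "$pname"; then
        echo "provider $ptype/$pname is active"
    else
        echo "provider $ptype/$pname missing from 'sensuctl auth list'" >&2
        return 1
    fi
}

# Example call, using the file and provider names from this guide:
#   apply_and_verify authconfig.yaml ldap openldap
```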
Manage authentication providers
View and delete authentication providers with enterprise/authentication/v2 API endpoints or these sensuctl commands.
To view active authentication providers:
sensuctl auth list
To view configuration details for an authentication provider named openldap:
sensuctl auth info openldap
To delete an authentication provider named openldap:
sensuctl auth delete openldap