
Advanced SSO configuration

Multiple identity providers

To configure multiple identity providers:

  • Configure each provider using the same steps as above, but with the appropriate slot name (for example provider1, provider2)
  • Make sure to set the INFRAHUB_SECURITY_OIDC_PROVIDERS or INFRAHUB_SECURITY_OAUTH2_PROVIDERS variable to include all configured providers
# Configuration for the first provider: the full set of INFRAHUB_OIDC_PROVIDER1_* variables
export INFRAHUB_OIDC_PROVIDER1_*

# Configuration for the second provider: the same variables under the PROVIDER2 prefix
export INFRAHUB_OIDC_PROVIDER2_*

# Then enable the providers; only the slots named in this list are enabled
export INFRAHUB_SECURITY_OIDC_PROVIDERS='["provider1", "provider2"]'
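The failure mode with multiple slots is drift between the enabled list and the variables that are actually set. The check below is an added example, not Infrahub code: it parses the INFRAHUB_SECURITY_OIDC_PROVIDERS list and compares it with the slots that have INFRAHUB_OIDC_<SLOT>_* variables present. Only the two variable-name patterns shown above are taken from this page; the OAUTH2 prefix behind the protocol parameter, the case-insensitive slot comparison, and the per-slot variable names in the constructed sample environment are assumptions by analogy.

```python
"""Consistency check for multi-provider SSO settings.

Added example, not Infrahub code. It relies only on the variable-name
patterns shown on this page (INFRAHUB_SECURITY_OIDC_PROVIDERS and the
INFRAHUB_OIDC_PROVIDER1_* prefix); the OAUTH2 prefix and the per-slot
variable names in the sample environment are assumptions by analogy."""
from __future__ import annotations
import json
import re


def check_provider_slots(env: dict[str, str], protocol: str = "OIDC") -> dict[str, list[str]]:
    """Compare the enabled slot list with the slots that have variables set.

    Returns the slots that are enabled but have no INFRAHUB_<protocol>_<SLOT>_*
    variable (a provider would be offered with no client configuration) and the
    slots that have variables but are not enabled (configuration silently unused).
    """
    providers_var = f"INFRAHUB_SECURITY_{protocol}_PROVIDERS"
    slot_re = re.compile(rf"^INFRAHUB_{protocol}_([A-Za-z0-9]+)_[A-Z0-9_]+$")
    try:
        enabled = json.loads(env.get(providers_var, "[]"))
    except json.JSONDecodeError as exc:
        raise ValueError(f"{providers_var} is not valid JSON: {exc}") from exc
    if not isinstance(enabled, list) or not all(isinstance(s, str) for s in enabled):
        raise ValueError(f"{providers_var} must be a JSON list of slot names")
    # Slot names are compared case-insensitively because the page shows
    # "provider1" in the list but PROVIDER1 in the variable prefix (assumption).
    configured = {m.group(1).lower() for key in env if (m := slot_re.match(key))}
    enabled_lc = [s.lower() for s in enabled]
    return {
        "enabled_but_unconfigured": [s for s in enabled_lc if s not in configured],
        "configured_but_not_enabled": sorted(configured.difference(enabled_lc)),
    }


# Constructed sample environment: provider2 is enabled but has no variables,
# provider3 has variables but is not enabled. Variable names are illustrative.
SAMPLE_ENV = {
    "INFRAHUB_SECURITY_OIDC_PROVIDERS": '["provider1", "provider2"]',
    "INFRAHUB_OIDC_PROVIDER1_CLIENT_ID": "infrahub",
    "INFRAHUB_OIDC_PROVIDER1_CLIENT_SECRET": "redacted",
    "INFRAHUB_OIDC_PROVIDER3_CLIENT_ID": "infrahub",
}

if __name__ == "__main__":
    import os
    # Run against the real environment of the shell that will start Infrahub.
    print(check_provider_slots(dict(os.environ)))
    print(check_provider_slots(SAMPLE_ENV))
```

Run it in the same shell (or container environment) that launches Infrahub, so it sees the exported variables rather than a copy of them.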

Group mapping

Infrahub can automatically assign users to groups based on information from your identity provider.

info

By default, groups must exist in Infrahub before they can be assigned. Infrahub can also auto-create groups from provider claims when auto-creation is enabled (see Auto-create groups from identity provider claims below).

Step 1: Configure group claims in your identity provider

Configure your identity provider application to include group information in the authentication tokens sent to Infrahub.

info

Refer to your provider's documentation for instructions on "group claims" or "configuring OAuth2/OIDC group mappings".

Step 2: Create corresponding groups in Infrahub

Create groups in Infrahub that match the groups sent by your identity provider.

danger

Some providers send group IDs instead of display names. Create groups in Infrahub with the exact same IDs your provider sends, and use the label field to store human-friendly names.

Follow these steps to create groups:

  1. Navigate to Admin > Users and Permissions > Groups
  2. Click + Create Account Group
  3. Enter the exact name of the group as sent by your identity provider
  4. Optionally, add a description and assign permissions
  5. Click Save
  6. Repeat for each group you want to map

info

Every SSO authentication attempt is logged in the Infrahub server logs. These logs contain detailed information about the groups received from your identity provider.

For example:

SSO user authenticated [infrahub] app=infrahub.api body={'user_name': 'Otto the otter', 'groups': ['Admin Otter']}

success

To confirm group mapping is working, log in through SSO and check your user Profile in Infrahub. You should see the groups assigned based on your identity provider's data.

Step 3: Configure default group assignment (optional)

If your identity provider cannot provide group information, configure a default group for SSO users.

warning

You must create this default group in Infrahub before configuring it here.

# Set the default group for SSO users
export INFRAHUB_SECURITY_SSO_USER_DEFAULT_GROUP='default-group'

success

Now that group mapping is configured, manage user permissions in Infrahub by assigning permissions and roles to these groups.
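The server log line quoted in step 2 is the ground truth for what the provider sends, and matching against local groups is by exact name. The script below is an added example, not Infrahub code: it parses such log lines and reports, per login, which received groups match a local group exactly, which differ only in case (and therefore will not be assigned), and which do not exist at all, and it models the step 3 default group as applying only when no groups are received. The sample log lines (the first is the page's own), the local group list, and the GUID-style group ID are constructed for the example.

```python
"""Check the groups an identity provider sends, as recorded in the Infrahub
server log, against the groups that exist in Infrahub.

Added example, not Infrahub code. The log line format is the one quoted on
this page; the sample lines and the local group list are constructed, and
the default-group rule (applied only when no groups are received) is this
example's reading of step 3."""
from __future__ import annotations
import ast
import re
from dataclasses import dataclass, field

LOG_RE = re.compile(r"SSO user authenticated .*?body=(\{.*\})\s*$")


@dataclass
class MappingReport:
    user: str
    matched: list[str] = field(default_factory=list)             # exact match with a local group
    case_mismatch: dict[str, str] = field(default_factory=dict)  # sent name -> local name differing only in case
    missing: list[str] = field(default_factory=list)             # no local group at all: create one with this exact value
    default_applied: str | None = None


def parse_sso_log_line(line: str) -> tuple[str, list[str]]:
    """Return (user_name, groups) from an 'SSO user authenticated' log line.

    The body is a Python dict repr, so ast.literal_eval parses it without
    evaluating code; anything that is not a plain literal raises ValueError."""
    m = LOG_RE.search(line)
    if m is None:
        raise ValueError("not an SSO authentication log line")
    body = ast.literal_eval(m.group(1))
    return str(body.get("user_name", "")), [str(g) for g in body.get("groups", [])]


def check_group_mapping(line: str, local_groups: set[str], default_group: str | None = None) -> MappingReport:
    """Classify each group the provider sent against the local group names."""
    user, sent = parse_sso_log_line(line)
    report = MappingReport(user=user)
    by_lower = {g.lower(): g for g in local_groups}
    for g in sent:
        if g in local_groups:
            report.matched.append(g)
        elif g.lower() in by_lower:
            report.case_mismatch[g] = by_lower[g.lower()]  # matching is exact: this group will not be assigned
        else:
            report.missing.append(g)
    if not sent and default_group is not None:
        # The page's warning: the default group must already exist in Infrahub.
        if default_group not in local_groups:
            raise ValueError(f"default group {default_group!r} does not exist in Infrahub yet")
        report.default_applied = default_group
    return report


# Constructed sample log lines (the first is the page's own example); the
# GUID-style value stands for a provider that sends group IDs, not display names.
SAMPLE_LINES = [
    "SSO user authenticated [infrahub] app=infrahub.api body={'user_name': 'Otto the otter', 'groups': ['Admin Otter']}",
    "SSO user authenticated [infrahub] app=infrahub.api body={'user_name': 'Ada', 'groups': ['admin otter', 'a1b2c3d4-0000-4000-8000-000000000001']}",
    "SSO user authenticated [infrahub] app=infrahub.api body={'user_name': 'Nobody', 'groups': []}",
]
LOCAL_GROUPS = {"Admin Otter", "default-group"}  # constructed: what exists under Admin > Groups

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(check_group_mapping(line, LOCAL_GROUPS, default_group="default-group"))
```

Feed it real lines with something like `grep "SSO user authenticated" infrahub.log` and the group names from Admin > Users and Permissions > Groups; every entry under missing is a group to create with exactly that value as its name (with a readable label if it is an ID), and every entry under case_mismatch is a group that looks mapped but is not.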

Auto-create groups from identity provider claims

Infrahub can create local groups on demand from the claims your identity provider sends, so administrators do not have to mirror every provider group by hand. The feature is opt-in: it activates only when a regular-expression filter is configured.

How it works

On every SSO login, each provider-supplied claim is matched against the configured filter. A claim that matches yields an effective name: the value of the (?P<name>...) named capture group if the pattern defines one, otherwise the full matched claim. Infrahub then finds or creates a CoreAccountGroup with that name and adds the logging-in account as a member.

Auto-creation runs before the default-group fallback (step 3). If the filter matches at least one claim, the default group is not applied.

Configure the filter

# Capture everything after `LDAP/group/` as the local group name
export INFRAHUB_SECURITY_AUTO_CREATE_GROUPS_FILTER='^LDAP/group/(?P<name>.+)$'

# Cap how many new groups one login may create (existing-group reuse is uncapped)
export INFRAHUB_SECURITY_AUTO_CREATE_GROUPS_MAX_PER_LOGIN=50

With the example above, a claim LDAP/group/network-engineering produces a local group named network-engineering. A claim that does not match the filter is ignored.

warning

Anchor your regex (^...$) and scope it tightly. A permissive pattern matches claims you did not intend, and each of them becomes a local group the first time a user carrying that claim logs in.

Per-login cap

auto_create_groups_max_per_login (INFRAHUB_SECURITY_AUTO_CREATE_GROUPS_MAX_PER_LOGIN) bounds how many new groups a single login can create. Reuse of already-existing groups is uncapped. When the cap is hit, surplus claims that would have required a fresh creation are dropped; the login still completes. Each cap breach emits a GroupAutoCreateCappedEvent carrying the cap value and the verbatim dropped claims.

Provenance: the origin attribute

Every auto-created CoreAccountGroup row stores the configured provider name (e.g., "AzureAD-corp") on its origin attribute. The value is written verbatim at creation time and is never overwritten on subsequent logins, so the audit trail of which IdP first provisioned a group is preserved.

origin is read-only and hidden from the default UI; toggle the Show extra attributes view to inspect it, or query it via the GraphQL API.

Audit events

Three event types are emitted on the standard event bus — useful for compliance pipelines and operational dashboards:

  • GroupAutoCreatedEvent — a new group was created from a claim
  • GroupAutoCreateRejectedEvent — a claim matched but produced an invalid effective name (empty, whitespace-only)
  • GroupAutoCreateCappedEvent — the per-login cap was reached and surplus claims were dropped

See the group events reference for full payload shapes.
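To make the rules in How it works, Configure the filter, Per-login cap, Provenance and Audit events concrete, here is a runnable model of the decision path, added as an example; it is not Infrahub's implementation. The event names, the origin attribute, the filter and cap settings and the default-group ordering are taken from this page; the in-memory group store, the dict-shaped events, search-style regex matching (the reason the warning above tells you to anchor), treating a rejected claim as still "matched" for the purpose of skipping the default group, and emitting one capped event per login that lists every dropped claim are this example's assumptions. The claims are constructed.

```python
"""Model of the auto-create decision path: regex filter with an optional
(?P<name>...) capture, per-login creation cap, rejection of empty names,
origin provenance, default-group fallback, and the three audit events.

Added example, not Infrahub code. Group storage and the event bus are
in-memory stand-ins; the event names, attribute names and settings come
from this page, the rest (search-style matching, one capped event per
login carrying every dropped claim) is this example's reading of it."""
from __future__ import annotations
import re
from dataclasses import dataclass, field


@dataclass
class AccountGroup:
    """Stand-in for CoreAccountGroup: origin is written once, never updated."""
    name: str
    origin: str | None = None
    members: set[str] = field(default_factory=set)


@dataclass
class LoginOutcome:
    assigned: list[str] = field(default_factory=list)  # groups the account ended up in
    events: list[dict] = field(default_factory=list)   # audit events, in emission order
    default_applied: str | None = None


def effective_name(pattern: re.Pattern[str], claim: str) -> str | None:
    """None if the claim does not match; else the named capture or the whole claim."""
    m = pattern.search(claim)  # search, not fullmatch: an unanchored filter over-matches (assumption)
    if m is None:
        return None
    if "name" in m.groupdict():
        return m.group("name") or ""
    return claim


def apply_auto_create(claims, filter_regex, provider, account, groups, max_per_login, default_group=None):
    """Assign `account` to groups derived from `claims`, creating at most max_per_login new ones."""
    pattern = re.compile(filter_regex)
    out = LoginOutcome()
    created = 0
    matched_any = False
    dropped: list[str] = []
    for claim in claims:
        name = effective_name(pattern, claim)
        if name is None:
            continue  # non-matching claims are ignored
        matched_any = True
        if not name.strip():  # empty or whitespace-only effective name
            out.events.append({"event": "GroupAutoCreateRejectedEvent", "claim": claim})
            continue
        group = groups.get(name)
        if group is None:
            if created >= max_per_login:  # the cap counts new groups only
                dropped.append(claim)
                continue
            group = AccountGroup(name=name, origin=provider)  # provenance set exactly once
            groups[name] = group
            created += 1
            out.events.append({"event": "GroupAutoCreatedEvent", "group": name, "origin": provider})
        group.members.add(account)  # reuse is uncapped and leaves origin untouched
        out.assigned.append(name)
    if dropped:
        out.events.append({"event": "GroupAutoCreateCappedEvent", "cap": max_per_login, "dropped_claims": dropped})
    # Default-group fallback runs only when nothing matched the filter (auto-creation runs first).
    if not matched_any and default_group is not None:
        if default_group not in groups:
            raise ValueError(f"default group {default_group!r} must exist before it is configured")
        groups[default_group].members.add(account)
        out.assigned.append(default_group)
        out.default_applied = default_group
    return out


FILTER = r"^LDAP/group/(?P<name>.+)$"
# Constructed claims: two good ones, one yielding a blank name, one unrelated, one over a cap of 2.
SAMPLE_CLAIMS = [
    "LDAP/group/network-engineering",
    "LDAP/group/security",
    "LDAP/group/ ",
    "cn=unrelated,dc=example",
    "LDAP/group/platform",
]

if __name__ == "__main__":
    store: dict[str, AccountGroup] = {}
    outcome = apply_auto_create(SAMPLE_CLAIMS, FILTER, "AzureAD-corp", "otto", store, max_per_login=2)
    for event in outcome.events:
        print(event)
```

Running it with the sample claims creates network-engineering and security, rejects the blank name, ignores the unrelated claim, and drops LDAP/group/platform under the cap; a second login through a different provider that reuses security adds the member without changing origin or emitting an event.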