Authentication

Instabase supports a variety of user authentication methods including basic authentication, SAML-based single sign-on, and LDAP-based single sign-on. API authentication methods include AD FS integration and OAuth2.

Table of Contents

Basic authentication

Instabase natively supports basic user authentication. Basic authentication is defined as registering and logging in with a username or email address and password.

When using basic authentication in your deployment, you can optionally enforce multi-factor authentication (MFA), using either SMS messages (texts) or an authenticator app as the secondary authentication method.

Info

For SMS-based MFA, authentication codes are sent by SMS message using Twilio. Some countries restrict receiving SMS messages from Twilio. For authenticator app-based MFA, users must download and utilize an authenticator app such as Authy, Duo Mobile, Okta Verify, Google Authenticator, or Microsoft Authenticator.

For details on adding and managing users, see the user management documentation. For details on configuring MFA, see the site settings documentation.

SAML authentication

Instabase supports security assertion markup language (SAML)-based authentication to manage access to your Instabase deployment. Using SAML-based single sign-on (SSO) lets you leverage your existing SSO identity provider (IdP) to automatically create new user accounts on the Instabase platform upon initial login. You can also optionally map existing groups configured in your IdP to groups in your Instabase deployment.

Instabase uses service provider (SP)-initiated SSO authentication and supports IdPs that use SAML 2.0.

You can configure SAML authentication during installation or after installation. You can update your SAML connection at any time.

IdP configuration requirements

The SSO integration flow begins with registering Instabase as a service provider in your IdP. The app registration must include specific information and attributes (also called claims), outlined below. In addition, to complete your SAML configuration you must provide the IdP metadata XML, either as a file or as a link to where the XML is hosted.

Note

The term app registration is used here to refer to registering Instabase as a service provider in your IdP. The same concept can have a different name in your IdP, such as a relying party trust (AD FS), an application (Auth0), an enterprise application (Microsoft Entra ID), an app integration (Okta), or an SP connection (PingFederate).

App registration requirements

This table outlines suggested or required values to use when defining your app registration in your IdP. For reference, this table also provides the name of the corresponding field in select IdPs. The accuracy of the Corresponding IdP field column is not guaranteed, as Instabase doesn’t closely monitor changes to external product UIs.

Field	Description	Value	Corresponding IdP field
SP entity ID	A unique identifier, also called the entity ID.	The suggested value is your Instabase deployment URL. For example `https://dev.instabase.com`. Note If using Auth0 as your IdP, the SP entity ID value in Instabase corresponds to the `audience` attribute in the SAML assertion. By default the `audience` value is the same as the Auth0 `issuer`. You must edit the `audience` value to match your Instabase deployment URL (or whatever value you’re using as the SP entity ID). See the Auth0 customize SAML assertions documentation for additional information.	The SP entity ID value is set in the following IdP fields: - AD FS: Relying Party Trust Identifier - Auth0: The `audience` attribute within the SAML assertion - Entra ID: Identifier (Entity ID) - Okta: Audience URI (SP Entity ID)/Audience Restriction - PingFederate: Partner’s Entity ID (Connection ID)
SP name	A label associated with the service provider, also called the entity label.	The suggested value is `InstabaseSP`, though any alphanumeric value is supported.	The SP name is set in the following IdP fields: - AD FS: Display name - Auth0: Name (Application name) - Entra ID: Application name - Okta: Application label - PingFederate: Connection name
Assertion consumer service (ACS) URL	The URL where the IdP redirects after the user successfully authenticates.	The required value is https://{Your Instabase deployment URL}/account/sso/saml2. For example, `https://dev.instabase.com/account/sso/saml2`.	The ACS URL value is set in the following IdP fields: - AD FS: Relying Party SAML 2.0 SSO service URL - Auth0: Application Callback URL - Entra ID: Reply URL (Assertion Consumer Service URL) - Okta: Single Sign On URL - PingFederate: Assertion Consumer Service URL

Attribute requirements

Your app registration must include the following attributes (also called claims), with the attribute’s name exactly matching the name written in the table below. For example, the attribute email cannot be substituted with a similar attribute, such as emailAddress.

You can also optionally use a groups attribute to map external groups in your IdP to Instabase groups. This mapping lets you leverage externally defined groups managed by the external IdP to manage account creation and group membership in Instabase. Upon user login, the user’s groups are sent as part of the redirect request back to Instabase, and the Instabase groups are synced accordingly. See the external group mappings documentation for additional information.

Note

When configuring claims in Entra ID, do not define a Namespace value for the claim.

Attribute name	Description	Sample valid values	Notes
email	(Required) A unique email address that maps to the user’s corporate email address. Note The `email` and `uid` combination must be unique among all users.	jane.doe@corporation.com, john_doe@corporation.ca	If a user’s email address changes, their Instabase account from the previous account must be manually migrated to the new address.
uid	(Required) A unique user ID (UID) that maps to the user’s corporate username. The `uid` value becomes the user’s Instabase username. Note The `email` and `uid` combination must be unique among all users.	jane.doe, john_doe	UIDs are case-sensitive and can only include alphanumeric values, periods, hyphens, and underscores. @ and # symbols are not supported.
groups	(Optional) A group ID defined in the IdP.	The group ID as defined in the IdP.	Each Instabase group can map to, at most, one IdP-defined group. However, the inverse is not true: the same IdP-defined group can be mapped to multiple Instabase groups. If a user is removed from a given group on the IdP end, upon next Instabase login that change of status is synced and the user is removed from the corresponding Instabase group.

IdP metadata XML requirements

Instabase supports two methods of referencing the IdP metadata XML:

Local: Referencing a static metadata.xml file that is stored as a Kubernetes secret in the deployment.
Remote: Referencing a metadata-server endpoint where the XML file is hosted on the SAML provider metadata server.

This table outlines where you can find the local or remote access value in select IdPs. The accuracy of this table is not guaranteed as Instabase doesn’t closely monitor changes to external products’ UI.

Identity provider	Local access value	Remote access value
AD FS	Download the federation metadata as an XML file from the federation metadata URL. This is typically found at AD FS > Service > Endpoints > Metadata URL path. For example: {Your host name}/FederationMetadata/2007-06/FederationMetadata.xml.
Auth0	Download the Identity Provider metadata file. (Available on the application details page under Addons > SAML 2 Web App > Usage.)	Share the SAML metadata URL link. (Available on the application details page under Advanced Settings > Endpoints.)
Entra ID	Download the Federation metadata XML file. (Available on the application’s Single sign-on page.)	Share the App Federation Metadata Url link. (Available on the application’s Single sign-on page.)
Okta	Download the Identity Provider metadata file. (Available on the application details page under Sign on > Settings.)	Share the Identity Provider metadata link. (Available on the application details page under Sign on > Settings.)
PingFederate	Download the metadata as an Identity Provider from the Metadata Export tab.

See a metadata.xml file example

The following is a sample metadata.xml file from Okta, edited for brevity and provided for reference.

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://www.okta.com/abc123ABC123">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIID... ...D4a8wA==</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://instabase.oktapreview.com/app/instabasedev123456_pysaml2example_1/abc123ABC123/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://instabase.oktapreview.com/app/instabasedev123456_pysaml2example_1/abc123ABC123/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>

Configure a SAML connection during installation

To configure a SAML connection during installation, you can either use the SAML configuration UI in the Instabase Installer or use the Installer SAML APIs.

For UI-based configuration, follow the instructions in the Instabase Installer guide.

For API-based configuration, follow the instructions in the Installer API documentation. Specifically, call the following APIs:

Create SAML configuration: Creates the SAML configuration.
(Optional) Upload IdP metadata XML: Uploads the IdP metadata XML file, if using local metadata access.
Complete SAML configuration: Completes the SAML configuration connection.

Note

Only call the complete SAML configuration API after installation is complete.

Info

To clear a configuration that has been posted but not completed, you can call the clear SAML configuration API. This API clears your most recently posted, but not completed, SAML configuration. It doesn’t delete any existing, completed connections.

Configure a SAML connection after installation

To configure a SAML connection after installation, use the Installer SAML APIs, following the instructions in the Installer API documentation. Specifically, call the following APIs:

Create SAML configuration: Creates the SAML configuration.
(Optional) Upload IdP metadata XML: Uploads the IdP metadata XML file, if using local metadata access.
Complete SAML configuration: Completes the SAML configuration connection.

Info

Update a SAML connection configuration

To update an existing SAML connection configuration, use the Installer SAML APIs, following the instructions in the Installer API documentation. Specifically, call the following APIs:

Create SAML configuration: Creates the SAML configuration.
(Optional) Upload IdP metadata XML: Uploads the IdP metadata XML file, if using local metadata access.
Complete SAML configuration: Completes the SAML configuration connection.

Info

Legacy SAML connection configuration

The preferred way to configure a SAML connection is to use the Installer SAML APIs or the Instabase Installer SAML configuration UI. The legacy method of applying Deployment Manager patches yourself is, however, still supported.

Click to expand the legacy SAML connection configuration documentation.

Configure Instabase for SAML user creation

After the prerequisites are set up, specify the parameters in Deployment Manager patches during installation.

The following configuration parameters are required:

AUTH_TYPE: Set the authentication type as saml.
SAML_SP_ENTITY_ID: The entity ID configured in your app registration, such as <your Instabase URL>.
SAML_SP_NAME: The label associated with the Instabase entity in your app registration, such as InstabaseSP.
SAML_REQUIRED_ATTRIBUTES: The required email, uid attributes provided to Instabase.
SAML_HTTP_ACS_URL: The URL where the SAML provider redirects after the user successfully authenticates. For example https://<your Instabase URL>/account/sso/saml2.
SAML_HTTPS_ACS_URL: The URL where SAML provider redirects after the user successfully authenticates. For example, http://<your Instabase URL>/account/sso/saml2.
AUTH_PROVIDER: How SAML metadata is provided.
- local - provide a local file path to the metadata.xml file mounted to webapp in the Instabase deployment
- remote - provide a URL to the metadata.xml file hosted by the SAML provider metadata server

The following environment variables are optional and rarely need to be changed from their default settings. For reference and possible troubleshooting, the default values are noted.

SAML_ALLOW_UNSOLICITED: For SP instances, if set to true, the SP will consume unsolicited SAML responses for which it has not sent a respective SAML authentication request. Default value is True.
SAML_AUTHN_REQUESTS_SIGNED: For SP instances, this is a boolean flag to indicate if the authentication requests sent by this SP should be signed by default. Default value is False.
SAML_LOGOUT_REQUESTS_SIGNED: Indicates if this entity will sign the logout requests originated from it. Default value is True.
SAML_WANT_ASSERTIONS_SIGNED: Boolean flag that indicates that the assertions contained within the response that is sent to this SP must be signed. Default value is True.
SAML_WANT_RESPONSE_SIGNED: Boolean flag that indicates that the authentication response to this SP must be signed. Default value is False.

For example, the following two patches, when applied in Deployment Manager, enable SAML:

In webapp:

apiVersion: apps/v1
kind: Deployment
spec:
 template:
   spec:
     containers:
       - name: webapp
         env:
           - name: AUTH_PROVIDER
             value: "remote"
           - name: AUTH_PROVIDER_URI
             value: "https://saml.ib.com/app/sso/saml/metadata"
           - name: AUTH_TYPE
             value: "saml"
           - name: SAML_REQUIRED_ATTRIBUTES
             value: "email"
           - name: SAML_OPTIONAL_ATTRIBUTES
             value: "groups,uid"
           - name: SAML_GROUPS_DELIMITER
             value: ""
           - name: SAML_SP_ENTITY_ID
             value: "http://instabase-dev.ib.com/account/sso/saml2"
           - name: SAML_SP_NAME
             value: "Instabase SP"
           - name: SAML_HTTP_ACS_URL
             value: "https://instabase-dev.ib.com/account/sso/saml2"
           - name: SAML_HTTPS_ACS_URL
             value: "http://instabase-dev.ib.com/account/sso/saml2"
           - name: SAML_ALLOW_UNSOLICITED
             value: "True"
           - name: SAML_AUTHN_REQUESTS_SIGNED
             value: "False"
           - name: SAML_LOGOUT_REQUESTS_SIGNED
             value: "True"
           - name: SAML_WANT_ASSERTIONS_SIGNED
             value: "True"
           - name: SAML_WANT_RESPONSE_SIGNED
             value: "False"

And in api-server:

apiVersion: apps/v1
kind: Deployment
spec:
 template:
   spec:
     containers:
       - name: api-server
         env:
           - name: AUTH_TYPE
             value: "saml"

Remote provider authentication

If AUTH_PROVIDER is remote, configure the Instabase servers to read the data from the provided URI.

Set the following environment variables in the patch:

         - name: AUTH_PROVIDER
           value: "remote"
         - name: AUTH_PROVIDER_URI
           value: "<the metadata-server URI>"

Local provider authentication

If AUTH_PROVIDER is local, configure Instabase to read the data from a metadata.xml file. The metadata.xml file is stored as a Kubernetes secret.

To configure the Instabase installation to read the data from the secret:

Create the secret with the following parameters:
- name: saml-metadata
- namespace: The namespace where Instabase is running
- file: metadata.xml
The command to create the secret for Kubernetes is:
```
kubectl create secret generic saml-metadata --from-file=./metadata.xml --namespace namespace
```

After the secrets are set up, set the values of the following environment variables in the patch to pick up the secrets file:

         - name: AUTH_PROVIDER
           value: "local"
         - name: AUTH_PROVIDER_URI
           value: "/etc/secrets/saml/metadata.xml"

LDAP authentication

Instabase supports Lightweight Directory Access Protocol (LDAP) as an authentication backend to manage access to Instabase. Use LDAP for single sign-on (SSO) to automatically allow new users to create accounts on the Instabase platform on initial login. Instabase does not support mapping of external LDAP groups into Instabase groups.

Configure environment variables

LDAP is configured on Instabase using environment variables on the webapp deployment.

Set the environment variables in the webapp.yml file in your deployment.
Restart the account-tservice service. The webapp service automatically restarts.
To acknowledge the change, log out and log back in to Instabase using your LDAP email and password.

LDAP environment variables

AUTH_TYPE

Set to LDAP.
```
- name: AUTH_TYPE
  value: "ldap"
```
LDAP_SERVER

Default: 127.0.0.1. The URL or the IP address of the LDAP server.
```
- name: LDAP_SERVER
  value: "<ldap_server_ip>"
```
LDAP_PORT

Default: 636. The port that provides LDAP connectivity to the LDAP_SERVER.
```
- name: LDAP_SERVER
  value: "<ldap_server_port>"
```
LDAP_PROTOCOL_VERSION

Default: v3. The LDAP protocol version that is used for authentication.
```
- name: LDAP_PROTOCOL_VERSION
  value: "v3"
```
LDAP_TIMEOUT

Default: 30. The number of seconds for the timeout for making LDAP queries.
```
- name: LDAP_TIMEOUT
  value: "<ldap_query_timeout_secs>"
```
LDAP_BASE_DN

Default: none. A comma-separated sequence of relative Distinguished Names (DN) that define the path to the LDAP directory where the users for authentication are configured. For example, ‘ou=instabase,ou=apps,dc=example,dc=org'.
```
- name: LDAP_BASE_DN
  value: "<ldap_base_dn>"
```
LDAP_ENABLE_TLS
- True - Enable TLS for connecting to LDAP server.
- False - Default. Do not enable TLS connection.
```
- name: LDAP_ENABLE_TLS
  value: "true"
```
LDAP_IGNORE_TLS_CERT_VALIDATION
- True - Ignore TLS client certificate validation.
- False - Default. Respect TLS client certificate validation.
```
- name: LDAP_IGNORE_TLS_CERT_VALIDATION
value: "<use_tls_cert>"
```
LDAP_CACERT_FILE

Default: none. Path name of file that contains all trusted CA certificates that perform client side verification. Set to “/etc/secrets/ldap/cacerts” to use a pre-generated certificate.
```
- name: LDAP_CACERT_FILE
  value: "<ldap_cacert>"
```
LDAP_TRACE_LEVEL

Default: 0. Sets the trace logging level provided by LDAP used to specify the amount of information being logged, used for debugging purposes. Accepted values are:
- 0: No logging, default value.
- 1: Only logging the method calls with arguments. Note that the arguments might include sensitive information.
- 2: Logging the method calls with arguments and the complete results.
- 9: In addition to method calls with arguments and complete results, includes logging the traceback of method calls.
Warning

Setting a non-zero value for this configuration can lead to logging of sensitive information such as passwords. This should be used only in development environments for debugging purposes. In addition, to enable a non-zero LDAP_TRACE_LEVEL, the LOG_LEVEL must also be set to DEBUG. If it is not, no LDAP trace level logs are emitted for security reasons.
```
- name: LDAP_TRACE_LEVEL
  value: "<ldap_trace_level>"
```
LDAP_USER_SEARCH_FILTER

Default: none. The search filter that is used to look up an LDAP user in the LDAP base directory name (DN). Corresponds to the user name that the user enters for logging into Instabase.
```
- name: LDAP_USER_SEARCH_FILTER
  value: "<ldap_user_search_filter>"
```
LDAP_USER_ATTRIBUTE

Default: none. LDAP attribute that determines the email address of the user for storing within Instabase. When a user logs in successfully, this value is updated in the Instabase database. For a search filter that leads to following search result, set to 'registeredAddress' like this example:
```
[('cn=user123,dc=ldap,dc=example,dc=org',{'registeredAddress': ['user123@instabase.com']})]
```
```
- name: LDAP_USER_ATTRIBUTE
  value: "<ldap_user_attribute_for_email>"
```
LDAP_DELIMITER

Default: "<>". Allow LDAP authentication to be performed against multiple nodes/directory in the LDAP tree. Set this param to define a delimiter input value for the following environment variables:
- LDAP_BASE_DN: 'ou=users,o=ABC_Company<>ou=api,ou=apps,o=ABC_Company'
- LDAP_USER_SEARCH_FILTER: '(&(objectclass=abcPerson)(cn={}))<>(&(objectclass=abcPerson)(cn={}))'
- LDAP_USER_ATTRIBUTE: 'mail<>mail'

AD FS authentication

Instabase supports Active Directory Federation Services (AD FS) as an authentication backend to manage access to Instabase. AD FS can be used to authenticate inbound API calls to the Instabase platform for existing users—if the user does not already exist on Instabase, the API call will be denied.

Note

This documentation describes the process of configuring Instabase to use AD FS servers as a means of authentication. This documentation will not help in setting up the AD FS server itself. Furthermore, this documentation is useful only to organizations that have specifically deployed AD FS into their environment, not for users who are using Microsoft Entra ID.

Prerequisites

Site admin privileges
A standing and accessible AD FS server
The access token returned by AD FS should contain the following information:
- An audience claim
  - The value of this claim is used by Instabase to verify that a given access token is intended for Instabase.
  - The default field name of this claim is aud but your organization can use a different name. Instabase can be configured to use whichever claim field name your organization chooses to use.
- A uid claim
  - The value of this claim is used by Instabase to identify which user initiated the API call. It must exactly match the username of the user initiating the API call. If your organization is using SAML (SSO), then this value must match the value of uid in the SAML response. See SAML authentication for more information.
  - The field name of this claim is determined by your organization. Instabase can be configured to use whichever claim name your organization chooses to use.

Configure Instabase for AD FS authentication

Go to Admin App > Site Settings > Configuration.
Scroll down to Active Directory Federation Services Configuration.
Under Authentication Server URI, provide the URI at which your AD FS server can be reached.
Under Audience Expected Value, provide the value of the audience claim Instabase can expect to find when inspecting AD FS access tokens.
- For security reasons, this value should be specific to the Instabase environment.
- Example value: https://instabase-dev.com or https://instabase-uat.com.
Optionally, under Audience Field Name, provide the name of the claim field name that will correspond to the audience value provided above. If this is left blank, the default value of aud will be used.
Under UID Field Name, provide the field name of the claim that will correspond to the UID, or username of the user making the API call.

Example

Let the following be a payload of an access token returned by an AD FS server found at https://sample-server.instabase.com:

{
  "aud": "https://instabase-sample.com",
  "primarysid": "A7654321",
  ...
}

The correct corresponding configuration will look like the following:

Calling an Instabase API with an AD FS access token

Retrieve an access token from the AD FS server
Add the access token as a Bearer Token to the Authorization field in the headers of the API call:
```
{
    "Authorization": "Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJ..."
}
```
To tell Instabase to use the provided Bearer Token as an access token, add the following to the headers of the API call:
```
{
    "Authorization": "Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJ...",
    "ADFS-Authentication": "true"
}
```