Portainer Documentation
2.21 LTS

Authenticate via OAuth

Last updated 9 months ago

Configuring OAuth authentication in Portainer

From the menu select Settings then select Authentication. Under the Authentication method section click OAuth.

In the next screen, enter the credentials provided by your OAuth provider, using the table below as a guide.

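| Field/Option | Overview |
| --- | --- |
| Use SSO | Enable SSO so that the OAuth provider won't be forced to ask for credentials when users are in a current logged-in session. |
| Hide internal authentication prompt | Hide the ability to log in through internal authentication. Note that when external authentication is enabled, only the initial admin user can log in with internal auth. |
| Automatic user provisioning | If toggled on, users who exist at the OAuth provider's end will automatically be created in Portainer (you can define a default team to put those users in while this option is on). If toggled off, you'll need to create users in Portainer manually. |

If you toggle Automatic team membership on, you can choose to automatically add OAuth users to certain Portainer teams based on the Claim name. Claim names will be matched with teams or you can manually link a claim name (using regex) with Portainer teams under the Statically assigned teams option. You can also define a Default team for users who don't belong to any other team.

When configuring Microsoft Entra ID (Azure AD) as the OAuth provider, you will need to use the group's Object Id value for the claim value regex instead of the group name.

In addition, you can enable the automatic assignment of admin rights to specified groups if desired.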
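
A way to check claim value regexes before entering them under Statically assigned teams, as an added example that is not Portainer's code. It assumes the groups claim is a list of strings and that a regex is applied as an unanchored search (this page does not state which matching rule Portainer uses); the Object Id, group names and team names are constructed.

```python
import re

# Constructed sample data: one Entra ID group Object Id and two plain group names.
ADMINS_OID = "3f2b8c1e-7a4d-4e9b-9c55-0d1e2f3a4b5c"
MAPPINGS = [
    ("^" + re.escape(ADMINS_OID) + "$", "Platform admins"),  # anchored Object Id
    ("ops", "Operations"),                                    # unanchored name
]
KNOWN_VALUES = [ADMINS_OID, "ops", "devops"]


def resolve_teams(claim_values, mappings, default_team=None):
    """Teams a user receives if each regex is applied as an unanchored search."""
    teams = []
    for pattern, team in mappings:
        if team not in teams and any(re.search(pattern, v) for v in claim_values):
            teams.append(team)
    if not teams and default_team:
        return [default_team]  # the Default team catches users with no match
    return teams


def overmatching(mappings, known_values):
    """Mappings that hit a known claim value only because the regex is unanchored."""
    findings = []
    for pattern, team in mappings:
        loose = {v for v in known_values if re.search(pattern, v)}
        strict = {v for v in known_values if re.fullmatch(pattern, v)}
        if loose - strict:
            findings.append((team, pattern, sorted(loose - strict)))
    return findings
```

Any finding from `overmatching` is a group that would join a team it was not meant for, which matters most for groups that are also given automatic admin rights; anchoring the pattern with `^` and `$` removes the ambiguity.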

OAuth providers

Portainer provides pre-configured OAuth provider options or you can set up your own custom OAuth provider. Each of the pre-configured providers can have their configuration overridden if you need to make changes to the Portainer defaults.

Microsoft

Configure your OAuth provider using the table below as a guide.

| Field/Option | Overview |
| --- | --- |
| Tenant ID | Enter the ID of the Azure Directory you wish to authenticate against. This is also known as the Directory ID. |
| Application ID | Enter the public identifier of the OAuth application. |
| Application key | Enter the secret key for the OAuth application. |

You can find these details using the following steps:

  1. Log in to your Azure Portal as an administrator.

  2. Click on Azure Active Directory and then click on Overview. Your Tenant ID can be found in the right pane. Use this as the Tenant ID in Portainer.

  3. Still in Azure Active Directory, click on App Registrations then click New registration.

    Enter a friendly name for the Portainer instance. Choose the appropriate option for Supported account types, choose the Web type for Redirect URI, and enter the FQDN or IP address that your Portainer instance listens on, e.g. https://portainer.example.com:9443. Then click Register.

  4. After creating the registration, use the Application ID shown on the resulting screen in the respective field in Portainer.

  5. Click on Certificates & secrets, then click Client secrets and click New client secret. Add a Description, choose an Expiry date, then click Add.

    The secret will then be generated for you. Use the Value as the Application key in the respective field in Portainer.

  6. Click on API Permissions and Add a permission. Select Microsoft Graph in the Request API permissions screen. Select Delegated permissions and add the email, openid and profile permissions.

  7. Make sure you Grant admin consent for Directory.

  8. Optionally, to use the Automatic Team Membership ability in Portainer, you need to create a groups claim. Click on Token Configuration and Add groups claim. Select Security Groups and click Add.

When you're finished, click Save settings.

Google

Configure your OAuth provider using the table below as a guide.

| Field/Option | Overview |
| --- | --- |
| Client ID | Enter the public identifier of the OAuth application. |
| Client secret | Enter the secret key for the OAuth application. |

When you're finished, click Save settings.

GitHub

Configure your OAuth provider using the table below as a guide.

| Field/Option | Overview |
| --- | --- |
| Client ID | Enter the public identifier of the OAuth application. |
| Client secret | Enter the secret key for the OAuth application. |

When you're finished, click Save settings.

Custom

Complete the OAuth Configuration section based on the table below.

| Field/Option | Overview |
| --- | --- |
| Client ID | Enter the public identifier of the OAuth application. |
| Client secret | Enter the token access to the OAuth application. |
| Authorization URL | Enter the URL used to authenticate against the OAuth provider (will redirect users to the OAuth provider login screen). |
| Access token URL | Enter the URL used to exchange a valid OAuth authentication code for an access token. |
| Resource URL | Enter the URL used by Portainer to retrieve information about authenticated users. |
| Redirect URL | Enter the URL used by the OAuth provider to redirect users after they are successfully authenticated (also referred to as the callback URL). You should set this to your Portainer instance URL. |
| Logout URL | Enter the URL used by the OAuth provider to log users out. |
| User identifier | Enter the identifier that Portainer will use to create accounts for authenticated users. Retrieved from the resource server specified in the Resource URL field. |
| Scopes | Required by the OAuth provider to retrieve information about authenticated users. See your provider's own documentation for more information. |
| Auth Style | Specify how to send the client ID and client secret to the OAuth provider. |

When you're finished, click Save settings.
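
How the Custom fields above are used in a standard OAuth 2.0 authorization code flow (RFC 6749), as an added example that is not Portainer's code. The idp.example.com endpoints, the client values and the `in_header` / `in_params` labels for Auth Style are constructed for illustration.

```python
import base64
import hmac
import json
from urllib.parse import parse_qs, quote_plus, urlencode, urlsplit

# Constructed sample values; the keys mirror the Custom provider fields above.
CFG = {
    "client_id": "portainer-client", "client_secret": "s3cr3t/value",
    "authorization_url": "https://idp.example.com/oauth2/authorize",
    "access_token_url": "https://idp.example.com/oauth2/token",
    "resource_url": "https://idp.example.com/oauth2/userinfo",
    "redirect_url": "https://portainer.example.com:9443",
    "user_identifier": "email", "scopes": "openid email profile",
    "auth_style": "in_header",  # this example's own labels: in_header / in_params
}

def authorization_request(cfg, state):
    """Authorization URL plus the query the browser is redirected with."""
    return cfg["authorization_url"] + "?" + urlencode({
        "response_type": "code", "client_id": cfg["client_id"],
        "redirect_uri": cfg["redirect_url"], "scope": cfg["scopes"], "state": state})

def read_callback(callback_url, expected_state):
    """Return the authorization code only if the state round-tripped intact."""
    q = parse_qs(urlsplit(callback_url).query)
    state = q.get("state", [""])[0]
    if not hmac.compare_digest(state, expected_state):
        raise ValueError("state mismatch: possible forged callback")
    return q["code"][0]

def token_request(cfg, code):
    """Headers and form body POSTed to the Access token URL."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    form = {"grant_type": "authorization_code", "code": code,
            "redirect_uri": cfg["redirect_url"]}
    if cfg["auth_style"] == "in_header":
        # RFC 6749 section 2.3.1: form-encode each credential, then HTTP Basic.
        pair = quote_plus(cfg["client_id"]) + ":" + quote_plus(cfg["client_secret"])
        headers["Authorization"] = "Basic " + base64.b64encode(pair.encode()).decode()
    else:  # in_params: credentials travel in the POST body instead
        form.update(client_id=cfg["client_id"], client_secret=cfg["client_secret"])
    return headers, urlencode(form)

def user_identifier(cfg, resource_body):
    """Pick the configured User identifier out of the Resource URL's JSON reply."""
    value = json.loads(resource_body).get(cfg["user_identifier"])
    if not isinstance(value, str) or not value:
        raise ValueError("resource reply lacks " + cfg["user_identifier"])
    return value
```

If the provider rejects the token exchange, comparing the output of `token_request` under both Auth Style settings with what the provider's documentation expects is usually the quickest way to find the mismatch.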

Giving environment access to OAuth teams and users

See Managing user access to environments.