From f2199f1712e227b53716ecf6f7a02707214a58db Mon Sep 17 00:00:00 2001 From: pgumpoldsberger <60177408+pgumpoldsberger@users.noreply.github.com> Date: Wed, 27 Mar 2024 15:49:11 +0100 Subject: [PATCH] website/integrations: add documentation for OIDC setup with Xen Orchestra (#9000) * website/integrations: add documentation for OIDC setup with Xen Orchestra * Dot removed Co-authored-by: Tana M Berry Signed-off-by: pgumpoldsberger <60177408+pgumpoldsberger@users.noreply.github.com> * Dot added Co-authored-by: Tana M Berry Signed-off-by: pgumpoldsberger <60177408+pgumpoldsberger@users.noreply.github.com> * Update website/integrations/services/xen-orchestra/index.md Co-authored-by: Tana M Berry Signed-off-by: pgumpoldsberger <60177408+pgumpoldsberger@users.noreply.github.com> * Update website/integrations/services/xen-orchestra/index.md Co-authored-by: Tana M Berry Signed-off-by: pgumpoldsberger <60177408+pgumpoldsberger@users.noreply.github.com> * Update website/integrations/services/xen-orchestra/index.md Co-authored-by: Tana M Berry Signed-off-by: pgumpoldsberger <60177408+pgumpoldsberger@users.noreply.github.com> * Update website/integrations/services/xen-orchestra/index.md Co-authored-by: Tana M Berry Signed-off-by: pgumpoldsberger <60177408+pgumpoldsberger@users.noreply.github.com> * Update website/integrations/services/xen-orchestra/index.md Co-authored-by: Tana M Berry Signed-off-by: pgumpoldsberger <60177408+pgumpoldsberger@users.noreply.github.com> * moved XO-configuration-values into a list instead of having numerous steps * remove config params that are retrieved by Auto-discovery URL anyways * add information about user mapping using the e-mail-address * changed note since auto-user-creation is implemented in the XO OIDC plugin * fix typos Signed-off-by: Jens Langhammer --------- Signed-off-by: pgumpoldsberger <60177408+pgumpoldsberger@users.noreply.github.com> 
Signed-off-by: Jens Langhammer Co-authored-by: Tana M Berry Co-authored-by: Jens Langhammer --- .../services/xen-orchestra/index.md | 69 +++++++++++++++++++ website/sidebarsIntegrations.js | 1 + 2 files changed, 70 insertions(+) create mode 100644 website/integrations/services/xen-orchestra/index.md diff --git a/website/integrations/services/xen-orchestra/index.md b/website/integrations/services/xen-orchestra/index.md new file mode 100644 index 0000000000..a248ed6cf4 --- /dev/null +++ b/website/integrations/services/xen-orchestra/index.md 
@@ -0,0 +1,69 @@ +--- +title: Xen Orchestra +--- + +Support level: Community + +## What is Xen Orchestra + +> Xen Orchestra provides a user friendly web interface for every Xen based hypervisor (XenServer, xcp-ng, etc.). +> +> -- https://xen-orchestra.com/ + +:::note +Xen Orchestra offers authentication plugins for OpenID Connect, SAML and LDAP. This guide is using the OpenID Connect plugin. +If you are using the Xen Orchestra Appliance, the OIDC Plugin should be present. If you are using Xen Orchestra compiled from sources, make sure the plugin `auth-oidc` is installed. +::: + +## Preparation + +The following placeholders will be used: + +- `xenorchestra.company` is the FQDN of the Xen Orchestra instance. +- `authentik.company` is the FQDN of the authentik install. + +## authentik configuration + +### 1. Provider + +Under _Providers_, create an OAuth2/OpenID provider with these settings: + +- Name: Provider for XenOrchestra +- Authorization Flow: Select one of the available Flows. +- Client type: Confidential +- Redirect URIs/Origins: `https://xenorchestra.company/signin/oidc/callback` + +Take note of the Client ID and the Client Secret, because we need them for the configuration of Xen Orchestra. + +### 2. Application + +Create an application with the following details: + +- Slug: `xenorchestra` (If you want to choose a different slug, your URLs for the Xen Orchestra Configuration may vary.) +- Provider: Select the one we have created in Step 1 +- Set the Launch URL to `https://xenorchestra.company/` + +Optionally apply access restrictions to the application. + +## Xen Orchestra configuration + +Xen Orchestra allows the configuration of the OpenID Connect authentication in the plugin-section. +All of the URLs mentioned below can be copied & pasted from authentik (_Applications -> Providers -> *the provider created earlier*_). + +1. Navigate to Settings -> Plugins +2. Scroll to **auth-oidc** and click on the **+** icon on the right hand side. +3. 
Configure the auth-oidc plugin with the following configuration values: + +- Set the `Auto-discovery URL` to `https://authentik.company/application/o/xenorchestra/.well-known/openid-configuration`. +- Set the `Client identifier (key)` to the Client ID from your notes. +- Set the `Client secret` to the Client Secret from your notes. +- Check the `Fill information (optional)`-Checkbox to open the advanced menu. +- Set the `Username field` to `username` +- Set the `Scopes` to `openid profile email` + +4. Enable the `auth-oidc`-Plugin by toggling the switch above the configuration. +5. You should be able to login with OIDC. + +:::note +The first time a user signs in, Xen Orchesta will create a new user with the same username used in authentik. If you want to map the users by their e-mail-address instead of their username, you have to set the `Username field` to `email` in the Xen Orchestra plugin configuration. +::: diff --git a/website/sidebarsIntegrations.js b/website/sidebarsIntegrations.js index a7b3396880..8f836d3195 100644 --- a/website/sidebarsIntegrations.js +++ b/website/sidebarsIntegrations.js @@ -63,6 +63,7 @@ module.exports = { "services/portainer/index", "services/proxmox-ve/index", "services/rancher/index", + "services/xen-orchestra/index", "services/vmware-vcenter/index", ], },
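Review bot: In the new `index.md`, the "Optionally apply access restrictions to the application." sentence under "### 2. Application" understates the security impact given the closing note, which says the `auth-oidc` plugin creates a new Xen Orchestra user on the first sign-in of anyone who authenticates through the provider; with auto-provisioning enabled, a policy bound to the authentik application is the only gate on who gets an XO account, so I would reword this to recommend binding a policy (for example to a dedicated group) rather than leaving it as optional. In the same note, the attribute chosen as `Username field` (`username` or `email`) is what XO uses to match existing accounts, so it is worth stating that it must be unique and not freely editable by users in authentik, otherwise two authentik users could be mapped onto the same XO account. Smaller points in this hunk: "Xen Orchesta" in the closing note should be "Xen Orchestra", and "Authorization Flow: Select one of the available Flows." could name the default implicit or explicit consent flow so readers do not pick an unrelated flow at random.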
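Review bot: In the `website/sidebarsIntegrations.js` hunk, the surrounding entries are in alphabetical order (`portainer`, `proxmox-ve`, `rancher`, `vmware-vcenter`), so `"services/xen-orchestra/index",` should be inserted after `"services/vmware-vcenter/index",` rather than before it to keep the sidebar sorted.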