The hub can be configured to allow users to sign in by authenticating against an external OIDC provider such as Azure Entra.
4
+
5
+
## Configure an OIDC provider
6
+
7
+
You can add the configuration for a new OIDC provider under Settings > Security > OpenID Connect (OIDC).
8
+
9
+
You will need to provide:
10
+
-**Provider Name** for display on the sign in screen
11
+
-**Authority URL** e.g. `https://login.microsoftonline.com/<your tenant id>`
12
+
-**Client ID**
13
+
-**Client Secret**
14
+
-**OpenID Scopes**, at a minimum `openid`
15
+
-**Response Type**: `code`
16
+
-**Response Mode**: `form_post`
17
+
18
+
## Signing In
19
+
20
+
Once an OIDC provider is configured, any user can try to sign in using that provider. A stub account will then be created within the system with no roles assigned. The administrator can then assign hub roles to that account. When the user signs back in they will have the assigned roles and feature access.
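Review bot: The "Signing In" paragraph should state plainly that the provider, not the hub, decides who can authenticate: "any user can try to sign in" means any account the configured authority accepts for this application will get a stub account, so the zero-roles default is the only thing standing between an authenticated outsider and hub access, and administrators who want a narrower population need to restrict which accounts the provider will issue tokens for. The bullet list also covers only what the hub needs from the provider; it should say what the provider's app registration needs from the hub (the redirect URI that must be allowed for the `form_post` response, and that the Client Secret is a credential to be rotated and not shared). Minor: the bullets are written `-**Provider Name** ...` with no space after the dash, so they will not render as a list; use `- **Provider Name** ...`.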
docs/hub/index.md
Lines changed: 1 addition & 0 deletions
@@ -16,6 +16,7 @@ The product is available to try out as an beta version (e.g. not the finished pr
16
16
-**Self-hosted, cross-platform including Linux, macOS or Windows.**
17
17
- Optionally manage thousands of certs across hundreds of existing *Certify Certificate Manager* instances, or renew centrally, from a "single pane of glass" UI.
18
18
- Multi-user role based access security for administration and consuming certificates, with support for app/service security principles and individual scoped API access
19
+
- Optional single sign on with [OIDC support](./guides/oidc.md) via providers such as Azure Entra.
19
20
- Distribute certs using optional installed agents, deployment tasks, or use the API to pull the latest cert using your own integrations.
20
21
- Optional centralized DNS challenges compatible with most popular ACME clients, so that privileged DNS credentials do not need to be stored across individual ACME clients.
21
22
- Optional integrated visibility of renewal status for third party ACME clients such as win-acme, Certbot and acme.sh
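Review bot: "single sign on" on the added line should be hyphenated as "single sign-on" to match the other feature bullets' noun style. While in this hunk, two unchanged context lines carry typos worth fixing in the same commit: "app/service security principles" should read "security principals" (the identity term, not a rule), and the hunk header context says "an beta version" where "a beta version" is meant.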
docs/hub/known-issues.md
Lines changed: 4 additions & 6 deletions
@@ -15,14 +15,11 @@ The UI needs to know the URL of the API it should talk to. This is configured by
15
15
16
16
If the problem occurs with a new docker container, follow the above and set the url to the require host and port e.g. `http://localhost:8080`
17
17
18
-
#### Refreshing a page returns a blank page
19
-
If using the combined hub service container image or serving the UI via the same service as the API, some app UI routing does not work (e.,g. reloading or bookmarking in-app URL routes).
18
+
#### Data caching in the UI
19
+
Normally, when the system changes managed certificate or updates it status the change should be streamed back to the UI via SignalR. This streaming functionality is currently a work in progress and most items now update automatically.
20
20
21
21
Pages that show data that might change will generally update themselves periodically (summary page, instances, charts etc) or in some cases when the underlying data changes and a message from the hub is streamed back the the UI. In some cases you may need to reload the app from the app root URL to see the latest information while the app is still under development.
22
22
23
-
#### When managed certificates change, the info doesn't update in the UI
24
-
Normally, when the system changes managed certificate or updates it status the change should be streamed back to the UI via SignalR. This streaming functionality is currently a work in progress and most items now update automatically.
25
-
26
23
#### Loading time over slow connections
27
24
The web app uses WebAssembly (WASM) and has a large application payload on initial load. Subsequent loads used cached resources.
28
25
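Review bot: The new "#### Data caching in the UI" heading sits over a paragraph about SignalR streaming that is word-for-word the paragraph removed from under "When managed certificates change, the info doesn't update in the UI", and that paragraph contradicts itself ("should be streamed back to the UI" followed by "most items now update automatically"); since the retained paragraph below it already says pages refresh periodically or on streamed messages, consider merging the two into one short note under the new heading. The removal of "Refreshing a page returns a blank page" drops a known limitation (in-app route reloads and bookmarks not working when the UI is served from the API) without the change indicating it is fixed; if it still applies, keep it. Unchanged context in this hunk also has "set the url to the require host" (required) and "streamed back the the UI" (to the), which could be fixed here.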
@@ -34,4 +31,5 @@ Multiple instances of the Certify Agent or Management Hub service reading and wr
34
31
35
32
Note: We do not provide general support for how to use different container technology and you will likely need to know more about your choice of container deployment technology than we do, if you are using containers at all. Certify Management Hub is our first product that supports deployment to containers, so we expect growing pains.
36
33
37
-
34
+
### Windows Specific Tasks
35
+
If you will be commonly running PowerShell etc and interacting with Windows Server using Windows AAuthentication you should host the Management Hub on a Windows Server install. The hub *can* be used in containers (or hosted directly on Linux) but with reduced compatibility for Windows specific things like Windows Impersonation credentials.
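Review bot: "Windows AAuthentication" on the added line is a typo for "Windows Authentication", and "Windows specific things" should be "Windows-specific things". The new heading is "### Windows Specific Tasks" while the other known-issue items in this file use "####"; check that the level is intentional so the item does not render as a sibling of the section it belongs to.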