Using OIDC Authentication With AMP and Authentik

OpenID Connect (OIDC) is an identity layer on top of OAuth 2.0 that lets a single identity provider authenticate users to many applications (single sign-on). AMP recently implemented OIDC and was specifically tested against Authentik. Other providers should work as well, but had not been verified at the time of writing.

There are guides on installing Authentik online that you can follow. This guide assumes you already have Authentik up and running and a basic understanding of the settings involved.

As of 2.6.1.4, you can only choose OIDC or local login, not both; this will change in a future release. If you need to sign in with a local account to troubleshoot, temporarily set Login.UseOIDC to False and restart ADS, then set it back to True once you are done.

Authentik Configuration

  1. Create a group called AMP_Super Admins that contains all of your administrators. The default prefix is AMP_, and the rest of the group name must match the Role Name in AMP exactly (including spaces and case). This is how AMP decides which roles to grant a user when they log in: each IdP group starting with the prefix becomes the AMP role of the same name, and groups without the prefix are ignored.


  2. Add a new OAuth2/OpenID Provider. Note the Client ID and Client Secret for use in the AMPConfig.conf file in the steps further down. The redirect URI you register on the provider must match the Login.OIDCRedirectUri you set in AMP exactly (scheme, host, port and trailing slash); a mismatch is rejected at the authorization step before any login can complete.

  3. Create a new Application, named however you like, and select the Provider from Step 2. Set the Launch URL to your AMP web panel URL. The remaining settings can be adjusted as you like. Note that the Application's slug becomes part of some provider endpoint URLs (the end-session URL in the example below uses the slug amp-oidc-test), so pick it before filling in AMPConfig.conf.

AMP Configuration

Eventually, we will expose the needed settings in the UI, but until the feature is more widely tested they must be set in the AMPConfig.conf file. This can be found in the datastore folder of the ADS instance, typically /home/amp/.ampdata/instances/ADS01 on Linux or C:\AMPDatastore\instances\ADS01 on Windows.

Adjust the settings below to match what you have configured in Authentik. We highly recommend HTTPS for your production setup, including for the redirect URI. The values below are taken from the developers' test system purely as an example: in particular, it uses a plain-HTTP redirect URI and sets Login.OIDCIgnoreTLSFailure=True, which makes AMP ignore TLS certificate errors when it contacts Authentik. On a production deployment use an HTTPS redirect URI, a certificate AMP trusts, and Login.OIDCIgnoreTLSFailure=False.

Login.UseOIDC=True
Login.OIDCProviderFriendlyName=Authentik
Login.OIDCClientID=enc:(encrypted string)
Login.OIDCClientSecret=enc:(encrypted string)
Login.OIDCRedirectUri=http://192.168.x.x:8080/
Login.OIDCAuthorizeEndpoint=https://192.168.x.x:9443/application/o/authorize/
Login.OIDCValidationEndpoint=https://192.168.x.x:9443/application/o/userinfo/
Login.OIDCTokenEndpoint=https://192.168.x.x:9443/application/o/token/
Login.OIDCUserInfoEndpoint=https://192.168.x.x:9443/application/o/userinfo/
Login.OIDCLogoutEndpoint=https://192.168.x.x:9443/application/o/amp-oidc-test/end-session/
Login.OIDCRevokeEndpoint=https://192.168.x.x:9443/application/o/amp-oidc-test/end-session/
Login.OIDCRoleNamePrefix=AMP_
Login.OIDCNewUsersDisabledAtCreation=False
Login.OIDCIgnoreTLSFailure=True

After changing the above settings, you must restart the ADS instance for them to take effect.
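As an added example (not AMP's or Authentik's own code), the Python script below pre-flights the settings from the two procedures above before you restart ADS: it parses the Key=Value lines of AMPConfig.conf, compares the endpoint settings against the provider's OpenID discovery document (Authentik serves it at https://<authentik>/application/o/<slug>/.well-known/openid-configuration), checks the redirect URI against the ones registered on the provider, flags the plain-HTTP redirect and Login.OIDCIgnoreTLSFailure=True for a production deployment, and shows how the AMP_ prefix maps IdP group names to AMP role names. The config text, the discovery document, the IP addresses and the set of registered redirect URIs are all constructed for the example; the discovery field names are the standard OIDC ones.

```python
"""Preflight check for AMP's OIDC settings against Authentik.

Added example, not part of AMP or Authentik. All sample data is constructed.
"""
import json
from urllib.parse import urlparse

# Constructed AMPConfig.conf fragment modelled on the article's example.
AMPCONFIG_SAMPLE = """\
Login.UseOIDC=True
Login.OIDCProviderFriendlyName=Authentik
Login.OIDCClientID=enc:(encrypted string)
Login.OIDCClientSecret=enc:(encrypted string)
Login.OIDCRedirectUri=http://192.168.1.10:8080/
Login.OIDCAuthorizeEndpoint=https://192.168.1.20:9443/application/o/authorize/
Login.OIDCValidationEndpoint=https://192.168.1.20:9443/application/o/userinfo/
Login.OIDCTokenEndpoint=https://192.168.1.20:9443/application/o/token/
Login.OIDCUserInfoEndpoint=https://192.168.1.20:9443/application/o/userinfo/
Login.OIDCLogoutEndpoint=https://192.168.1.20:9443/application/o/amp-oidc-test/end-session/
Login.OIDCRevokeEndpoint=https://192.168.1.20:9443/application/o/amp-oidc-test/end-session/
Login.OIDCRoleNamePrefix=AMP_
Login.OIDCNewUsersDisabledAtCreation=False
Login.OIDCIgnoreTLSFailure=True
"""

# Constructed subset of the discovery document Authentik serves at
# https://<authentik>/application/o/<slug>/.well-known/openid-configuration
DISCOVERY_SAMPLE = json.loads("""{
  "issuer": "https://192.168.1.20:9443/application/o/amp-oidc-test/",
  "authorization_endpoint": "https://192.168.1.20:9443/application/o/authorize/",
  "token_endpoint": "https://192.168.1.20:9443/application/o/token/",
  "userinfo_endpoint": "https://192.168.1.20:9443/application/o/userinfo/",
  "end_session_endpoint": "https://192.168.1.20:9443/application/o/amp-oidc-test/end-session/"
}""")

# Redirect URIs registered on the Authentik provider (constructed).
REGISTERED_REDIRECT_URIS = {"http://192.168.1.10:8080/"}

# AMP setting -> standard OIDC discovery field it must agree with.
ENDPOINT_KEYS = {
    "Login.OIDCAuthorizeEndpoint": "authorization_endpoint",
    "Login.OIDCTokenEndpoint": "token_endpoint",
    "Login.OIDCUserInfoEndpoint": "userinfo_endpoint",
    "Login.OIDCLogoutEndpoint": "end_session_endpoint",
}


def parse_ampconfig(text):
    """Parse Key=Value lines into a dict, skipping blanks and '#' comments.
    Values are split on the first '=' only, so URLs containing '=' survive."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def roles_from_groups(groups, prefix):
    """Mirror the article's mapping: IdP group 'AMP_Super Admins' -> AMP role
    'Super Admins'. Groups without the prefix, or with nothing after it, are ignored."""
    return [g[len(prefix):] for g in groups if g.startswith(prefix) and len(g) > len(prefix)]


def check_oidc_settings(settings, discovery, registered_redirect_uris, production=True):
    """Return a list of problems; an empty list means the settings look consistent."""
    problems = []
    if settings.get("Login.UseOIDC", "").lower() != "true":
        problems.append("Login.UseOIDC is not True, so AMP will keep using local login")
    for amp_key, disc_key in ENDPOINT_KEYS.items():
        expected, actual = discovery.get(disc_key), settings.get(amp_key)
        if actual != expected:
            problems.append(f"{amp_key}={actual!r} differs from discovery {disc_key}={expected!r}")
    redirect = settings.get("Login.OIDCRedirectUri", "")
    if redirect not in registered_redirect_uris:
        problems.append(f"redirect URI {redirect!r} is not registered on the provider")
    for key in ("Login.OIDCClientID", "Login.OIDCClientSecret"):
        if not settings.get(key):
            problems.append(f"{key} is empty")
    if production:
        if urlparse(redirect).scheme != "https":
            problems.append("redirect URI is plain http: the authorization code is sent in the clear")
        if settings.get("Login.OIDCIgnoreTLSFailure", "").lower() == "true":
            problems.append("Login.OIDCIgnoreTLSFailure=True: certificate errors on Authentik calls are ignored")
    return problems


if __name__ == "__main__":
    cfg = parse_ampconfig(AMPCONFIG_SAMPLE)
    roles = roles_from_groups(["AMP_Super Admins", "Everyone"], cfg["Login.OIDCRoleNamePrefix"])
    print("AMP roles granted:", roles)
    for problem in check_oidc_settings(cfg, DISCOVERY_SAMPLE, REGISTERED_REDIRECT_URIS):
        print("WARN:", problem)
```

Run against the article's test-system values, the production check reports exactly the two issues called out above (plain-HTTP redirect URI and TLS failures ignored) and nothing else; with production=False it reports nothing, which is the state the developers' test system is in. To use it against a real deployment, replace AMPCONFIG_SAMPLE with the contents of your AMPConfig.conf and DISCOVERY_SAMPLE with the JSON fetched from your Authentik discovery URL.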