External Authentication

CloudShark allows users to authenticate against the local database or against a Single Sign-On SAML 2.0 provider. Google and Okta can also be used to authenticate users using OAuth.

CloudShark maintains group membership locally or accesses group membership information using the same network directory information services. Local and external user modes may exist simultaneously, allowing a single CloudShark system to include both local and external users.


If you are using a SAML 2.0 Single Sign-On server, follow the instructions in the Single Sign-On Authentication article.

If you are using OAuth with Google or Okta, use the instructions in the OAuth Authentication article.

Users

When external authentication is enabled, CloudShark will create an account for each user the first time they log in. To change this default behavior, visit the Authentication page of the Administration menu and uncheck the Create accounts on first-login checkbox. When this is disabled, every user account must first be provisioned by a CloudShark administrator before the external user is able to log in.

When an account is created using external authentication, the Default User Settings will be used to create the user. Visit the CloudShark Users page for more information on setting up Default User Settings.

Groups

CloudShark can map external authentication groups to local CloudShark groups, automatically granting appropriate permissions to users based on their external group membership. Here is how to set up an external group and map it to a local CloudShark group:

  • Create or edit a local CloudShark group
  • Add one or more external group names to the group’s External Groups list
  • Any user who belongs to those external groups will automatically become a member of the local CloudShark group

Example

Consider two external groups defined by your existing authentication server:

  • cloudshark-admins: For users needing administrative access
  • cloudshark-users: For users needing basic access

To grant administrative access:

  • Edit the built-in Admin group in CloudShark
  • Add cloudshark-admins to its External Groups list
  • External users in the cloudshark-admins group automatically gain administrative privileges

To grant basic access:

  • Create a new local group called Users
  • Add cloudshark-users to its External Groups list
  • External users in the cloudshark-users group automatically gain basic privileges

Group membership can be managed either through your external authentication system or by CloudShark administrators through the local groups interface.
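
To review who ends up with administrative access once these mappings are in place, the rule can be modelled offline. The following Python sketch is an added example, not CloudShark code or its API; the user names and memberships are constructed, and it assumes external group names are compared as exact strings.

```python
# Added illustration: a model of the mapping rule described above.
# Only Admin, Users, cloudshark-admins and cloudshark-users come from the page;
# every user name and membership below is constructed sample data.

# Local group -> its External Groups list (as configured in the example).
EXTERNAL_GROUPS = {
    "Admin": {"cloudshark-admins"},
    "Users": {"cloudshark-users"},
}

# Local group -> members added by a CloudShark administrator (constructed).
LOCAL_MEMBERS = {
    "Admin": {"root"},
    "Users": {"carol"},
}

# User -> groups reported by the external authentication server (constructed).
IDP_GROUPS = {
    "alice": {"cloudshark-admins", "cloudshark-users"},
    "bob": {"cloudshark-users"},
    "carol": {"cloudshark-users", "engineering"},
}


def effective_groups(user):
    """Return {local_group: source}; source is 'local', 'external' or 'both'."""
    result = {}
    for group in sorted(set(EXTERNAL_GROUPS) | set(LOCAL_MEMBERS)):
        local = user in LOCAL_MEMBERS.get(group, set())
        # Assumption: external group names are matched as exact strings.
        mapped = EXTERNAL_GROUPS.get(group, set())
        external = bool(IDP_GROUPS.get(user, set()) & mapped)
        if local and external:
            result[group] = "both"
        elif local or external:
            result[group] = "local" if local else "external"
    return result


def admin_grants(admin_group="Admin"):
    """List (user, source) for every account that lands in the admin group."""
    users = set(IDP_GROUPS) | set().union(*LOCAL_MEMBERS.values())
    return sorted((u, g[admin_group]) for u in users
                  if admin_group in (g := effective_groups(u)))


if __name__ == "__main__":
    for user, source in admin_grants():
        print(f"{user}: Admin via {source}")
```

The `source` value separates privileges that come from the external authentication system from those assigned in the local groups interface, so each can be reviewed where it is managed.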