Authentication

Configure user authentication methods for Code Ocean VPC

Overview

The Authentication configuration page allows administrators to configure user access control for the Code Ocean VPC instance. Code Ocean VPC supports three authentication methods that can be used independently or in combination to meet your organization's security requirements.

Built-in authentication

Built-in authentication uses username and password authentication and is enabled by default on new installations. Users can only register through admin-generated signup links, providing controlled access to the system. This method is recommended for organizations without existing identity providers or when providing access to external users outside the organization's domain.

SAML Single Sign-On (SAML SSO)

SAML SSO implements Security Assertion Markup Language 2.0 for authentication and supports Identity Provider (IdP) initiated SSO. This authentication method can be seamlessly integrated into organization portals to provide streamlined user access. SAML SSO is recommended for organizations that have SAML-compliant identity providers already in place.

OpenID Connect (OIDC)

OpenID Connect is an identity layer built on the OAuth 2.0 authorization framework. This method is compatible with contemporary identity providers and is recommended for organizations that use OAuth 2.0-based identity systems.

Security Considerations

Hybrid Configuration: Built-in authentication can remain enabled alongside external identity providers (SAML or OIDC) to accommodate users outside your organization's domain.

Configuration Procedures

Configuring SAML SSO

Step 1: Select Authentication Method

  1. Navigate to the Admin Panel

  2. Select Authentication from the navigation menu

  3. Select SAML SSO to open the configuration form

Step 2: (Optional) Enable built-in authentication

Determine whether to maintain built-in authentication alongside SAML SSO:

  • Disable built-in authentication: Enforces exclusive use of SAML SSO (recommended for security)

  • Enable built-in authentication: Allows both SAML and username/password authentication

Step 3: Configure your Identity Provider

Use the provided Assertion Consumer Service (ACS) URL and Entity ID to configure your SAML identity provider.

Step 4: Configure Identity Provider Settings

Obtain the following information from your SAML identity provider and enter it in the Code Ocean configuration:

  • Single Sign-on URL: The SAML SSO endpoint from your identity provider

  • Entity ID: Your identity provider's entity identifier

  • X.509 Certificate: The signing certificate from your identity provider

Enable Configuration

  1. Review all configuration settings

  2. Click Enable to activate SAML SSO authentication

Configuring OpenID Connect (OIDC)

Step 1: Select Authentication Method

  1. Navigate to the Admin Panel

  2. Select Authentication from the navigation menu

  3. Select OpenID Connect (OIDC) to open the configuration form

  4. Choose either Google or other OIDC Provider (e.g. Okta)

Step 2: (Optional) Enable built-in authentication

Determine whether to maintain built-in authentication alongside OIDC:

  • Disable built-in authentication: Enforces exclusive use of OIDC (recommended for security)

  • Enable built-in authentication: Allows both OIDC and username/password authentication

Step 3: Configure your Identity Provider

Use the provided Authorized JavaScript Origins URL and Authorized Redirect URIs to configure your OIDC identity provider.

Step 4: Configure Identity Provider Settings

Obtain the following OAuth2 client information from your OIDC identity provider and enter it in the Code Ocean configuration:

  • Client ID

  • Client Secret

If you selected other OIDC Provider in Step 1, please also provide the following:

  • Issuer (e.g. your Okta domain URL)

  • Scopes (e.g. "openid email profile")

Enable Configuration

  1. Review all configuration settings

  2. Click Enable to activate OIDC authentication
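
A pre-flight check for the Issuer and Scopes values from Step 4, as an added example that is not Code Ocean's own code: it compares them against the identity provider's discovery document before you click Enable. The function name, the idp.example.com host and the embedded discovery document are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Constructed sample of an IdP discovery document (the JSON served at
# <issuer>/.well-known/openid-configuration); idp.example.com is a placeholder.
SAMPLE_DISCOVERY = json.loads("""{
  "issuer": "https://idp.example.com",
  "authorization_endpoint": "https://idp.example.com/oauth2/v1/authorize",
  "token_endpoint": "https://idp.example.com/oauth2/v1/token",
  "jwks_uri": "https://idp.example.com/oauth2/v1/keys",
  "scopes_supported": ["openid", "email", "profile", "groups"]
}""")

ENDPOINT_KEYS = ("authorization_endpoint", "token_endpoint", "jwks_uri")


def check_oidc_settings(issuer, scopes, discovery):
    """Return a list of problems with the Issuer and Scopes values (hypothetical helper)."""
    problems = []
    parts = urlsplit(issuer)
    if parts.scheme != "https" or not parts.netloc:
        problems.append("issuer must be an https URL")
    if parts.query or parts.fragment:
        problems.append("issuer must not contain a query or fragment")
    # OIDC Discovery requires the advertised issuer to match the configured
    # one exactly, so a trailing slash or a different host is a mismatch.
    if discovery.get("issuer") != issuer:
        problems.append(f"issuer mismatch: IdP advertises {discovery.get('issuer')!r}")
    for key in ENDPOINT_KEYS:
        if urlsplit(discovery.get(key, "")).scheme != "https":
            problems.append(f"{key} is missing or not https")
    requested = scopes.split()
    if "openid" not in requested:
        problems.append("scopes must include 'openid'")
    # scopes_supported is optional in the discovery document; compare only when present.
    supported = discovery.get("scopes_supported")
    if supported is not None:
        for scope in requested:
            if scope not in supported:
                problems.append(f"scope {scope!r} is not advertised by the IdP")
    return problems


if __name__ == "__main__":
    result = check_oidc_settings("https://idp.example.com", "openid email profile", SAMPLE_DISCOVERY)
    print("\n".join(result) if result else "ok")
```

To check a real provider, load the JSON from its discovery URL in place of the constructed sample.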

Managing Authentication Methods

Switching Authentication Methods

To change the active authentication method:

  1. Navigate to the Authentication configuration page

  2. Select the desired authentication method

  3. If the method is already configured, review the settings (sensitive values like Client Secret will be masked)

  4. Click Enable to activate the selected method

Reverting to Built-in Authentication

To disable external authentication and return to built-in authentication only:

  1. Select Built-in authentication in Step 1

  2. Confirm the operation
