# Authentication

## Overview

The Authentication page is where you set up user access to the server. Three types of authentication are supported:

1. Built-in authentication (username + password)
2. SAML SSO
3. Google OpenID Connect (OIDC) / Google OAuth2

### Built-in authentication

Built-in authentication is enabled by default. In this configuration, a new user can only sign up to the VPC via the signup links provided by the admins. This allows admin control over who can sign up to the Code Ocean VPC.

### SAML SSO and Google OpenID Connect (OIDC)

These two authentication methods allow an admin to use the client's existing identity provider to simplify sign-in to Code Ocean.

When configuring Google OIDC or SAML SSO, an admin can disable the built-in authentication method to require signups through the client's own identity provider. This is considered a security best practice.

An admin can allow built-in authentication when using an identity provider to enable logins for users outside the client's company domain.

Code Ocean VPC supports Identity Provider (IdP) initiated SAML SSO. This allows an admin to add Code Ocean as an application in their organization portal for quick discovery and access by users.

## Create New Configuration Authentication <a href="#configuration" id="configuration"></a>

### Step 1: Choose your preferred authentication method <a href="#step-1-choose-your-preferred-authentication-method" id="step-1-choose-your-preferred-authentication-method"></a>

In the Admin Panel, you can view the three options with the Built-in authentication checked as the default option.

![](https://1199874068-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F7heVgliptKN92NOai4Oz%2Fuploads%2FuXHjeHCjt0aEKqmFn0kY%2FAuthentication.jpeg?alt=media\&token=6083afab-10a6-49b2-86a7-6c073a8de88d)

Select SAML SSO or OIDC to open the configuration form.

{% hint style="info" %}
Once you choose SAML SSO or OIDC, the configuration form will appear with the steps for you to follow.
{% endhint %}

### Step 2: Enable built-in authentication in addition to this provider. <a href="#step-2-enable-built-in-authentication-in-addition-to-this-provider" id="step-2-enable-built-in-authentication-in-addition-to-this-provider"></a>

You can decide if you want to enable the built-in authentication or not.

<div align="left"><img src="https://1199874068-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F7heVgliptKN92NOai4Oz%2Fuploads%2FsjqSCrTgItJwr5RvloLT%2FAuthentication%20Google.jpeg?alt=media&#x26;token=f3ea7bfe-e5e5-4aac-a25d-d7d4d3079906" alt=""></div>

### Step 3: SAML Assertion Consumer Service URL / OAuth2 callback URL

This step shows the information you need to provide in the identity provider's configuration pages. You can copy the values from the form.

{% tabs %}
{% tab title="SAML SSO" %}
You need to provide:

* ACS URL
* Entity ID

![](https://1199874068-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F7heVgliptKN92NOai4Oz%2Fuploads%2FMs0ar1Z84jRrUzbVX1GM%2FAuthentication%20SAML.jpeg?alt=media\&token=8fee1ec7-0f74-40a0-a672-eec1b24fb4c6)
{% endtab %}

{% tab title="Google OAuth2" %}
You need to provide:

* Authorized JavaScript origins
* Authorized Redirect URIs

![](https://1199874068-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MO74Ph1wHV3oYY-yd18%2F-MfDWb8jcnQmUfsstKJU%2F-MfD_4gmLxRb3GSiwncE%2Fimage11.png?alt=media\&token=8c778337-bda5-4c23-9806-8c5f114aff72)

**Configuring Google OAuth2**

1\. Go to [Google Cloud Platform](https://console.cloud.google.com/apis/credentials?project=private-cloud-deployment\&pli=1) and click the **Create Credentials** button

![](https://1199874068-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MO74Ph1wHV3oYY-yd18%2F-MfDWb8jcnQmUfsstKJU%2F-MfD_E_8ynil3_hP1oiO%2Fimage2.png?alt=media\&token=a11e9474-10d4-46ab-a342-d9b4d81a864c)

2\. Choose OAuth client ID

![](https://1199874068-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MO74Ph1wHV3oYY-yd18%2F-MfDWb8jcnQmUfsstKJU%2F-MfD_IUvGvjvhDwdTYRH%2Fimage5.png?alt=media\&token=feffef9c-af07-4fc3-a31b-128e0abc8064)

3\. Under application type select **Web application**

![](https://1199874068-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MO74Ph1wHV3oYY-yd18%2F-MfDWb8jcnQmUfsstKJU%2F-MfD_MpYXRKpwF7DJ4lU%2Fimage6.png?alt=media\&token=e14596f9-e766-483d-bc52-5177f38a2e44)

4\. Provide `Authorized JavaScript origins` and `Authorized Redirect URIs`

* Under “Authorized JavaScript origins” click the “ADD URI” button
* Under “Authorized redirect URIs” click the “ADD URI” button

![](https://1199874068-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MO74Ph1wHV3oYY-yd18%2F-MfDWb8jcnQmUfsstKJU%2F-MfD_SlrR4jn4_2J0EHB%2Fimage7.png?alt=media\&token=b68a8c0c-339d-4a46-9b4c-1026f4d12230)

5\. Click the **Create** button at the bottom of the page
{% endtab %}
{% endtabs %}

### Step 4: Provide the following information from your identity provider

The values to enter in Step 4 are found on the identity provider’s configuration pages.

{% tabs %}
{% tab title="SAML SSO" %}
You need to find the following fields on the identity provider's configuration pages:

* Single Sign-on URL
* Entity ID
* X.509 Certificate

{% endtab %}

{% tab title="Google OAuth2" %}
After the OAuth2 client is created, copy the text from the `Your Client ID` and `Your Client Secret` text boxes to their respective fields (Client ID and Client Secret) in Step 4 of the admin dashboard.

![](https://1199874068-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F7heVgliptKN92NOai4Oz%2Fuploads%2FxuQD1ZKDbPQ6gCuh1CZq%2FStep%204%20Client%20ID%20and%20Secret.jpeg?alt=media\&token=031ef54c-ffb4-4d27-b868-141c5b3a211e)
{% endtab %}
{% endtabs %}

### Enable the Configuration

Once all the steps are complete, click **Enable** at the bottom of the form to set the new Authentication method.

## Switching Configuration Authentication

When you enter the Authentication page, the current authentication method is checked. To switch to a different method, select that method to bring up the configuration form.

Click **Enable** at the bottom of the form to change the authentication setting.

{% hint style="info" %}
If that method is not configured, follow the above steps to set up the configuration.

If the method is configured, some fields will not display their values for security reasons, for example OpenID's Client Secret.
{% endhint %}

{% hint style="warning" %}
To switch back to Built-in authentication and disable the other two methods, click **Built-in authentication** in Step 1, then click **Enable Built-in Authentication** in Step 2.

This will clear the existing configuration and reset it to the default built-in authentication method.
{% endhint %}
