Automate SSO configuration for your Ceph dashboard in Koor storage

The Ceph dashboard offers a lot of functionality, from giving a concise overview of the cluster’s state to managing block storage, filesystem volumes, and object storage buckets easily.

Ceph MGR Dashboard - Overview

It is a powerful tool that needs to be handled with caution. Not a problem for the Ceph dashboard! It contains “system roles” and you can even create custom roles for most of the Ceph dashboard functionality on a very granular level. A role’s access to functionality is scoped, meaning that you can restrict it to any combination of read, create, update, and delete. That lets you be very specific if the default system roles are too open for your environment. To learn more about the Ceph dashboard’s user roles and permissions system, see the Ceph dashboard documentation.

In the Rook Ceph operator, enabling the dashboard is as easy as setting the .spec.dashboard.enabled field to true! Currently, only one admin account is created with a secure password stored in a Kubernetes secret by default.

We wanted to make the existing Ceph dashboard Single Sign-On (SSO) feature more convenient to use in Kubernetes, so we added the dashboard’s SSO configuration to the Koor Storage Distribution. You might be wondering: what is SSO, and why is it such a great addition to have automatically configured through existing GitOps flows?

Single sign-on is an authentication scheme that allows a user to log in with a single ID to any of several related, yet independent, software systems. True single sign-on allows the user to log in once and access services without re-entering authentication factors.

Single sign-on - Wikipedia

To translate this to a typical workday, you would log in once to your laptop with your account and every company application and web service would automatically know that it is you. With this feature, you can just add your SSO details to your existing CephCluster and have the operator automatically take care of the configuration.

Requirements for your cluster and infrastructure:

  • You need to be running a Koor Storage Distribution cluster on the latest version.
  • You need to have an existing SAML2 identity provider (IdP) running (e.g., Keycloak, Authentiq).

We’ll be using Keycloak (tested with 19.0.2) for this example. We are going to assume your Ceph dashboard is currently exposed via Kubernetes Ingress on and your Keycloak is running at (with a realm called myrealm).

Keycloak Client Details:

  • Protocol: SAML2
  • Client ID:
  • Name: E.g., Ceph Dashboard
  • Settings tab
    • Root URL: (without a slash at the end)
    • Valid redirect URIs: /*
    • Force POST binding: On.
    • Sign documents: On.
    • Front channel logout: On.
  • Keys tab
    • Signing keys config -> Client signature required: Off.
  • Client Scopes tab
    • Remove the default role_list scope.
    • Click on the Dedicated scope and mappers for this client and add a new AttributeStatement Mapper called, e.g., username.
      • Property: username
      • Friendly name: E.g., Username.
      • SAML Attribute name: username
        • This value must match the idpAttributes.username field in the SSO spec of the CephCluster object.
  • Advanced tab
    • Assertion Consumer Service POST Binding URL:
    • Assertion Consumer Service Redirect Binding URL:
    • Logout Service POST Binding URL:

Now that we have the SAML2 client configured in Keycloak or your IdP of choice, we need to add these details to your CephCluster object:

    spec:
      dashboard:
        enabled: true
        # The new SSO section
        sso:
          enabled: true
          baseUrl: ""
          #entityID: "<idp_entity_id>" # optional
          idpMetadataUrl: ""
          idpAttributes:
            username: "username"
          users:
            - username: your_username
              roles:
                - administrator
            # You can have more than one user entry
            #- username: second_username
            #  roles:
            #  - rgw-manager

Each of the fields needs to be set as follows:

  • enabled - Set to true to enable the dashboard SSO configuration.
  • baseUrl - The external address your dashboard is exposed on, e.g., if you have an Ingress exposing the dashboard, this would be the whole URL (without a trailing slash).
  • entityID - Optional. Use this when you have more than one entity ID in your IdP metadata.
  • idpMetadataUrl - The URL of your IdP’s metadata file; in Keycloak you can find it under the Realm Settings -> General tab -> SAML 2.0 Identity Provider Metadata link.
  • idpAttributes.username - The SAML2 attribute name containing the user’s username (optional, defaults to uid).
  • users - List of users to create and which system roles to give them. You can also specify your custom roles, but you need to have made them already.
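
A pre-apply check for the field rules above, as an added example (not part of the original post or of Koor's code): it takes the SSO section as a dict parsed from your YAML plus the IdP metadata XML and reports violations. The function names, the constructed sample metadata with its example.test URLs, and the signing-key check (inferred from "Sign documents: On") are assumptions of this example.

```python
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"

# Constructed, trimmed sample IdP metadata (two entities, so entityID is required).
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:EntityDescriptor entityID="https://idp.example.test/realms/myrealm">
    <md:IDPSSODescriptor><md:KeyDescriptor use="signing"/></md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.example.test/realms/other">
    <md:IDPSSODescriptor/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def idp_entities(metadata_xml):
    """Map each entityID in the metadata to whether it publishes a signing key."""
    root = ET.fromstring(metadata_xml)
    found = {}
    for ent in root.iter(MD + "EntityDescriptor"):
        keys = ent.findall(f"{MD}IDPSSODescriptor/{MD}KeyDescriptor")
        # A KeyDescriptor without "use" is valid for signing and encryption.
        found[ent.get("entityID")] = any(k.get("use", "signing") == "signing" for k in keys)
    return found


def preflight(sso, metadata_xml):
    """Return a list of problems with an SSO section (a dict parsed from YAML)."""
    problems = []
    entities = idp_entities(metadata_xml)
    if not sso.get("baseUrl") or sso["baseUrl"].endswith("/"):
        problems.append("baseUrl must be set and must not end with a slash")
    entity_id = sso.get("entityID")
    if len(entities) > 1 and not entity_id:
        problems.append("metadata has several entity IDs; set entityID")
    if entity_id and entity_id not in entities:
        problems.append("entityID is not present in the IdP metadata")
    chosen = entity_id if entity_id else next(iter(entities), None)
    if chosen in entities and not entities[chosen]:
        problems.append("selected IdP entity publishes no signing key")
    for user in sso.get("users") or []:
        if not user.get("roles"):
            problems.append(f"user {user.get('username')} has no roles")
    if not sso.get("users"):
        problems.append("no users listed; SSO users must be created before they can log in")
    return problems
```

When the metadata is fetched from a source you do not fully trust, parse it with defusedxml rather than the standard-library parser.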

After adding this to your CephCluster object, wait a minute or two for the operator to complete a reconciliation loop. Now you should be auto-redirected to your IdP when accessing the Ceph dashboard.

As the SSO feature is currently implemented, users must be created before they can log in to the dashboard. Manual creation of users is currently required as a security feature, though we are looking to work with the community on a secure way to make SSO even easier.

To summarize, the Koor Storage Distribution now allows configuring the Ceph dashboard Single Sign-On via your CephCluster CRD, which means one more thing is automated and doesn’t need to be manually configured in your Ceph Cluster.

If you have any questions regarding Rook, Ceph or Koor, be sure to check out our bi-weekly Koor office hours. For more information and the meeting schedule, please refer to the readme file in the Koor GitHub project. If you wanna learn more about the Koor Storage Distribution product, be sure to reach out to us via email or social media channels.

Thanks for reading!

Alexander Trost March 09, 2023