
Introducing Single Sign-on for Hasura Console

Hasura Console is a powerful tool: it controls metadata and data sources. “With great power comes great responsibility.” The default admin-secret authentication is not secure enough on its own, because:

  • A single secret has to be shared with every team member, so access can be neither revoked for one person nor attributed to one person.
  • A secret strong enough to resist guessing is long and hard to remember.
  • If your backend has many projects, managing the individual secrets of each Hasura instance is a nightmare.

To help development teams strengthen security and gain flexibility in how they access the Hasura Console, we're excited to announce Single Sign-on (SSO) for Hasura Console. You can integrate your existing SSO identity providers (IdPs) with Hasura GraphQL Engine to authenticate Console users. The feature is available in Hasura Enterprise Edition (EE); Hasura Cloud customers already have SSO via SAML.

Enable SSO for Enterprise Edition

Hasura Enterprise Edition supports OAuth 2.0 with OpenID Connect (OIDC) as a Single Sign-On (SSO) solution, with no additional tooling or services. OAuth 2.0 is an industry-standard protocol for secure, delegated access to protected resources; OIDC adds the signed ID token that Hasura verifies to identify the user.

Authorization Flow

  1. First, Hasura is configured with the Identity Provider's (IdP) endpoints and with the material needed to verify its tokens. If the IdP publishes a JSON Web Key Set (JWKS) at a URL, the server fetches the verification keys from it on startup.
  2. When the user clicks the SSO login button, the Console starts an Authorization Code flow with the IdP.
  3. On successful authorization, the IdP issues a JWT ID token to the Console. The token must carry the admin role, or one of the roles configured as equivalent to it.
  4. The Console then sends this JWT with its Metadata and GraphQL API calls, and the engine verifies the signature and the role before serving them.

Configuration

Set the --sso-providers argument (or the HASURA_GRAPHQL_SSO_PROVIDERS environment variable) to a JSON array of SSO provider objects:

[
 {
   "client_id": "<client-id-from-idp>",
   "name": "<display-name>",
   "scope": "openid",
   "authorization_url": "<login-url>",
   "request_token_url": "<request-token-url>",
   "admin_roles": ["admin"],
   "jwt_secret": {
     "type": "RS256",
     "jwk_url": "https://...",
     "issuer": "myapp"
   }
 }
]

  • client_id: Client ID of the application registered with the identity provider.
  • name: Display name of the SSO button on the Hasura Console login page.
  • scope: The OAuth scope. It must contain openid so that the identity provider returns a JWT id_token from the token endpoint.
  • authorization_url: The IdP authorization URL the browser is redirected to from the Console.
  • request_token_url: The IdP token URL the Console uses to exchange the authorization code for the ID token.
  • admin_roles: By default, the token issued by the IdP must carry the admin role for Console access to be granted. If the admin role is already used for something else in your setup, set this array of strings to the roles that should be treated as admin.
  • jwt_secret: The JWT secret the server uses to verify the token signature. It follows the JWT secret configuration; in the example above that is RS256 with keys fetched from jwk_url and an expected issuer.
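The following Go program is an added example, not code from this page or from Hasura's own implementation. It exercises the token-handling half of the flow above (steps 1, 3 and 4) against the configuration just described: a constructed stand-in IdP publishes an RSA key the way jwk_url would and issues an RS256 ID token, and an engine-side verifier pins the algorithm, selects the key by kid, checks the signature, and only then enforces issuer, audience (client_id), expiry and admin_roles. The https://hasura.io/jwt/claims namespace with x-hasura-default-role, the key id demo-key-1, the issuer https://idp.example.com and the client ID hasura-console are assumptions made for the example; the real engine's claim handling follows its JWT secret configuration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// JWK holds the fields the engine reads from the document served at jwk_url; JWKS is that document.
type JWK struct{ Kty, Kid, N, E string }
type JWKS struct{ Keys []JWK }
var b64 = base64.RawURLEncoding

// PublishJWKS renders a public key the way the IdP serves it at jwk_url (a constructed stand-in, not a real IdP).
func PublishJWKS(pub *rsa.PublicKey, kid string) JWKS {
	e := b64.EncodeToString(big.NewInt(int64(pub.E)).Bytes())
	return JWKS{Keys: []JWK{{Kty: "RSA", Kid: kid, N: b64.EncodeToString(pub.N.Bytes()), E: e}}}
}

// IssueIDToken plays the IdP token endpoint (request_token_url): an RS256 ID token for clientID whose role sits under https://hasura.io/jwt/claims (an assumption here, matching Hasura's JWT mode).
func IssueIDToken(priv *rsa.PrivateKey, kid, issuer, clientID, role string, exp time.Time) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(map[string]any{
		"iss": issuer, "aud": clientID, "sub": "alice", "exp": exp.Unix(),
		"https://hasura.io/jwt/claims": map[string]any{"x-hasura-allowed-roles": []string{role}, "x-hasura-default-role": role},
	})
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	h := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// VerifyIDToken is the engine-side check before a Console session is trusted: pin the algorithm, select the JWKS key by kid, verify the signature, and only then read iss, aud, exp and the role.
func VerifyIDToken(token string, jwks JWKS, issuer, clientID string, adminRoles []string, now time.Time) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", fmt.Errorf("malformed token")
	}
	var hdr struct{ Alg, Kid string }
	if raw, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil {
		return "", fmt.Errorf("bad header")
	}
	if hdr.Alg != "RS256" { // the token never chooses the algorithm (alg=none, HS256 key confusion)
		return "", fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	var pub *rsa.PublicKey
	for _, k := range jwks.Keys { // the JWKS came from the configured jwk_url, so its encoding is trusted
		if k.Kty == "RSA" && k.Kid == hdr.Kid {
			n, _ := b64.DecodeString(k.N)
			e, _ := b64.DecodeString(k.E)
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	if pub == nil {
		return "", fmt.Errorf("no RSA key in JWKS matches kid %q", hdr.Kid)
	}
	sig, _ := b64.DecodeString(parts[2]) // a truncated or garbled signature simply fails to verify
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) != nil {
		return "", fmt.Errorf("signature verification failed")
	}
	var claims struct { // aud may also be an array (RFC 7519); a single-client IdP sends a string
		Iss    string `json:"iss"`
		Aud    string `json:"aud"`
		Exp    int64  `json:"exp"`
		Hasura struct {
			DefaultRole string `json:"x-hasura-default-role"`
		} `json:"https://hasura.io/jwt/claims"`
	}
	if raw, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &claims) != nil {
		return "", fmt.Errorf("bad payload")
	}
	if claims.Iss != issuer || claims.Aud != clientID || claims.Exp == 0 || now.Unix() >= claims.Exp {
		return "", fmt.Errorf("iss/aud/exp check failed: iss=%q aud=%q exp=%d", claims.Iss, claims.Aud, claims.Exp)
	}
	for _, r := range adminRoles { // admin_roles from the provider config; defaults to ["admin"]
		if r == claims.Hasura.DefaultRole {
			return r, nil
		}
	}
	return "", fmt.Errorf("role %q is not in admin_roles", claims.Hasura.DefaultRole)
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	tok, _ := IssueIDToken(priv, "demo-key-1", "https://idp.example.com", "hasura-console", "admin", time.Now().Add(5*time.Minute))
	fmt.Println(VerifyIDToken(tok, PublishJWKS(&priv.PublicKey, "demo-key-1"), "https://idp.example.com", "hasura-console", []string{"admin"}, time.Now()))
}
```

The order of checks is the point: the alg header is pinned and the signature verified before any claim is read, so a token with alg rewritten to none, one signed by a key that is not in the JWKS, or one whose payload was edited never reaches the role comparison. The admin_roles slice is what lets a deployment that already uses admin for something else map, say, console-admin to Console access.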

Other protocols

For other protocols, such as LDAP or SAML, you can use any OpenID Connect compliant middleware service such as Dex that acts as a portal to other identity providers. Hasura talks to the middleware to authorize and verify signatures without caring about how the middleware handles external providers. Dex supports SAML 2.0, LDAP protocols, as well as identity providers like GitHub, Google, and Active Directory.

SSO middleware authentication flow

The authorization flow is the same OAuth / OpenID Connect flow as above, with one extra step: the middleware in turn authenticates the user against the external IdP before issuing its own ID token to the Console.

Read more about the integration and integration guides for popular providers at Hasura Docs or get started with the SSO Demo repository.

SSO on Hasura Cloud

Hasura Cloud Enterprise supports SSO integration with your identity management system through SAML 2.0 protocol. Hasura is a SAML 2.0-compliant service provider.

To enable SSO integration with your Identity provider, you need to:

  • Create a new service provider (SP) on your SAML IdP with both the ACS URL and the SP entity ID set to https://auth.pro.hasura.io/saml/callback.
  • Provide the service provider details and metadata to Hasura support, who configure SAML SSO for you. Read more about the configuration details at Hasura Docs.
Hasura Cloud Login Page

Verdict

Single Sign-on is the security standard for large teams and enterprise organizations today. It spares team members the common password mistakes, which matters most for powerful tools such as Hasura Console.

Both Hasura Cloud and Enterprise Edition support SSO with simple configuration. If you are using Hasura Core and are interested in the feature, register for a 30-day free Enterprise Trial or get started with some Hasura Cloud projects.

If you have feedback or questions about this feature, join the Hasura engineers and community on our Discord or GitHub Discussions.

Blog
24 Aug, 2023