FactoryFactory
Enterprise

Authentication

This document explains how to configure and manage authentication in the ManufactAI Factory application. Proper authentication setup is crucial for system security.

Authentication Methods

ManufactAI Factory supports two primary authentication methods:

  1. Email/Password Authentication - The default method using local user accounts
  2. Single Sign-On (SSO) - Integration with external identity providers via OpenID Connect

Both methods can be used simultaneously, or you can configure the system to use only SSO if required by your security policies.

Email/Password Authentication

Configuration

Email/password authentication is enabled by default and requires a valid SMTP configuration to handle user registration, password reset, and notification emails.

Required environment variables for the Factory API container:

- SMTP_HOST=smtp.yourdomain.com
- SMTP_PORT=587
- SMTP_USER=your-smtp-username
- SMTP_PASSWORD=your-smtp-password
- SMTP_MAIL=noreply@yourdomain.com

User Management

With email/password authentication:

  1. User Registration:

    • Users can self-register by providing their email address
    • A verification email is sent to confirm their email address
    • After verification, users can set a password and access the system

  2. Password Reset:

    • Users can request a password reset via the login page
    • A password reset link is sent to their email address
    • The link is valid for a limited time (24 hours by default)

Security Considerations

  • Enforce strong password policies (min. 8 characters with complexity requirements)
  • Use TLS for SMTP communication to protect credentials
  • Regularly audit user accounts and remove unused accounts

Single Sign-On (SSO) Authentication

ManufactAI Factory supports SSO via OpenID Connect (OIDC) compatible identity providers such as Keycloak, Google, Microsoft Azure AD, and others.

General SSO Configuration

To enable SSO, set the following environment variables:

- SSO_ENABLED=true
- SSO_DISABLE_EMAIL_LOGIN=false # Set to true to disable email/password login completely

Configuring Keycloak as SSO Provider

Below is a step-by-step guide for setting up Keycloak as an SSO provider.

1. Configure Keycloak

  1. Create a new Realm in your Keycloak server (if you don't already have one)

  2. Create a new Client for the Factory application:

    • Client ID: factory (use the same value for the SSO_PROVIDER_KEYCLOAK_CLIENT_ID environment variable)
    • Client Protocol: openid-connect
    • Access Type: confidential
    • Valid Redirect URIs: https://your-factory-domain.com/api/1/auth/callback/keycloak

  3. Configure Client Scopes:

    • Make sure your client includes scopes for: openid, profile, email

  4. Get Client Credentials:

    • Go to the Credentials tab for your client to get the Client Secret
    • Use this value for the SSO_PROVIDER_KEYCLOAK_CLIENT_SECRET environment variable

  5. Configure OpenID Connect Discovery URL:

    • The format is typically: https://your-keycloak-server/realms/your-realm/.well-known/openid-configuration
    • Use this URL for the SSO_PROVIDER_KEYCLOAK_DISCOVERY_URL environment variable

2. Configure Factory API

Add the following environment variables to your Factory API container:

# Master switch to enable SSO
- SSO_ENABLED=true
 
# Keycloak configuration
- SSO_PROVIDER_KEYCLOAK_NAME=Keycloak
- SSO_PROVIDER_KEYCLOAK_CLIENT_ID=factory
- SSO_PROVIDER_KEYCLOAK_CLIENT_SECRET=your-client-secret-from-keycloak
- SSO_PROVIDER_KEYCLOAK_DISCOVERY_URL=https://keycloak.example.com/realms/yourcompany/.well-known/openid-configuration
- SSO_PROVIDER_KEYCLOAK_ICON=SiKeycloak
 
# Optional: Disable email/password login entirely
- SSO_DISABLE_EMAIL_LOGIN=false

Configuring Google as SSO Provider

You can also configure Google as an SSO provider:

1. Create Google OAuth Credentials

  1. Go to the Google Cloud Console
  2. Navigate to "APIs & Services" > "Credentials"
  3. Create an OAuth 2.0 Client ID
  4. Configure the authorized redirect URI: https://your-factory-domain.com/api/1/auth/callback/google
  5. Note your Client ID and Client Secret

2. Configure Factory API

Add the following environment variables to your Factory API container:

# Google configuration
- SSO_PROVIDER_GOOGLE_NAME=Google
- SSO_PROVIDER_GOOGLE_CLIENT_ID=your-google-client-id
- SSO_PROVIDER_GOOGLE_CLIENT_SECRET=your-google-client-secret
- SSO_PROVIDER_GOOGLE_DISCOVERY_URL=https://accounts.google.com/.well-known/openid-configuration
- SSO_PROVIDER_GOOGLE_ICON=FaGoogle

Multi-Provider Configuration

You can configure multiple SSO providers simultaneously. Users will see login buttons for each configured provider on the login screen.

# Enable SSO
- SSO_ENABLED=true
 
# Keycloak configuration
- SSO_PROVIDER_KEYCLOAK_NAME=Company SSO
- SSO_PROVIDER_KEYCLOAK_CLIENT_ID=factory
- SSO_PROVIDER_KEYCLOAK_CLIENT_SECRET=your-client-secret-from-keycloak
- SSO_PROVIDER_KEYCLOAK_DISCOVERY_URL=https://keycloak.example.com/realms/yourcompany/.well-known/openid-configuration
- SSO_PROVIDER_KEYCLOAK_ICON=SiKeycloak
 
# Google configuration
- SSO_PROVIDER_GOOGLE_NAME=Google
- SSO_PROVIDER_GOOGLE_CLIENT_ID=your-google-client-id
- SSO_PROVIDER_GOOGLE_CLIENT_SECRET=your-google-client-secret
- SSO_PROVIDER_GOOGLE_DISCOVERY_URL=https://accounts.google.com/.well-known/openid-configuration
- SSO_PROVIDER_GOOGLE_ICON=FaGoogle

User Provisioning with SSO

When users authenticate with SSO for the first time, their accounts are automatically created in Factory with basic information (email, name) obtained from the identity provider.

Troubleshooting

Common SSO Issues

  1. Redirect URI Mismatch

    • Error: "Invalid redirect URI"
    • Solution: Ensure the redirect URI configured in your identity provider exactly matches your Factory callback URL, including protocol (http/https) and any trailing slashes.

  2. Discovery URL Problems

    • Error: "Unable to fetch OpenID configuration"
    • Solution: Verify the discovery URL is accessible from the Factory API container. Check for network issues or firewall rules that might be blocking access.

  3. Authentication Fails

    • Error: "Authentication failed" or no error but redirection back to login page
    • Solution: Check client credentials and ensure the required scopes are correctly configured in your identity provider.

Email Authentication Issues

  1. SMTP Connection Failures

    • Error: "Failed to send email" or "SMTP connection failed"
    • Solution: Verify SMTP credentials and server settings. Ensure there are no network issues preventing connection to the SMTP server.

  2. Email Not Received

    • Issue: Users don't receive verification or password reset emails
    • Solution: Check spam folders, verify the email configuration, and ensure your SMTP provider is not rate-limiting or blocking your emails.

Security Best Practices

  1. Use HTTPS

    • Always use HTTPS for all communication between Factory, your identity providers, and users
    • This prevents credential theft and session hijacking

  2. Implement MFA

    • If using SSO, configure multi-factor authentication in your identity provider
    • This adds an additional layer of security beyond passwords

  3. Regular Audits

    • Regularly review user accounts and permissions
    • Remove accounts for users who no longer require access

Previous

Configuration

On this page