Guide on how to configure domain-specific authentication using the Middleware Manager

This guide will walk you through creating and assigning distinct forwardAuth middlewares for different domains, allowing you to direct authentication requests to the appropriate portal.


Guide: Implementing Domain-Specific Authentication

This guide addresses the challenge of handling SSO authentication for services spread across multiple, unrelated domains. The goal is to stop redirecting users from one domain to another for authentication and instead use a dedicated authentication portal for each domain.

We will achieve this by creating separate forwardAuth middlewares for each domain and assigning them to the corresponding resources.

The Strategy

The core of the solution is to override the default, global SSO behavior for specific resources. Instead of relying on a single, platform-wide authentication middleware, you will define multiple forwardAuth middlewares. Each middleware will point to the correct authentication URL for a specific domain.

  1. Create Domain-Specific Middlewares: You will create at least two forwardAuth middlewares.
    • One for domain1.com pointing to proxy.domain1.com.
    • Another for domain2.com pointing to proxy.domain2.com.
  2. Assign Middlewares to Resources: You will use the Middleware Manager UI to assign the correct middleware to each resource based on its domain.

Prerequisites

  • You have two or more separate authentication portals running (e.g., proxy.domain1.com and proxy.domain2.com). Middleware Manager will direct traffic to these portals but does not host the authentication service itself.
  • Your Middleware Manager is correctly configured to watch for resources from your data source (Pangolin or Traefik).

Step-by-Step Instructions

Step 1: Create the forwardAuth Middlewares

First, you need to define a unique forwardAuth middleware for each of your authentication portals.

  1. Navigate to Middlewares: From the main dashboard, go to the Middlewares page using the header navigation.

  2. Create Middleware for Domain 1:

    • Click the Create Middleware button.

    • Name: Auth via Domain1

    • Type: Select forwardAuth from the dropdown list.

    • Configuration: Enter the JSON configuration pointing to your first domain’s authentication service.

      {
        "address": "http://proxy.domain1.com/sso/auth",
        "trustForwardHeader": true,
        "authResponseHeaders": [
          "Remote-User",
          "Remote-Groups",
          "Remote-Name",
          "Remote-Email"
        ]
      }
      
    • Click Create Middleware to save it.

  3. Create Middleware for Domain 2:

    • Click Create Middleware again.

    • Name: Auth via Domain2

    • Type: forwardAuth

    • Configuration: Enter the JSON configuration pointing to your second domain’s authentication service.

      {
        "address": "http://proxy.domain2.com/sso/auth",
        "trustForwardHeader": true,
        "authResponseHeaders": [
          "Remote-User",
          "Remote-Groups",
          "Remote-Name",
          "Remote-Email"
        ]
      }
      
    • Click Create Middleware to save.

You will now have two distinct middleware definitions, each tailored for a specific authentication flow.

Step 2: Assign Middlewares to Your Resources

Next, assign the appropriate middleware to the resources on each domain.

  1. Navigate to Resources: Go to the Resources page from the header navigation.
  2. Select a Resource: Find a resource you want to secure with your new authentication, for example, a service on subdomain.domain2.com. Click Manage to go to its detail page.
  3. Assign the Middleware:
    • On the Resource Detail page, scroll down to the Attached Middlewares card.
    • Click the Add Middleware button.
    • In the modal, select the appropriate middleware (e.g., Auth via Domain2) from the list.
    • Set a Priority. A higher number (e.g., 150) helps ensure this middleware takes precedence over any default middlewares attached to the resource.
    • Click Assign Selected.
  4. Repeat for Other Resources: Repeat this process for all other resources, assigning Auth via Domain1 to services on domain1.com and Auth via Domain2 to services on domain2.com.

Step 3: Verification

Once Middleware Manager has generated the configuration, verify that the correct authentication flow is triggered for each domain.

  1. Check Traefik Dashboard: Open your Traefik dashboard and inspect the router associated with your resource (e.g., subdomain.domain2.com). Verify that the list of middlewares for that router includes Auth-via-Domain2@file. The @file suffix shows the middleware comes from Traefik's file provider, i.e. from the configuration generated by Middleware Manager, and is being correctly applied.
  2. Test the Authentication Flow:
    • Access a service on domain2.com (e.g., https://subdomain.domain2.com). You should be redirected to proxy.domain2.com for authentication.
    • Access a service on domain1.com. You should be redirected to proxy.domain1.com for authentication.
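
The two middleware definitions from Step 1, their per-domain assignment from Step 2, and the Step 3 check expressed as code, as an added Python example (this is not Middleware Manager's or Pangolin's own code). It assumes Traefik's file-provider layout, the middleware names Auth-via-Domain1 and Auth-via-Domain2 (the guide's "Auth via Domain1" with dashes, which is how they appear as Auth-via-Domain2@file), a registrable domain made of the last two labels, and a router listing shaped like Traefik's /api/http/routers output. The resource hosts and the mis-assigned router used for testing are constructed.

```python
"""Per-domain forwardAuth middlewares for Traefik, plus an audit of router assignments.

Added, illustrative example (not Middleware Manager's own code). It assumes a
Traefik file-provider layout, middleware names of the form "Auth-via-DomainN"
(the guide's "Auth via Domain1" with spaces replaced by dashes) and hosts whose
registrable domain is the last two labels (domain1.com, not co.uk-style suffixes).
"""
import json
import re
from urllib.parse import urlparse

# Authentication portals from the guide, keyed by the domain they serve.
AUTH_PORTALS = {
    "domain1.com": "http://proxy.domain1.com/sso/auth",
    "domain2.com": "http://proxy.domain2.com/sso/auth",
}

# Headers the guide copies from the auth response onto the backend request.
AUTH_RESPONSE_HEADERS = ["Remote-User", "Remote-Groups", "Remote-Name", "Remote-Email"]

HOST_RULE = re.compile(r"Host\(`([^`]+)`\)")


def registrable_domain(host: str) -> str:
    """Assumption: registrable domain = last two labels (no public-suffix handling)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def middleware_name(domain: str) -> str:
    """'domain1.com' -> 'Auth-via-Domain1' (assumed naming, mirrors the guide's 'Auth via Domain1')."""
    return f"Auth-via-{domain.split('.')[0].capitalize()}"


def forward_auth_middleware(address: str) -> dict:
    """The forwardAuth definition from Step 1, in the shape Traefik's file provider expects."""
    return {
        "forwardAuth": {
            "address": address,
            "trustForwardHeader": True,
            "authResponseHeaders": list(AUTH_RESPONSE_HEADERS),
        }
    }


def build_dynamic_config(resource_hosts: list[str], service: str = "noop@internal") -> dict:
    """Steps 1 and 2 together: one middleware per portal; each router gets the one for its own domain.

    A host whose domain has no portal raises ValueError instead of being left unauthenticated
    or silently sent to another domain's portal.
    """
    middlewares = {middleware_name(d): forward_auth_middleware(a) for d, a in AUTH_PORTALS.items()}
    routers = {}
    for host in resource_hosts:
        domain = registrable_domain(host)
        if domain not in AUTH_PORTALS:
            raise ValueError(f"no authentication portal configured for {host} ({domain})")
        routers[host.replace(".", "-")] = {
            "rule": f"Host(`{host}`)",
            "middlewares": [middleware_name(domain)],
            "service": service,  # placeholder; the real service comes from Pangolin/Traefik
        }
    return {"http": {"middlewares": middlewares, "routers": routers}}


def audit_routers(routers: dict, middlewares: dict) -> list[str]:
    """Step 3 as a check: every router must carry a forwardAuth whose portal is on the router's domain.

    `routers` follows Traefik's /api/http/routers shape (name -> {"rule", "middlewares"});
    `middlewares` is the file-provider middleware map, keyed without the '@file' suffix.
    Returns one finding per problem; an empty list means every assignment is consistent.
    """
    findings = []
    for name, router in routers.items():
        match = HOST_RULE.search(router.get("rule", ""))
        if not match:
            findings.append(f"{name}: no Host rule, cannot determine domain")
            continue
        domain = registrable_domain(match.group(1))
        addresses = []
        for mw in router.get("middlewares", []):
            spec = middlewares.get(mw.split("@")[0], {})
            if "forwardAuth" in spec:
                addresses.append(spec["forwardAuth"]["address"])
        if not addresses:
            findings.append(f"{name}: no forwardAuth middleware attached")
            continue
        for addr in addresses:
            portal_domain = registrable_domain(urlparse(addr).hostname or "")
            if portal_domain != domain:
                findings.append(f"{name}: forwardAuth {addr} redirects {domain} users to {portal_domain}")
    return findings


if __name__ == "__main__":
    cfg = build_dynamic_config(["subdomain.domain2.com", "app.domain1.com"])
    print(json.dumps(cfg, indent=2))
    print(audit_routers(cfg["http"]["routers"], cfg["http"]["middlewares"]))
```

The audit flags exactly the situation this guide exists to remove: a router on domain2.com whose only forwardAuth points at proxy.domain1.com. Two properties of the configuration itself are worth keeping in mind when reviewing the output: `trustForwardHeader: true` makes the portal trust the X-Forwarded-* headers Traefik sets, so it is appropriate only when Traefik is the sole entry point in front of the portal, and the `http://` address in the guide means the forwardAuth call itself is unencrypted, so that hop should stay on an internal network.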

By following these steps, you have successfully configured domain-specific authentication, providing a more intuitive and secure experience for your users.