SSO Authentication
Arcan supports three SSO protocols for authenticating users against external identity providers.
Supported Providers
| Protocol | Use Case | Supported Providers |
|---|---|---|
| OIDC | Modern web identity | Google, Okta, Azure AD (Entra ID), Auth0, Keycloak, custom |
| SAML | Enterprise federation | Okta SAML, Azure AD SAML, ADFS, OneLogin |
| LDAP | On-premise directories | Active Directory, OpenLDAP, FreeIPA |
All three can be configured via the interactive wizard or manually in `~/.arcan/config.yaml`.
Setup Wizard
The fastest way to configure SSO:
```bash
# Interactive — walks through provider selection, credentials, and testing
arcan auth setup

# Non-interactive OIDC
arcan auth setup --type oidc --name okta \
  --issuer https://mycompany.okta.com \
  --client-id 0oa1b2c3d4e5f6 \
  --client-secret "$SECRET"

# Non-interactive SAML
arcan auth setup --type saml --name corporate \
  --acs-url https://arcan.example.com/api/v1/auth/saml/corporate/acs \
  --metadata-url https://idp.example.com/saml/metadata

# Non-interactive LDAP
arcan auth setup --type ldap --name active-directory \
  --ldap-url ldaps://ldap.example.com:636 \
  --bind-dn "cn=arcan,ou=services,dc=example,dc=com" \
  --bind-password "$BIND_PW" \
  --base-dn "ou=users,dc=example,dc=com"
```
After setup, test the connection:
```bash
arcan auth test okta
arcan auth test active-directory --debug
```
Reload the server to apply changes without downtime:
```bash
kill -HUP $(pgrep arcan)
```
How Secrets Are Encrypted in Config
When using the wizard with a running Arcan server, secrets (OIDC client secrets, LDAP bind passwords) are encrypted via the `/encrypt` endpoint using the server's master key:
```yaml
client_secret: "arcan:v1:AES256GCM:base64-ciphertext-here"
```
At startup, the server decrypts these values. The config file can be safely committed to version control. If the server is not running during setup, the wizard falls back to environment variable references (`${ARCAN_OIDC_OKTA_SECRET}`).
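The envelope format above, worked through as an added example in Go. This is not Arcan's code: the payload layout inside the base64 (12-byte random nonce followed by the GCM ciphertext and tag) and the helper names `SealSecret` and `ResolveSecret` are assumptions of the example. It seals a value with AES-256-GCM under a 32-byte master key, then resolves config values in all three forms the page mentions (encrypted envelope, `${VAR}` reference, plain literal), failing closed when the key is wrong or the ciphertext was altered. Committing the config is only safe while the master key itself lives outside the repository, since anyone holding both can recover every secret.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"os"
	"regexp"
	"strings"
)

// envelopePrefix is the marker the docs show on encrypted config values.
const envelopePrefix = "arcan:v1:AES256GCM:"

// envRef matches the wizard's fallback form, e.g. ${ARCAN_OIDC_OKTA_SECRET}.
var envRef = regexp.MustCompile(`^\$\{([A-Za-z_][A-Za-z0-9_]*)\}$`)

func newAEAD(masterKey []byte) (cipher.AEAD, error) {
	if len(masterKey) != 32 {
		return nil, errors.New("master key must be exactly 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(masterKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealSecret wraps a plaintext secret in the envelope format. The payload
// layout (nonce || ciphertext+tag) is an assumption of this example.
func SealSecret(masterKey []byte, plaintext string) (string, error) {
	aead, err := newAEAD(masterKey)
	if err != nil {
		return "", err
	}
	// Fresh random nonce per value: GCM nonce reuse under one key breaks
	// both confidentiality and the integrity tag.
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	payload := aead.Seal(nonce, nonce, []byte(plaintext), nil)
	return envelopePrefix + base64.StdEncoding.EncodeToString(payload), nil
}

// ResolveSecret turns a config value into the usable secret: an encrypted
// envelope is decrypted and authenticated with the master key, a ${VAR}
// reference is read through lookupEnv, and any other value is a literal.
func ResolveSecret(masterKey []byte, value string, lookupEnv func(string) (string, bool)) (string, error) {
	switch {
	case strings.HasPrefix(value, envelopePrefix):
		raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(value, envelopePrefix))
		if err != nil {
			return "", fmt.Errorf("envelope is not valid base64: %w", err)
		}
		aead, err := newAEAD(masterKey)
		if err != nil {
			return "", err
		}
		if len(raw) < aead.NonceSize()+aead.Overhead() {
			return "", errors.New("envelope too short to hold nonce and tag")
		}
		nonce, ct := raw[:aead.NonceSize()], raw[aead.NonceSize():]
		pt, err := aead.Open(nil, nonce, ct, nil)
		if err != nil {
			// Open fails closed on a wrong key or any modified ciphertext byte.
			return "", errors.New("envelope authentication failed (wrong master key or tampered value)")
		}
		return string(pt), nil
	case strings.HasPrefix(value, "arcan:"):
		return "", errors.New("unrecognised secret envelope version")
	default:
		if m := envRef.FindStringSubmatch(value); m != nil {
			v, ok := lookupEnv(m[1])
			if !ok || v == "" {
				return "", fmt.Errorf("environment variable %s is not set", m[1])
			}
			return v, nil
		}
		return value, nil
	}
}

func main() {
	key := make([]byte, 32) // demo key only; a real master key comes from a KMS or a protected file
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	sealed, _ := SealSecret(key, "example-client-secret")
	fmt.Println("client_secret:", sealed)
	plain, err := ResolveSecret(key, sealed, os.LookupEnv)
	fmt.Println("resolved:", plain, err)
	_, err = ResolveSecret(make([]byte, 32), sealed, os.LookupEnv)
	fmt.Println("with the wrong key:", err)
}
```

A plain literal is returned unchanged so that hand-edited configs keep working, but a deployment that wants to forbid plaintext secrets can make the default branch an error instead.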
Dynamic Presets
Arcan ships with built-in presets for common identity providers. Presets auto-fill issuer URLs, metadata templates, LDAP attributes, and other provider-specific defaults. They are loaded from three sources in priority order:
- Local cache -- `~/.arcan/presets/sso.json` (auto-updated from registry)
- Registry -- Latest presets from `registry.getarcan.dev` (cached 24h)
- Embedded -- Compiled into the binary (offline fallback)
Update presets manually with:
```bash
arcan auth update-presets
```
YAML Configuration Reference
OIDC
```yaml
auth:
  oidc:
    - name: okta
      issuer: https://mycompany.okta.com
      client_id: "0oa1b2c3d4e5f6"
      client_secret: "arcan:v1:encrypted-here"
      redirect_url: https://arcan.example.com/api/v1/auth/oidc/okta/callback
      allowed_domains: [mycompany.com]
      scopes: [openid, email, profile]
```
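How an `allowed_domains` restriction like the one above should be enforced on the ID token, as an added example in Go rather than Arcan's own logic (the `IDTokenClaims` type, the `DomainAllowed` function, and the rule that an empty list means unrestricted are assumptions of the example). It runs after the token's signature, issuer, audience and expiry have already been validated, requires `email_verified`, and compares the e-mail domain with an exact case-insensitive match rather than a suffix check, so `alice@mycompany.com.example.org` is refused for `allowed_domains: [mycompany.com]`.

```go
package main

import (
	"fmt"
	"strings"
)

// IDTokenClaims is the subset of ID-token claims the check needs; the fields
// mirror the standard OIDC claims "email" and "email_verified".
type IDTokenClaims struct {
	Email         string
	EmailVerified bool
}

// DomainAllowed decides whether an already-validated ID token may log in
// under an OIDC entry with the given allowed_domains. An empty list means no
// restriction (assumption of this example). The returned string is the
// reason for a refusal, suitable for an audit log.
func DomainAllowed(c IDTokenClaims, allowedDomains []string) (bool, string) {
	if len(allowedDomains) == 0 {
		return true, ""
	}
	// An unverified address proves nothing about who controls the domain.
	if !c.EmailVerified {
		return false, "email claim not verified by the identity provider"
	}
	at := strings.LastIndexByte(c.Email, '@')
	if at <= 0 || at == len(c.Email)-1 {
		return false, "malformed email claim"
	}
	domain := strings.TrimSuffix(c.Email[at+1:], ".")
	for _, d := range allowedDomains {
		// Exact match only: a HasSuffix check would accept evil-mycompany.com
		// or mycompany.com.example.org.
		if strings.EqualFold(strings.TrimSuffix(d, "."), domain) {
			return true, ""
		}
	}
	return false, fmt.Sprintf("domain %q is not in allowed_domains", domain)
}

func main() {
	allowed := []string{"mycompany.com"}
	// Constructed sample claims, not real tokens.
	for _, c := range []IDTokenClaims{
		{Email: "Alice@MyCompany.COM", EmailVerified: true},
		{Email: "bob@mycompany.com.example.org", EmailVerified: true},
		{Email: "carol@mycompany.com", EmailVerified: false},
	} {
		ok, why := DomainAllowed(c, allowed)
		fmt.Printf("%-32s verified=%-5v -> %v %s\n", c.Email, c.EmailVerified, ok, why)
	}
}
```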
SAML
```yaml
auth:
  saml:
    - name: corporate
      acs_url: https://arcan.example.com/api/v1/auth/saml/corporate/acs
      metadata_url: https://idp.example.com/saml/metadata
```
LDAP
```yaml
auth:
  ldap:
    - name: active-directory
      url: ldaps://ldap.example.com:636
      bind_dn: "cn=arcan,ou=services,dc=example,dc=com"
      bind_password: "arcan:v1:encrypted-here"
      base_dn: "dc=example,dc=com"
      user_filter: "(&(objectClass=person)(sAMAccountName=%s))"
      required_group: "cn=arcan-users,ou=Groups,dc=example,dc=com"
```
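The `user_filter` template takes the login name in place of `%s`, and `required_group` gates login on group membership. As an added example in Go (not Arcan's implementation; the functions `EscapeFilterValue`, `BuildUserFilter` and `MemberOfRequiredGroup` and the simplified DN normalisation are assumptions of the example), this shows the two checks a server doing that substitution needs: the name is escaped per RFC 4515 before it is placed in the filter, so it can only match a single attribute value and cannot change the filter's structure, and the group DN is compared case-insensitively with surrounding whitespace ignored.

```go
package main

import (
	"fmt"
	"strings"
)

// EscapeFilterValue escapes a value for use inside an LDAP search filter as
// RFC 4515 requires: * ( ) \ and NUL become \2a \28 \29 \5c \00. Other bytes,
// including UTF-8 sequences, pass through unchanged.
func EscapeFilterValue(v string) string {
	var b strings.Builder
	for i := 0; i < len(v); i++ {
		switch c := v[i]; c {
		case '*', '(', ')', '\\', 0x00:
			fmt.Fprintf(&b, `\%02x`, c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// BuildUserFilter substitutes the login name into the user_filter template
// (the %s placeholder from the YAML reference) after escaping it. A wildcard
// typed as the login name therefore matches only a literal asterisk, never
// every user in the base DN.
func BuildUserFilter(template, username string) (string, error) {
	if strings.Count(template, "%s") != 1 {
		return "", fmt.Errorf("user_filter must contain exactly one %%s placeholder, got %q", template)
	}
	if username == "" || len(username) > 256 {
		return "", fmt.Errorf("username length out of range")
	}
	return strings.Replace(template, "%s", EscapeFilterValue(username), 1), nil
}

// normalizeDN is a simplified DN comparison form: lower-case, with spaces
// around RDN separators and '=' removed. Full RFC 4517 DN matching is richer;
// this is enough for DNs produced by the same directory.
func normalizeDN(dn string) string {
	parts := strings.Split(strings.ToLower(dn), ",")
	for i, p := range parts {
		kv := strings.SplitN(strings.TrimSpace(p), "=", 2)
		for j := range kv {
			kv[j] = strings.TrimSpace(kv[j])
		}
		parts[i] = strings.Join(kv, "=")
	}
	return strings.Join(parts, ",")
}

// MemberOfRequiredGroup enforces required_group against the memberOf values
// returned for the user. An empty requiredGroup means no group restriction
// (an assumption of this example).
func MemberOfRequiredGroup(memberOf []string, requiredGroup string) bool {
	if requiredGroup == "" {
		return true
	}
	want := normalizeDN(requiredGroup)
	for _, g := range memberOf {
		if normalizeDN(g) == want {
			return true
		}
	}
	return false
}

func main() {
	const tmpl = "(&(objectClass=person)(sAMAccountName=%s))"
	// Constructed login names: an ordinary one, and ones carrying filter metacharacters.
	for _, name := range []string{"alice", "a*b", "o'brien (contractor)"} {
		f, err := BuildUserFilter(tmpl, name)
		fmt.Printf("%-24q -> %s %v\n", name, f, err)
	}
	// Constructed memberOf value, as a directory might return it.
	fmt.Println(MemberOfRequiredGroup(
		[]string{"CN=Arcan-Users, OU=Groups, DC=example, DC=com"},
		"cn=arcan-users,ou=Groups,dc=example,dc=com"))
}
```

The escaping belongs in the server, not in the YAML: the template stays exactly as written in the reference, and only the value substituted for `%s` is transformed.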