v3.20.2

Single Sign-On

The Things Stack supports OpenID Connect for single sign-on. This section contains instructions for connecting an OpenID provider to your The Things Stack deployment to allow users to sign in with their existing credentials.

Command-line interface only

The instructions below use the command-line interface (CLI).

Learn how to install the CLI

Requirements

  1. Access to an OpenID Connect provider such as Google or Amazon Cognito
  2. Administrator access to your The Things Stack deployment
  3. tti-lw-cli

Configure Your OpenID Connect Provider

First, you must configure your OpenID Connect Provider to accept login requests from The Things Stack and to forward authentication to the callback address of your The Things Stack deployment.

The Things Stack requires the following from the OpenID Connect Provider:

  • OpenID Discovery Address
  • Client ID
  • Client Secret

And you must enter the following in the OpenID Connect Provider configuration:

  • Callback URL

See instructions for configuring Google and Amazon Cognito OpenID Connect Providers.

Callback URL

The callback URL (or Redirect URI in Google terminology) of your The Things Stack deployment is the Server Address followed by the OAuth endpoint, which includes an Authentication Provider ID of your choosing:

/oauth/login/<authentication-provider-id>/callback

You will create the Authentication Provider in The Things Stack using this same Authentication Provider ID, so make a note of it.

For example, with a tenant tenant1 in the eu1 cluster and an Authentication Provider ID of auth-provider, the OAuth Callback URL is:

https://tenant1.eu1.cloud.thethings.industries/oauth/login/auth-provider/callback

Configure The Things Stack for SSO

Once your OpenID Connect provider is configured, you can configure The Things Stack.

Use the following command (note that Authentication Provider commands are only available in tti-lw-cli):

$ tti-lw-cli authentication-providers create <authentication-provider-id> \
--allow-registrations \
--configuration.provider.oidc.client-id <client-id> \
--configuration.provider.oidc.client-secret <client-secret> \
--configuration.provider.oidc.provider-url <provider-url> \
--name <display-name>

The name is what will appear on The Things Stack login screen. For example, to register a Google OpenID Authentication Provider, using the id goog and name Goog:

$ tti-lw-cli authentication-providers create goog \
--allow-registrations \
--configuration.provider.oidc.client-id xxxxx-vq3v4e2ha7c1668mr92iiqu0bd1spct2.apps.googleusercontent.com \
--configuration.provider.oidc.client-secret GOCSPX-Vxxxxxxx \
--configuration.provider.oidc.provider-url https://accounts.google.com \
--name Goog

A list of provider discovery URLs is available from AWS here.

If successful, tti-lw-cli will return a list of Authentication Providers. When you log in, you will see a login option with the name you registered the Authentication Provider with.
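
A pre-flight check for the two values most often entered wrongly, the callback URL and the provider URL. This is an added example, not part of The Things Stack or its CLI. It assumes the discovery document was fetched separately from <provider-url>/.well-known/openid-configuration (per OpenID Connect Discovery); the ID pattern, function names and sample document are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: conservative ID pattern chosen for this example
# (lowercase letters, digits, single dashes), not taken from the page.
ID_PATTERN = re.compile(r"^[a-z0-9](?:-?[a-z0-9]){1,35}$")


def callback_url(server_address: str, provider_id: str) -> str:
    """Build <server-address>/oauth/login/<authentication-provider-id>/callback."""
    parts = urlsplit(server_address)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("server address must be an https:// URL")
    if parts.path.strip("/") or parts.query or parts.fragment:
        raise ValueError("server address must not carry a path, query or fragment")
    if not ID_PATTERN.fullmatch(provider_id):
        raise ValueError("unexpected characters in authentication provider ID")
    return f"https://{parts.netloc}/oauth/login/{provider_id}/callback"


def discovery_problems(provider_url: str, doc: dict) -> list[str]:
    """Return reasons the discovery document should not be used with provider_url."""
    problems = []
    # OpenID Connect Discovery: the issuer must be identical to the URL
    # that was used to retrieve the document.
    if doc.get("issuer") != provider_url:
        problems.append("issuer does not match provider URL")
    # Endpoints that carry codes, tokens or signing keys must be HTTPS.
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if urlsplit(str(doc.get(key, ""))).scheme != "https":
            problems.append(f"{key} missing or not https")
    return problems


# Constructed sample: discovery document of a hypothetical provider.
SAMPLE_DOC = {
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/authorize",
    "token_endpoint": "https://idp.example.com/token",
    "jwks_uri": "https://idp.example.com/jwks",
}

if __name__ == "__main__":
    print(callback_url("https://tenant1.eu1.cloud.thethings.industries", "auth-provider"))
    print(discovery_problems("https://idp.example.com", SAMPLE_DOC))
    # A trailing slash is enough to break the exact issuer match.
    print(discovery_problems("https://idp.example.com/", SAMPLE_DOC))
```

The callback URL printed here must match the value registered with the OpenID Connect Provider character for character, and the provider URL passed to --configuration.provider.oidc.provider-url should be the one for which the issuer check returns no problems.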


About this page

Last changed by Nejra Selimović on 23 Mar 2022.
doc: Address improvement points from feedback (#828)
