Identity & SSO (OpenID Connect)
How Sluicio manages users, roles, and groups — and how to federate sign-in to your OpenID Connect identity provider. SSO, advanced RBAC, audit logs, and long retention are Sluicio Enterprise features.
Sluicio manages identity natively out of the box and can federate sign-in to your own identity provider over OpenID Connect (OIDC).
Users and roles (core)
Section titled “Users and roles (core)”Every user belongs to one or more organizations with a role:
- Admin — full control: members, tokens, access policies, SSO, settings.
- Editor — create and edit dashboards, alerts, integrations; can’t manage membership, tokens, or SSO.
- Viewer — read-only.
These three roles are part of the free core.
Groups & access policies (advanced RBAC — Enterprise)
Section titled “Groups & access policies (advanced RBAC — Enterprise)”For finer control, organize members into groups and attach access policies that scope what each group can see — by service, by integration, by resource attribute, or a compound of these. Policies are enforced at the query layer, so a viewer in a restricted group simply never receives telemetry outside their scope.
Basic role membership and static service→group association are in the core;
creating fine-grained access policies requires the rbac_advanced
Enterprise entitlement.
Single sign-on with OpenID Connect (Enterprise)
Section titled “Single sign-on with OpenID Connect (Enterprise)”Connect any OIDC-conformant provider — Microsoft Entra ID, Okta, Google
Workspace, Keycloak, Auth0, and others. SSO requires the sso Enterprise
entitlement.
What you will configure (per organization):
- Issuer URL — the provider’s base URL. Sluicio reads the provider’s
.well-known/openid-configurationfrom there. - Client ID + secret — from registering Sluicio as an application in your IdP.
- Claim mapping — which claims map to email / name / subject (sensible defaults provided).
How sign-in works: once a provider is configured, the login page shows a
“Sign in with sub to the Sluicio user, and issues a normal session.
Local password login keeps working alongside SSO.
Per-org configuration means different tenants on one Sluicio deployment can each federate to their own IdP.
Registering Sluicio in your identity provider. It’s the standard OIDC
“confidential web application” flow: register an app, request the scopes
openid profile email, and set the redirect URI to the value Sluicio will show
on its SSO settings screen.
| Provider | Where to register the app | Issuer URL |
|---|---|---|
| Microsoft Entra ID | App registrations → New registration (Web) | https://login.microsoftonline.com/<tenant-id>/v2.0 |
| Okta | Applications → Create App Integration → OIDC Web App | https://<org>.okta.com (or …/oauth2/default) |
| Google Workspace | Cloud Console → Credentials → OAuth client ID (Web) | https://accounts.google.com |
| Auth0 | Applications → Regular Web Application | https://<tenant>.<region>.auth0.com/ |
| Keycloak | Realm → Clients → Create (confidential) | https://<host>/realms/<realm> |
For group-based access, configure the IdP to emit a groups claim (Entra: Add
groups claim; Okta and Keycloak: a groups mapper). Google has no groups claim —
map roles inside Sluicio instead.
Audit log (Enterprise)
Section titled “Audit log (Enterprise)”With the audit_log entitlement, Sluicio records security-relevant admin
actions — member and token changes, access policies, retention and SSO config
— each with the actor, timestamp, target, and client IP. View it under
Settings → Audit log.
Licensing
Section titled “Licensing”Sluicio is open-core: the application is source-available under the Functional Source License, and the Enterprise features above live under a separate license and are unlocked by a license key.
The key is an offline, signed token — Sluicio verifies it locally against an embedded public key, so it works fully air-gapped with no phone-home. Set it via an environment variable on the cell-api:
SLUICIO_LICENSE_KEY="sluicio_lic_…"# or point at a file:SLUICIO_LICENSE_FILE=/etc/sluicio/license.keyCurrent status, entitlements, and expiry are shown under Settings → License. Without a key, the core runs fully and Enterprise features stay disabled — an absent or expired key never blocks login or admin access, so you can always sign in to install or renew a key. Contact ROMA IT AB for licensing.