Skip to content

Identity & SSO (OpenID Connect)

How Sluicio manages users, roles, and groups — and how to federate sign-in to your OpenID Connect identity provider. SSO, advanced RBAC, audit logs, and long retention are Sluicio Enterprise features.

Sluicio manages identity natively out of the box and can federate sign-in to your own identity provider over OpenID Connect (OIDC).

Every user belongs to one or more organizations with a role:

  • Admin — full control: members, tokens, access policies, SSO, settings.
  • Editor — create and edit dashboards, alerts, integrations; can’t manage membership, tokens, or SSO.
  • Viewer — read-only.

These three roles are part of the free core.

Groups & access policies (advanced RBAC — Enterprise)

Section titled “Groups & access policies (advanced RBAC — Enterprise)”

For finer control, organize members into groups and attach access policies that scope what each group can see — by service, by integration, by resource attribute, or a compound of these. Policies are enforced at the query layer, so a viewer in a restricted group simply never receives telemetry outside their scope.

Basic role membership and static service→group association are in the core; creating fine-grained access policies requires the rbac_advanced Enterprise entitlement.

Single sign-on with OpenID Connect (Enterprise)

Section titled “Single sign-on with OpenID Connect (Enterprise)”

Connect any OIDC-conformant provider — Microsoft Entra ID, Okta, Google Workspace, Keycloak, Auth0, and others. SSO requires the sso Enterprise entitlement.

What you will configure (per organization):

  • Issuer URL — the provider’s base URL. Sluicio reads the provider’s .well-known/openid-configuration from there.
  • Client ID + secret — from registering Sluicio as an application in your IdP.
  • Claim mapping — which claims map to email / name / subject (sensible defaults provided).

How sign-in works: once a provider is configured, the login page shows a “Sign in with ” button next to the email + password form. On first SSO login Sluicio matches the user by email (or provisions one), links the provider’s stable sub to the Sluicio user, and issues a normal session. Local password login keeps working alongside SSO.

Per-org configuration means different tenants on one Sluicio deployment can each federate to their own IdP.

Registering Sluicio in your identity provider. It’s the standard OIDC “confidential web application” flow: register an app, request the scopes openid profile email, and set the redirect URI to the value Sluicio will show on its SSO settings screen.

ProviderWhere to register the appIssuer URL
Microsoft Entra IDApp registrations → New registration (Web)https://login.microsoftonline.com/<tenant-id>/v2.0
OktaApplications → Create App Integration → OIDC Web Apphttps://<org>.okta.com (or …/oauth2/default)
Google WorkspaceCloud Console → Credentials → OAuth client ID (Web)https://accounts.google.com
Auth0Applications → Regular Web Applicationhttps://<tenant>.<region>.auth0.com/
KeycloakRealm → Clients → Create (confidential)https://<host>/realms/<realm>

For group-based access, configure the IdP to emit a groups claim (Entra: Add groups claim; Okta and Keycloak: a groups mapper). Google has no groups claim — map roles inside Sluicio instead.

With the audit_log entitlement, Sluicio records security-relevant admin actions — member and token changes, access policies, retention and SSO config — each with the actor, timestamp, target, and client IP. View it under Settings → Audit log.

Sluicio is open-core: the application is source-available under the Functional Source License, and the Enterprise features above live under a separate license and are unlocked by a license key.

The key is an offline, signed token — Sluicio verifies it locally against an embedded public key, so it works fully air-gapped with no phone-home. Set it via an environment variable on the cell-api:

Terminal window
SLUICIO_LICENSE_KEY="sluicio_lic_…"
# or point at a file:
SLUICIO_LICENSE_FILE=/etc/sluicio/license.key

Current status, entitlements, and expiry are shown under Settings → License. Without a key, the core runs fully and Enterprise features stay disabled — an absent or expired key never blocks login or admin access, so you can always sign in to install or renew a key. Contact ROMA IT AB for licensing.