Authentication Methods
Customer-Managed Prefect supports multiple authentication providers for enterprise Single Sign-On (SSO) integration. You can configure a single authentication method or enable multiple methods simultaneously, allowing users to choose their preferred provider during login.
Supported Providers
- Okta - OAuth 2.0 / OpenID Connect
- ADFS - Active Directory Federation Services
- Entra - Microsoft Entra ID (formerly Azure AD)
Configuration
Authentication is configured for one or more providers via the global.authProvider section in your Helm values file.
Okta
global:
  authProvider:
    okta:
      clientID: ""       # OAuth 2.0 client ID from Okta application
      clientSecret: ""   # OAuth 2.0 client secret from Okta application
      authServerURL: ""  # Okta authorization server URL (e.g., https://your-domain.okta.com/oauth2/default)
      apiKey: ""         # Okta API key for management operations
ADFS (Active Directory Federation Services)
global:
  authProvider:
    adfs:
      clientID: ""         # ADFS application client ID
      clientSecret: ""     # ADFS application client secret
      clientAuthority: ""  # ADFS authority URL (e.g., https://adfs.your-domain.com/adfs)
      clientVerifySSL: ""  # Enable/disable SSL certificate verification
Entra (Microsoft Entra ID)
global:
  authProvider:
    entra:
      clientID: ""            # Entra application (client) ID
      clientSecret: ""        # Entra client secret
      tenantID: ""            # Entra tenant ID
      clientVerifySSL: false  # Enable/disable SSL certificate verification
      loginBaseURL: "https://login.microsoftonline.com/"  # Microsoft login endpoint
Single Provider Configuration
Here's a complete example using Okta:
global:
  authProvider:
    okta:
      clientID: "0oa2b3c4d5e6f7g8h9i0"
      clientSecret: "AbCdEfGhIjKlMnOpQrStUvWxYz0123456789"
      authServerURL: "https://mycompany.okta.com/oauth2/default"
      apiKey: "00AbCdEfGhIjKlMnOpQrStUvWxYz0123456789"
Multiple Provider Configuration
To enable multiple authentication providers simultaneously, configure all desired providers in the Helm values file and set the PREFECT_CLOUD_AUTH_OAUTH_PROVIDERS environment variable to a comma-separated list of provider names.
Example: Multiple Providers
global:
  authProvider:
    # Configure all providers you want to enable
    okta:
      clientID: "0oa2b3c4d5e6f7g8h9i0"
      clientSecret: "AbCdEfGhIjKlMnOpQrStUvWxYz0123456789"
      authServerURL: "https://mycompany.okta.com/oauth2/default"
      apiKey: "00AbCdEfGhIjKlMnOpQrStUvWxYz0123456789"
    adfs:
      clientID: "adfs-client-id"
      clientSecret: "adfs-client-secret"
      clientAuthority: "https://adfs.your-domain.com/adfs"
      clientVerifySSL: false
    entra:
      clientID: "entra-client-id"
      clientSecret: "entra-client-secret"
      tenantID: "entra-tenant-id"
      clientVerifySSL: false
Using Multiple Providers
When multiple providers are configured:
- Users can select their preferred provider during login
- The first configured provider is used as the default for account initialization and member creation
- CLI commands that require a provider will accept an optional --provider parameter
- API endpoints that create users can accept an optional provider query parameter
Provider Setup
Setting up Okta
- Create an OAuth 2.0 application in your Okta admin console
- Configure the redirect URI to point to your Customer-Managed Prefect instance
- Note the Client ID and Client Secret
- Create an API token for management operations
- Use the authorization server URL (typically https://your-domain.okta.com/oauth2/default)
Setting up ADFS
- Register a new application in your ADFS management console
- Configure OAuth 2.0 settings and redirect URIs
- Note the Client ID and Client Secret
- Use your ADFS authority URL (e.g., https://adfs.your-domain.com/adfs)
Setting up Entra (Microsoft Entra ID)
- Register an application in the Azure portal under Microsoft Entra ID
- Create a client secret in the "Certificates & secrets" section
- Note the Application (client) ID and Directory (tenant) ID
- Configure redirect URIs in the "Authentication" section
- Grant necessary API permissions