Auth0
Omni supports authentication via Auth0.
GitHub
When logging in with GitHub, you must use your primary, verified email address.
OIDC
OpenID Connect (OIDC) is an identity layer built on top of the OAuth 2.0 protocol. It provides user authentication and basic profile information for web and mobile applications. Omni can be configured to use OIDC providers to authenticate users.
SAML
Security Assertion Markup Language (SAML) is an open standard that enables identity providers (IdPs) to pass authentication and authorization information to service providers (SPs). In this workflow, Omni acts as the service provider. To enable SAML for your account, please submit a ticket through Zendesk. Using SAML changes how user identities are managed in Omni:
- Users are created automatically on their first login to Omni.
  - The first user created is assigned the Admin role.
  - All subsequent users are assigned the None role.
- An Admin can modify the roles of other users.
- User creation and removal must be performed in the IdP, not in Omni.
- Attributes from the SAML assertion are added to the user's Identity resource with the prefix saml.omni.sidero.dev/.
- Access Control Lists (ACLs) can be used to grant fine-grained permissions beyond roles.
Authentication for Automation
In addition to interactive login, omnictl can also be used in automation. When using user authentication in non-interactive workflows, Omni issues short-lived credentials that expire after a limited time. User tokens can remain valid for up to eight hours, and Omni-generated user public keys currently expire after four hours. These limits are not configurable.
Because of this, long-running automation or CI/CD pipelines that rely on user authentication may fail when credentials expire. To ensure uninterrupted access for automation, scripts, and other non-interactive use cases, we recommend using Omni Service Accounts instead of user authentication.