[GH-ISSUE #863] Support custom authentication provider per resource #1672

Closed
opened 2026-04-16 08:24:19 -05:00 by GiteaMirror · 4 comments
Owner

Originally created by @JobDoesburg on GitHub (Jun 6, 2025).
Original GitHub issue: https://github.com/fosrl/pangolin/issues/863

I would like to be able to choose that I want to protect a resource with login, but from a specific IdP, and not necessarily the pangolin built-in authentication. So that I can choose a different SSO if I would want to

Originally created by @JobDoesburg on GitHub (Jun 6, 2025). Original GitHub issue: https://github.com/fosrl/pangolin/issues/863 I would like to be able to choose that I want to protect a resource with login, but from a specific IdP, and not necessarily the pangolin built-in authentication. So that I can choose a different SSO if I would want to
Author
Owner

@miloschwartz commented on GitHub (Jun 12, 2025):

You can already attach another IDP if it support OIDC. We're working on a feature to redirect straight to the Idp instead of having to click "Log in with xxxx idp" button.

<!-- gh-comment-id:2964727228 --> @miloschwartz commented on GitHub (Jun 12, 2025): You can already attach another IDP if it support OIDC. We're working on a feature to redirect straight to the Idp instead of having to click "Log in with xxxx idp" button.
Author
Owner

@JobDoesburg commented on GitHub (Jun 12, 2025):

We're working on a feature to redirect straight to the Idp instead of having to click "Log in with xxxx idp" button.

That's already great!

Will it also be possible to specify specific required claims for a resource?

The use case is namely: I use Authentik as IdP and I would like to be able to manage which users have access to a resource via Authentik groups and policies, not via Pangolin. So I would like to add users to a group in Authentik and in Pangolin only specify the required groups specifically for this resource.

Preferably I would also want to log at my IdP that a user authenticated to a specific resource, which is why I formulated my issue the way I did. This would require using resource-specific OAuth Client IDs. I see that this is much more complex though 😅.

Or do you perhaps happen to know any other solution so my IdP can see which resource a user is authenticating for.

<!-- gh-comment-id:2965408594 --> @JobDoesburg commented on GitHub (Jun 12, 2025): > We're working on a feature to redirect straight to the Idp instead of having to click "Log in with xxxx idp" button. That's already great! Will it also be possible to specify specific required claims for a resource? The use case is namely: I use Authentik as IdP and I would like to be able to manage which users have access to a resource via Authentik groups and policies, not via Pangolin. So I would like to add users to a group in Authentik and in Pangolin only specify the required groups specifically for this resource. Preferably I would also want to log at my IdP that a user authenticated to a specific resource, which is why I formulated my issue the way I did. This would require using resource-specific OAuth Client IDs. I see that this is much more complex though 😅. Or do you perhaps happen to know any other solution so my IdP can see which resource a user is authenticating for.
Author
Owner

@github-actions[bot] commented on GitHub (Jun 27, 2025):

This issue has been automatically marked as stale due to 14 days of inactivity. It will be closed in 14 days if no further activity occurs.

<!-- gh-comment-id:3010866343 --> @github-actions[bot] commented on GitHub (Jun 27, 2025): This issue has been automatically marked as stale due to 14 days of inactivity. It will be closed in 14 days if no further activity occurs.
Author
Owner

@oschwartz10612 commented on GitHub (Jun 27, 2025):

@JobDoesburg sorry for the delay. I think you can do that by selecting roles from the IDP and creating roles within Pangolin to map to who can see what. https://docs.fossorial.io/Pangolin/Identity%20Providers/auto-provision#selecting-roles

Feel free to reopen if this does not solve the issue!

<!-- gh-comment-id:3013080926 --> @oschwartz10612 commented on GitHub (Jun 27, 2025): @JobDoesburg sorry for the delay. I think you can do that by selecting roles from the IDP and creating roles within Pangolin to map to who can see what. https://docs.fossorial.io/Pangolin/Identity%20Providers/auto-provision#selecting-roles Feel free to reopen if this does not solve the issue!
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/pangolin#1672