11#Authentication
22
3- ![ OIDC with Coder Sequence Diagram] ( ../images/oidc-sequence-diagram.svg ) .
4-
53By default, Coder is accessible via password authentication. Coder does not
64recommend using password authentication in production, and recommends using an
75authentication provider with properly configured multi-factor authentication
@@ -252,33 +250,47 @@ CODER_TLS_CLIENT_KEY_FILE=/path/to/key.pem
252250##Group Sync (enterprise) (premium)
253251
254252If your OpenID Connect provider supports group claims, you can configure Coder
255- to synchronize groups in your auth provider to groups within Coder.
253+ to synchronize groups in your auth provider to groups within Coder. To enable
254+ group sync, ensure that the` groups ` claim is being sent by your OpenID
255+ provider. This may involve requesting an additional
256+ [ scope] ( ../reference/cli/server.md#--oidc-scopes ) or additional configuration on
257+ the OpenID provider side.
256258
257- To enable group sync, ensure that the` groups ` claim is set by adding the
258- correct scope to request. If group sync is enabled, the user's groups will be
259- controlled by the OIDC provider. This means manual group additions/removals will
260- be overwritten on the next login.
259+ If group sync is enabled, the user's groups will be controlled by the OIDC
260+ provider. This means manual group additions/removals will be overwritten on the
261+ next user login.
261262
262- ``` env
263- # as an environment variable
264- CODER_OIDC_SCOPES=openid,profile,email,groups
265- ```
263+ There are two ways you can configure group sync:
266264
267- ``` shell
268- # as a flag
269- --oidc-scopes openid,profile,email,groups
265+ <div class =" tabs " >
266+
267+ ##Server Flags
268+
269+ First, confirm that your OIDC provider is sending the` groups ` claim by logging
270+ in with OIDC and visiting the following URL:
271+
272+ ``` text
273+ https://[coder.example.com]/api/v2/debug/[your-username]/debug-link
270274```
271275
272- With the` groups ` scope requested, we also need to map the` groups ` claim name.
273- Coder recommends using` groups ` for the claim name. This step is necessary if
274- your** scope's name** is something other than` groups ` .
276+ You should see a field, followed by a list of the user's OIDC groups in the
277+ response. This is the
278+ [ claim] ( https://openid.net/specs/openid-connect-core-1_0.html#Claims ) sent by
279+ the OIDC provider. See[ Troubleshooting] ( #troubleshooting-grouprole-sync ) to
280+ debug this.
275281
276- ``` env
282+ > Depending on the OIDC provider, this claim may be named differently. Common
283+ > ones include` groups ` ,` memberOf ` , and` roles ` .
284+
285+ Next configure the Coder server to read groups from the claim name with the
286+ [ OIDC group field] ( ../reference/cli/server.md#--oidc-group-field ) server flag:
287+
288+ ``` sh
277289# as an environment variable
278290CODER_OIDC_GROUP_FIELD=groups
279291```
280292
281- ``` shell
293+ ``` sh
282294# as a flag
283295--oidc-group-field groups
284296```
@@ -288,14 +300,16 @@ names in Coder and removed from groups that the user no longer belongs to.
288300
289301For cases when an OIDC provider only returns group IDs ([ Azure AD] [ azure-gids ] )
290302or you want to have different group names in Coder than in your OIDC provider,
291- you can configure mapping between the two.
303+ you can configure mapping between the two with the
304+ [ OIDC group mapping] ( ../reference/cli/server.md#--oidc-group-mapping ) server
305+ flag.
292306
293- ``` env
307+ ``` sh
294308# as an environment variable
295309CODER_OIDC_GROUP_MAPPING=' {"myOIDCGroupID": "myCoderGroupName"}'
296310```
297311
298- ``` shell
312+ ``` sh
299313# as a flag
300314--oidc-group-mapping' {"myOIDCGroupID": "myCoderGroupName"}'
301315```
@@ -313,11 +327,17 @@ coder:
313327From the example above, users that belong to the` myOIDCGroupID` group in your
314328OIDC provider will be added to the `myCoderGroupName` group in Coder.
315329
316- > **Note:** Groups are only updated on login.
317-
318330[azure-gids] :
319331https://github.com/MicrosoftDocs/azure-docs/issues/59766#issuecomment-664387195
320332
333+ # # Runtime (Organizations)
334+
335+ For deployments with multiple [organizations](./organizations.md), you can must
336+ configure group sync at the organization level. In future Coder versions, you
337+ will be able to configure this in the UI. For now, you can use CLI commands.
338+
339+ </div>
340+
321341# ## Group allowlist
322342
323343You can limit which groups from your identity provider can log in to Coder with