diff --git a/website/integrations/services/xen-orchestra/index.md b/website/integrations/services/xen-orchestra/index.md new file mode 100644 index 000000000000..a248ed6cf4bc --- /dev/null +++ b/website/integrations/services/xen-orchestra/index.md 
@@ -0,0 +1,69 @@ +--- +title: Xen Orchestra +--- + +Support level: Community + +## What is Xen Orchestra + +> Xen Orchestra provides a user friendly web interface for every Xen based hypervisor (XenServer, xcp-ng, etc.). +> +> -- https://xen-orchestra.com/ + +:::note +Xen Orchestra offers authentication plugins for OpenID Connect, SAML and LDAP. This guide is using the OpenID Connect plugin. +If you are using the Xen Orchestra Appliance, the OIDC Plugin should be present. If you are using Xen Orchestra compiled from sources, make sure the plugin `auth-oidc` is installed. +::: + +## Preparation + +The following placeholders will be used: + +- `xenorchestra.company` is the FQDN of the Xen Orchestra instance. +- `authentik.company` is the FQDN of the authentik install. + +## authentik configuration + +### 1. Provider + +Under _Providers_, create an OAuth2/OpenID provider with these settings: + +- Name: Provider for XenOrchestra +- Authorization Flow: Select one of the available Flows. +- Client type: Confidential +- Redirect URIs/Origins: `https://xenorchestra.company/signin/oidc/callback` + +Take note of the Client ID and the Client Secret, because we need them for the configuration of Xen Orchestra. + +### 2. Application + +Create an application with the following details: + +- Slug: `xenorchestra` (If you want to choose a different slug, your URLs for the Xen Orchestra Configuration may vary.) +- Provider: Select the one we have created in Step 1 +- Set the Launch URL to `https://xenorchestra.company/` + +Optionally apply access restrictions to the application. + +## Xen Orchestra configuration + +Xen Orchestra allows the configuration of the OpenID Connect authentication in the plugin-section. +All of the URLs mentioned below can be copied & pasted from authentik (_Applications -> Providers -> *the provider created earlier*_). + +1. Navigate to Settings -> Plugins +2. Scroll to **auth-oidc** and click on the **+** icon on the right hand side. +3. 
Configure the auth-oidc plugin with the following configuration values: + +- Set the `Auto-discovery URL` to `https://authentik.company/application/o/xenorchestra/.well-known/openid-configuration`. +- Set the `Client identifier (key)` to the Client ID from your notes. +- Set the `Client secret` to the Client Secret from your notes. +- Check the `Fill information (optional)`-Checkbox to open the advanced menu. +- Set the `Username field` to `username` +- Set the `Scopes` to `openid profile email` + +4. Enable the `auth-oidc`-Plugin by toggling the switch above the configuration. +5. You should be able to login with OIDC. + +:::note +The first time a user signs in, Xen Orchesta will create a new user with the same username used in authentik. If you want to map the users by their e-mail-address instead of their username, you have to set the `Username field` to `email` in the Xen Orchestra plugin configuration. +::: diff --git a/website/sidebarsIntegrations.js b/website/sidebarsIntegrations.js index a7b3396880b3..8f836d31952f 100644 --- a/website/sidebarsIntegrations.js +++ b/website/sidebarsIntegrations.js @@ -63,6 +63,7 @@ module.exports = { "services/portainer/index", "services/proxmox-ve/index", "services/rancher/index", + "services/xen-orchestra/index", "services/vmware-vcenter/index", ], },
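Review bot: In website/integrations/services/xen-orchestra/index.md, the Application step leaves access control as "Optionally apply access restrictions to the application", while the closing note says Xen Orchestra creates a new user the first time someone signs in. Taken together, any authentik user who can complete the sign-in would get a Xen Orchestra account unless a restriction is bound. Consider recommending that the application be bound to a specific group or policy rather than presenting this as optional. The same closing note suggests setting `Username field` to `email`; it would help to state that whichever claim is used there should be unique and not changeable by the user, since it decides which Xen Orchestra account a login maps to. Smaller points: "Xen Orchesta" in the final note is a typo, "Authorization Flow: Select one of the available Flows." gives the reader no basis for choosing, and the bullet list under step 3 is not indented, so steps 4 and 5 may render as a separate list.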
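Review bot: In website/sidebarsIntegrations.js, the new entry `"services/xen-orchestra/index"` is inserted before `"services/vmware-vcenter/index"`, but the neighbouring entries visible in the hunk (portainer, proxmox-ve, rancher, vmware-vcenter) are in alphabetical order. Move the new line after the vmware-vcenter entry to keep the list sorted.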