Single Sign-On (SSO)

Single sign-on (SSO) enables users to authenticate with multiple applications by logging in only once.

Under construction

This guide is a work in progress.

As an example, GitLab offers the following experience as an Identity Provider:

  1. The user logs in to GitLab for the first time, typing their credentials.
  2. The user navigates to Kubeflow, which is an OIDC Client to GitLab.
  3. Kubeflow initiates an OIDC flow to authenticate the user, redirecting them to GitLab to sign in.
  4. GitLab recognises the user is signed in, because it has stored a session cookie in the user’s browser.
  5. The user is not asked to type their credentials. They may be asked to authorize the application to access their identity (configurable).
  6. After granting access to Kubeflow, the user is logged in and redirected to Kubeflow.

What’s Next

The next guide explains how to enforce Single Logout (SLO) for Kubeflow.