Authentication via OpenID Connect/OAuth 2.0 and Single Sign-On

Bacula Enterprise Only

This solution is only available for Bacula Enterprise. For subscription inquiries, please reach out to sales@baculasystems.com.

BWeb supports delegated authentication through OpenID Connect (OIDC), built on top of the OAuth 2.0 protocol. With this integration, users authenticate with an external identity provider (IdP), and BWeb receives verified identity and group information to authorize access. This keeps credential management inside your IdP, while BWeb focuses on authorization and role mapping.

Roles defined in BWeb can be associated with IdP groups. Those group claims are forwarded by OAuth2-Proxy as HTTP headers, which BWeb interprets to grant or deny access to specific actions.

By leveraging OIDC, BWeb can deliver a Single Sign-On (SSO) experience. Users authenticate once with the IdP and can access BWeb from the IdP dashboard with a single click. This is particularly valuable in enterprise environments where BWeb is one of several applications connected to a central identity platform.

Because authentication is handled by your IdP, you can enforce corporate security controls such as multi-factor authentication, conditional access, and centralized auditing without changing BWeb itself.

BWeb integrates with OIDC using OAuth2-Proxy, an open-source reverse proxy that implements the OIDC/OAuth 2.0 flows and forwards only authorized requests to BWeb. The integration is designed to work with any standards-compliant IdP. It has been validated with Okta, Microsoft Entra ID, and Keycloak, and the same approach applies to other providers with minor adjustments.
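Because roles are derived from HTTP headers set by OAuth2-Proxy, the application behind the proxy should believe those headers only on requests that actually arrive from the proxy. The sketch below is an added example, not BWeb or OAuth2-Proxy code: it shows that check together with a deny-by-default group-to-role mapping. It assumes the proxy passes X-Forwarded-User and a comma-separated X-Forwarded-Groups header (OAuth2-Proxy's user headers); the proxy address, group names, roles and actions are hypothetical.

```python
import ipaddress

# Assumptions for illustration only (not BWeb's real configuration):
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.1/32")]  # where OAuth2-Proxy runs
GROUP_TO_ROLE = {            # hypothetical IdP group -> role mapping
    "backup-admins": "admin",
    "backup-operators": "operator",
}
ROLE_ACTIONS = {             # hypothetical role -> permitted actions
    "admin": {"view_jobs", "run_job", "edit_config"},
    "operator": {"view_jobs", "run_job"},
}


def _header(headers, name):
    """Case-insensitive header lookup; returns '' when absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def roles_for_request(peer_ip, headers):
    """Return the roles granted to a request, or an empty set.

    Identity headers are believed only when the TCP peer is the proxy;
    a client that reaches the backend directly could set them itself.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_PROXIES):
        return set()
    if not _header(headers, "X-Forwarded-User"):
        return set()  # the proxy did not assert an authenticated user
    raw = _header(headers, "X-Forwarded-Groups")
    groups = [g.strip() for g in raw.split(",")]
    # Groups with no mapping grant nothing.
    return {GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE}


def is_allowed(peer_ip, headers, action):
    """Deny by default: allowed only if a granted role permits the action."""
    roles = roles_for_request(peer_ip, headers)
    return any(action in ROLE_ACTIONS[r] for r in roles)
```

The same property can be enforced at the network layer by binding the backend to an interface that only the proxy can reach.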

For best results, follow this documentation in order: concepts, architecture/requirements, provider configuration, installation, then usage and troubleshooting.
