Auth Providers

Each tenant in RAMP can have its own set of authentication providers. Users authenticate through the provider configured for their tenant, enabling different organizations to use their existing identity infrastructure.

Supported Provider Types

Provider	Description	Use Case
RAMP Internal	Username and password stored in the RAMP database	Small teams, testing, standalone deployments
LDAP	LDAP or Active Directory authentication	Enterprise environments with existing AD infrastructure
OIDC (OpenID Connect)	Azure AD, Keycloak, Okta, Auth0, Authentik	Cloud-first organizations, SSO requirements
Windows Auth	Windows Integrated Authentication (IIS/Kerberos)	Intranet deployments in Windows environments

Tip

A tenant can have multiple authentication providers configured simultaneously. For example, you might configure OIDC for most users while keeping RAMP Internal as a fallback for service accounts.

Adding an Auth Provider

1. Navigate to Tenants, then select the tenant you want to configure.
2. Open the Auth Providers tab.
3. Click Add Provider.
4. Select the provider type.
5. Configure the provider-specific settings (see sections below).
6. Click Test Connection to verify the configuration.
7. Click Save.

Configuring RAMP Internal

RAMP Internal authentication stores usernames and passwords directly in the RAMP database. No additional configuration is required beyond enabling the provider.

This provider is useful for:

• Local administrator accounts
• Service accounts
• Development and testing environments
• Deployments without external identity infrastructure

Configuring LDAP

LDAP authentication connects RAMP to an existing LDAP directory or Active Directory.

Required settings:

Setting	Description	Example
Server	LDAP server hostname or IP	ldap.example.com
Port	LDAP port number	389 (LDAP) or 636 (LDAPS)
Base DN	Base distinguished name for user searches	dc=example,dc=com
User Filter	LDAP filter to locate user accounts	(sAMAccountName={0})
Bind DN	Distinguished name for the bind account	cn=svc-ramp,ou=services,dc=example,dc=com
Bind Password	Password for the bind account	(secret)
Use SSL	Enable SSL/TLS for the connection	true for port 636

Caution

The bind account needs read access to the directory. Avoid using a domain administrator account. Create a dedicated service account with minimal privileges.

Configuring OIDC (OpenID Connect)

OIDC authentication integrates RAMP with modern identity providers that support the OpenID Connect protocol.

Required settings:

Setting	Description	Example
Authority URL	The OIDC issuer URL	https://keycloak.example.com/realms/myrealm
Client ID	The OAuth2 client identifier	ramp-client
Client Secret	The OAuth2 client secret	(secret)
Scopes	Requested OAuth2 scopes	openid profile email

Keycloak

1. Create a new client in Keycloak with Client authentication enabled.
2. Set the Valid redirect URIs to your RAMP URL followed by /_auth/callback.
3. Copy the Client ID and Client Secret to RAMP.
4. The Authority URL follows the pattern: https://keycloak.example.com/realms/{realm}

Azure AD / Entra ID

1. Register an application in the Azure portal under App registrations.
2. Create a client secret under Certificates & secrets.
3. Configure the redirect URI to your RAMP URL followed by /_auth/callback.
4. The Authority URL follows the pattern: https://login.microsoftonline.com/{tenant-id}/v2.0

Okta

1. Create an OIDC application in the Okta admin console.
2. Set the sign-in redirect URI to your RAMP URL followed by /_auth/callback.
3. Copy the Client ID and Client Secret.
4. The Authority URL follows the pattern: https://{domain}.okta.com

Authentik

1. Create a new OAuth2/OpenID Provider in Authentik.
2. Set the redirect URI to your RAMP URL followed by /_auth/callback.
3. Copy the Client ID and Client Secret.
4. The Authority URL follows the pattern: https://authentik.example.com/application/o/{app-slug}/

OIDC Directory Browsing

By default, RAMP only sees external IDP users after they have logged in at least once (CachedOnly mode). When directory browsing is enabled, RAMP can search users and groups directly from the identity provider.

Enabling Directory Browsing

For OIDC providers that expose Admin APIs (Keycloak, Entra ID, Okta, Authentik), you can enable full directory browsing:

1. Open the OIDC connection settings for the tenant.

2. Enter the Admin API Endpoint for your provider:

   Provider	Admin API Endpoint
   Keycloak	https://keycloak.example.com/admin/realms/{realm}
   Entra ID	https://graph.microsoft.com/v1.0
   Okta	https://{domain}.okta.com/api/v1
   Authentik	https://authentik.example.com/api/v3

3. Ensure the OAuth2 client has the necessary API permissions for your provider.

4. Save the configuration.

After saving, the connection mode changes from CachedOnly to FullBrowse, and you can search for users and groups directly from the provider.

CachedOnly vs. FullBrowse

Feature	CachedOnly	FullBrowse
See users who have logged in	Yes	Yes
Search all provider users	No	Yes
Browse provider groups	No	Yes
Sync groups from provider	No	Yes
Requires Admin API endpoint	No	Yes
Requires additional API permissions	No	Yes

Note

Even in CachedOnly mode, users are automatically provisioned as tenant members when they first log in through the configured OIDC provider.

Configuring Windows Auth

Windows Integrated Authentication uses Kerberos or NTLM for seamless authentication in Windows environments.

Required settings:

Setting	Description	Example
Domain	Windows domain name	EXAMPLE

Note

Windows Auth requires the RAMP API to be hosted on IIS with Windows Authentication enabled at the server level. It is not available in Docker or Linux deployments.

Testing a Provider

After configuring a provider, always test the connection before relying on it:

1. Click Test Connection on the provider configuration page.
2. For LDAP: RAMP will attempt to bind to the directory with the configured credentials.
3. For OIDC: RAMP will validate the authority URL and fetch the OpenID Connect discovery document.
4. Review the test results for any errors.

Tip

If testing fails, verify network connectivity between the RAMP server and the identity provider. Check firewall rules, DNS resolution, and that the provider is reachable from the server.

Managing Existing Providers

Editing a Provider

Navigate to the tenant’s Auth Providers tab, click on the provider, modify the settings, and save. Test the connection after making changes.

Removing a Provider

Removing an authentication provider prevents users from logging in through that provider. Users who have previously authenticated through the removed provider will retain their RAMP accounts but will need to use an alternative provider.

Caution

Ensure at least one functional authentication provider remains configured before removing a provider, or users will be unable to log in.

Next Steps

After configuring authentication providers, configure the auth settings to control the default login behavior for the tenant.

Related topics

Auth Settings Configure the default identity provider and login behavior per tenant

Authentication Overview Understand the authentication architecture and supported provider types