Configure User Authentication

To configure user authentication, go to Administration -> Configuration in the navigation pane and open the Authentication tab.

Once you have created your account as a system admin, you can choose between four methods of user authentication. The method you choose also determines how you add and manage users in your instance.

The difference between the four methods is how identity management, user authentication, and authorization are performed: locally, using an external server, or an external provider.

  • Identity management keeps user account data such as their user names and IDs;
  • User authentication procedure proves the user identity;
  • User authorization enables authenticated users to perform certain actions.

Considering these differences, you can configure one of the following authentication modes:

  • database mode: the user accounts are created and managed using the Container Registry GUI; authentication happens by comparing their credentials against the data in this local database;
  • UAA mode: you will need an external user identity, authentication, and authorization provider or server; it will keep the user data, perform user authentication, and communicate the result of such authentication back to the Container Registry instance;
  • LDAP/AD mode: you will need an external LDAP/AD server where the new user accounts will be created and managed and that will perform user authentication;
  • OIDC mode: similarly to UAA, user accounts will be created and managed by a Single Sign-On provider, and this provider will perform user authentication.

When you sign up for the first time as a system admin, the database mode is activated by default. Before you start adding new users in this mode, you can switch to a different one.

Restrictions on Switching Between User Authentication Modes

In general, you can always migrate your user accounts from an LDAP/Active Directory server to an OpenID provider. The steps depend on the latter. Most OIDC providers, such as Google, Azure, etc., provide tools for migrating user accounts, with functionality for matching user records. Once you have completed the migration, you can switch the user authentication mode in the Container Registry administration console.

IMPORTANT

Switching the authentication mode between the internal database (database mode) and LDAP/OIDC is only possible when there are no users in the system. Before you can switch to a different authentication method, the system admin (admin) needs to delete all users manually in the UI or via the API.

It is also not possible to export or migrate user accounts from the Container Registry GUI.