Configure User Authentication

Configuring user authentication can be accessed in the navigation pane, then Administration -> Configuration -> Authentication tab.

Once you created your account as a system admin, you can choose between four methods of user authentication that will also specify how you add and manage users in your instance.

The difference between the four methods is how identity management, user authentication, and authorization are performed: locally, using an external server, or an external provider.

  • Identity management keeps user account data such as their user names and IDs;
  • User authentication procedure proves the user identity;
  • User authorization enables authenticated users to perform certain actions.

Considering these differences, you can configure one of the following authentication modes:

  • database mode: the user accounts are created and managed using the Container Registry GUI; authentication happens by comparing their credentials against the data in this local database;
  • UAA mode: you will need an external user identity, authentication, and authorization provider or server; it will keep the user data, perform user authentication, and communicate the result of such authentication back to the Container Registry instance;
  • LDAP/AP mode: you will need an external LDAP/AD server where the new user accounts will be created and managed and that will perform user authentication;
  • OIDC mode: similarly to UAA, user accounts will be created and managed by a Single Sign-On provider, and this provider will perform user authentication.

When you sign up for the first time as a system admin, the database mode is activated by default. Before you start adding new users in this mode, you can switch to a different one.

Restrictions on Switching Between User Authentication Modes

As you may know, generally, you can always migrate your user accounts from an LDAP/Active directory server to a OpenID provider. The steps depend on the latter. Most OIDC providers, such as Google, Azure, etc, provide tools for migrating user accounts with functionalities for matching user records. Once you’ve done the migration, you can switch the user authentication mode in the Container Registry administration console.

Switching the authentication mode between the internal database (database mode) and LDAP/OIDC is only possible without users in the system. Before you can switch to a different authentication method, the system admin (admin) needs to delete all users manually in the UI or via API.

It is also not possible to export or migrate user accounts from the Container Registry GUI.

Unauthenticated Users Landing Page

By default, users who are not logged in are redirected to the login page. You can change this behaviour so that unauthenticated users land on the Public Projects page instead, allowing them to browse public repositories without being prompted to log in first.

This is particularly useful for public-registry deployments — for example, when OIDC is enabled and you want anonymous users to be able to discover and pull public images without being forced through an authentication flow.

Configure the Landing Page

  • In the navigation pane on the left, select Administration;
  • Click on Configuration;
  • Select the Authentication tab;
  • Locate the Unauthenticated Users Landing Page dropdown;
  • Select one of the available options:
    • Login Page — unauthenticated users are directed to the login page (default);
    • Public Projects Page — unauthenticated users are directed to the public projects listing;
  • Click Save.