External Authentication

Extend Portainer and Allow OAuth Based Single Sign On

In the modern IT environment, security has become of paramount concern. Traditionally, access control to critical systems was implemented at user level through strict enforcement of lengthy, complex passwords, that must be changed often. This has resulted in a massive duplication of credentials-based systems, and has led to a complicated, brittle, user-toxic arrangement where at best, a user is expected to maintain many strong different passwords, and at worst, a user becomes a vulnerability through poor password choice, or password re-use.

Increasingly intelligent authorization through token-based standards has allowed access to a wide range of enhanced, cloud based, security and authorization solutions implemented through API’s for almost any application requirement. With the introduction of our External Authentication extension, Portainer is pleased to provide OAuth based industry standard authentication as an enhancement to the open source Portainer CE toolset.

The External Authentication extension is designed to assist all users in securing access to the power of the Portainer CE toolset, without having to maintain a disparate list of users and passwords within the product. Prior to this extension, all user credentials needed to be manually updated as staff changed.

Additionally, in a corporate setting, the manual synchronization between credentials used within Portainer and the corporate security directory is cumbersome and having to pre-create all accounts in Portainer is an operational burden at scale. With this extension, these issues are avoided and the creation of yet another username and password combination avoided.

Multi-factor authentication has become table-stakes in securing access to software. MFA is the standard approach to validating that an actual authorised user is accessing a system. In the absence of MFA, systems (like Portainer) simply assume that use of a valid login name and password are proof of authorization. By implementing an OAuth based external authorization extension, Portainer users can access any number of third-party MFA solutions.


  • Portainer can delegate the responsibility for authentication to a trusted 3rd party. To make this even easier Portainer External Authentication is pre-configured for Microsoft, Google or Github. Portainer External Authentication also allows for custom connections to other OAuth based systems.
  • Portainer grants access based upon confirmation tokens received from external authorization systems. During the login process, Portainer redirects a user to the trusted party, whereby they are authenticated, and then that provider sends back a “confirmation” token.
  • Because the trusted external party handles all elements of the authentication process, the third party can also apply any number of user validation checks, such as multi-factor authentication, where the user must provide a second form of identity confirmation. Through the OAuth standard this may be via a token, SMS one time password, or more sophisticated systems such as phone based voice recognition or a biometric check.
  • User accounts within Portainer are automatically created once a user is successfully authenticated, so there is no need to pre-create accounts
  • When a user’s role changes or they exit the business, corporate off-boarding will generally handle the disablement of the primary authentication. This means that Portainer also immediately blocks access and there is no need to delete users or change the password.
  • Once the External Authentication extension is enabled, credentials are no longer held within Portainer. This increases the security stance overall, and means users never need to remember credentials for Portainer.

The Portainer development team has implemented the OAuth open standard. OAuth has become the gold standard in identity validation. It's the standard that the internet uses across all modern applications, and it’s the standard that cloud providers use when creating SaaS applications.

With large numbers of organisations moving to either Office365 or Google gSuite, there are already many organizations already OAuth enabled, already taking advantage of centralized identity management. While SAML, LDAP and Kerberos are still in use as alternative primary user authentication protocols, these are not built for large scale distributed applications and are unable to easily be consumed by 3rd party applications. As application landscapes are changing, these protocols are decreasing in their use and popularity.

Please note that Portainer Version 1.20.2 (or later) is required to support the External Authentication extension.

For a brief overview of the External Authentication extension, please click here

Extension subscriptions are available from the Extensions menu in the sidebar of the Portainer app. Alternatively, purchase a license for the External Authentication extension here. The External Authentication extension is licensed per Portainer instance per year. Upon completion of the purchase process the appropriate license will be emailed automatically.

Portainer is unable to offer a trial license on this product. However a 90 day money back guarantee applies to all purchases.

To download the user guides for the External Authentication extension, please click here

Business Support Services

Take advantage of our cost effective support options to keep your Portainer environments running smoothly

Learn more

Technical Documentation

Access the detailed function reference here

Learn more

Professional Services

Engage with the Portainer Team to manage your container platform, or get design and build assistance from the experts.

Learn more