For AI agents: a documentation index is available at the root level at /llms.txt and /llms-full.txt. Append /llms.txt to any URL for a page-level index, or .md for the markdown version of any page.
      • AstroFully-managed data operations, powered by Apache Airflow.
      • Astro Private CloudRun Airflow-as-a-service in your environment.
      • Professional ServicesExpert Airflow services for your enterprise's success.
    • Tools
      • Cosmos
      • Orbiter
      • CLI
      • AI SDK
      • Agents
      • Blueprint
      • UpdatesThe State of Airflow 2026See the insights from over 5,800 data practitioners in the full report. Download Now ➔
  • Customers
  • Docs
    • Insights
      • Blog
      • Webinars
      • Resource Library
      • Events
    • Education
      • Academy
      • What is Airflow?
  • Pricing
Get Started Free
      • Upgrade Astronomer
      • Apply a config change
        • Integrate an auth system
        • Import IdP groups
        • Create a Workspace
        • User permissions
        • Platform user management
        • Integrate IAM roles
    • Book Office Hours

Product

  • Platform Overview
  • Astro
  • Astro Observe
  • Astro Private Cloud
  • Security & Trust
  • Pricing

Tools & Services

  • Cosmos
  • Docs
  • Professional Services
  • Product Updates

Use Cases

  • AI Ops
  • Data Observability
  • ETL/ELT
  • ML Ops
  • Operational Analytics
  • All Use Cases

Industries

  • Financial Services
  • Gaming
  • Retail
  • Manufacturing
  • Healthcare
  • All Industries

Resources

  • Academy
  • eBooks & Guides
  • Blog
  • Webinars
  • Events
  • The Data Flowcast Podcast
  • All Resources

Airflow

  • What is Airflow
  • Airflow on Astro
  • Airflow 3.0
  • Airflow Upgrades
  • Airflow Use Cases
  • Airflow 2.x End of Life

Company

  • Our Story
  • Customers
  • Newsroom
  • Careers
  • Contact

Support

  • Knowledge Base
  • Status
  • Contact Support
GitHubYouTubeLinkedInx
  • Legal
  • Privacy
  • Terms of Service
  • Consent Preferences

  • Do Not Sell or Share My Personal information
  • Limit the Use Of My Sensitive Personal Information

Apache Airflow®, Airflow, and the Airflow logo are trademarks of the Apache Software Foundation. Copyright © Astronomer 2026. All rights reserved.

LogoLogo
On this page
  • Step 1: Register an application using App Registrations on Azure
  • Step 2: (Optional) Create a client secret
  • Step 3: Enable Microsoft Entra ID in your values.yaml file
  • Step 1: Configure Okta
  • Step 2: Integrate Okta with Astronomer Software
  • Step 1: Create an Auth0 tenant domain
  • Step 2: Create a connection between Auth0 and your identity management provider
  • Step 3: Configure Auth0 application settings
  • Step 4: Enable Auth0 in your values.yaml file
  • Step 1: Create a user pool in Cognito
  • Step 2: Edit your Astronomer configuration
  • Running behind an HTTPS proxy
  • Configure an HTTPS proxy server for Houston
  • Configure a custom OAuth flow
  • Step 1: Configure your authorization flow on Astronomer
  • Step 2: Configure your identity provider
  • Step 3: Confirm your installation
  • Manage users and Teams with SCIM
AdministrationUser access and management

Configure authentication and configure an identity provider on Astronomer Software

Edit this page
Built with

An auth system determines how users can log in to Astronomer Software. By default, Astronomer Software allows users to create an account and authenticate using one of the following methods:

  • Google OAuth
  • GitHub OAuth
  • Local username/password

Integrating an external identity provider (IdP) greatly increases the security of your platform. When you integrate your IdP into Astronomer Software:

  • Users no longer need to repeatedly login and remember credentials for their account.
  • You have complete ownership over credential configuration and management on Astro.
  • You can enforce multi-factor authentication (MFA) for users.

In addition to the default methods, Astronomer provides the option to integrate any IdP that follows the Open Id Connect (OIDC) protocol. This includes (but is not limited to):

  • Microsoft Entra ID
  • Okta
  • IdPs managed through Auth0
  • Amazon Cognito

After you integrate your IdP, you can invite users that already have an account on your IdP to Astronomer Software. For a more advanced integration, you can configure SCIM so that you can manage users directly from your IdP and import batches of users into Astronomer Software as Teams.

The following setups assume that you are using the default Astronomer implicit flow as your authorization flow. To implement a custom authorization flow, see Configure a Custom OAuth Flow.
Microsoft Entra ID
Okta
Auth0
AWS Cognito
Local auth
General OIDC

Step 1: Register an application using App Registrations on Azure

  1. In Microsoft Entra ID, click App registrations > New registration.

  2. Complete the following sections:

    • Name: Any
    • Supported account types: Accounts in this organizational directory only (Astronomer only - single tenant)
    • Redirect URIs:
      • Web / https://houston.BASEDOMAIN/v1/oauth/redirect/.
      • Web / https://houston.BASEDOMAIN/v1/oauth/callback/.

    Replace BASEDOMAIN with your own. For example, if your base domain is example.com, your redirect URIs should be https://houston.example.com/v1/oauth/redirect/ and https://houston.example.com/v1/oauth/callback/.

  3. Click Register.

  4. Click Authentication in the left menu.

  5. In the Web area, confirm the redirect URI is correct.

  6. In the Implicit grant and hybrid flows area, select Access tokens and ID tokens.

  7. Click Save.

authentication.png

Step 2: (Optional) Create a client secret

Complete this setup only if you want to import Microsoft Entra ID groups to Astronomer Software as Teams.

  1. In your Microsoft Entra ID application management left menu, click Certificates & secrets.

  2. Click New client secret.

  3. Enter a description in the Description field and then select an expiry period in the Expires list.

  4. Click Add.

  5. Copy the values in the Value and Secret ID columns.

  6. Click API permissions in the left menu.

  7. Click Microsoft Graph and add the following minimum permissions for Microsoft Graph:

    • email
    • Group.Read.All
    • openid
    • profile
    • User.Read

    For each of these permissions, select Grant Admin Consent for Astronomer Data. Your Microsoft Graph permissions should look similar to the following image:

    Completed permissions page in Azure

  8. Click Token configuration in the left menu.

  9. Click Add groups claim and select the following options:

    • In the Select group types to include in Access, ID, and SAML tokens area, select every option.
    • In Customize token properties by type area, expand ID, Access, and SAML and then select Group ID for each type.

  10. Click Add.

  11. Base64 encode the client secret retrieved from Microsoft with Linux or macOS terminal with the following command:

    $echo '<oauth-client-secret-value> | base64

  12. Create a Kubernetes Secret in the astronomer Namespace, or whichever Namespace where Houston is deployed, using the following YAML as an example:

1# Required configuration for all secrets
2kind: Secret
3apiVersion: v1
4metadata:
5     name: oauth-client-secret
6type: Opaque
7# Specify a key and value for the data you want to encrypt
8data:
9    client_secret:  "<encoded-client-secret-value>"
  1. Apply the Kubernetes Secret with kubectl apply -n astronomer -f <filename>.yaml

Step 3: Enable Microsoft Entra ID in your values.yaml file

Add the following values to your values.yaml file:

1astronomer:
2  houston:
3    # Add/extend astronomer.houston.secret section if using IDP Group Sync
4    #secret:
5    #  - envName: "AUTH__OPENID_CONNECT__MICROSOFT__CLIENT_SECRET"
6    #    secretName: "oauth-client-secret"
7    #    secretKey: "client_secret"
8    config:
9      auth:
10        openidConnect:
11          flow: "code"
12          google:
13            enabled: false
14          microsoft:
15            enabled: true
16            clientId: <your-client-id>
17            discoveryUrl: https://login.microsoftonline.com/<tenant-id>/v2.0/.well-known/openid-configuration
18            baseDomain: login.microsoftonline.com
19            authUrlParams:
20              audience: <your-client-id>
21        github:
22          enabled: false

Then, push the configuration change to your platform. See Apply a config change.

Running behind an HTTPS proxy

Integrating an external identity provider with Astronomer requires that the platform’s Houston API component is able to make outbound HTTPS requests to those identity providers in order to fetch discovery documents, sign keys, and ask for user profile information upon login/signup.

If your install is configured without a direct connection to the internet you will need to configure an HTTPS proxy server for Houston.

Configure an HTTPS proxy server for Houston

To configure the proxy server used we need to set the GLOBAL_AGENT_HTTPS_PROXY Environment Variable for the Houston deployment.

To do so, add the following to the Houston section of the values.yaml file in your astronomer directory:

1astronomer:
2  houston:
3    config:
4      auth:
5        openidConnect:
6          custom:
7            enabled: true
8            displayName: My Oauth Provider
9            clientId: ...
10            discoveryUrl: ...
11    env:
12      - name: GLOBAL_AGENT_HTTPS_PROXY
13        value: http://my-proxy:3129

Then, push the configuration change to your platform as described in Apply a config change.

Configure a custom OAuth flow

Starting with Astronomer v0.27, you can set up a custom OAuth authorization flow as an alternative to Astronomer’s default implicit flow. You can customize Astronomer’s existing Okta, Google, and GitHub OAuth flows or import an entirely custom OAuth flow.

This setup must be completed only during a scheduled maintenance window. There should be no active users on your installation until the setup has been finalized.

Step 1: Configure your authorization flow on Astronomer

To use a custom Oauth authorization code flow:

  1. In your values.yaml file, set the astronomer.houston.config.auth.openidConnect.flow value to "code":

    1astronomer:
    2  houston:
    3    config:
    4      auth:
    5        # Local database (user/pass) configuration.
    6        local:
    7          enabled: true
    8        openidConnect:
    9          # Valid values are "code" and "implicit"
    10          flow: "code"

  2. Configure the section of your values.yaml file specific to your identity provider with each of the following values:

    • enabled: Set this value to true under the section for your own identity provider.
    • clientId: Your Client ID and Client secret
    • discoveryURL: Your base Discovery URL
    • authUrlParams: Additional parameters to append to your discovery URL. At a minimum, you must configure audience. Refer to your identity provider’s documentation for information on how to find this value (Auth0 maintains this information in their glossary, for example).

    For example, a custom configuration of Okta might look like the following.

    1astronomer:
    2  houston:
    3    secret:
    4      - envName: "AUTH__OPENID_CONNECT__OKTA__CLIENT_SECRET"
    5        secretName: "oauth-client-secret"
    6        secretKey: "client_secret"
    7    config:
    8      auth:
    9        okta:
    10          enabled: true
    11          clientId: ffhsdf78f734h2fsd
    12          discoveryUrl: "https://<your-idp-url>.okta.com/oauth2/default/.well-known/openid-configuration"
    13          authUrlParams:
    14            audience: "GYHWEYHTHR443fFEW"
    1. Push your configuration changes to your platform as described in Apply a config change.

Step 2: Configure your identity provider

To finalize your configuration, configure the following key values in your identity provider’s settings:

  • Grant Code: Set to “Code” or “Auth Code” depending on your identity provider.
  • Sign-in Redirect URI: Set to https://houston.<BASE_DOMAIN>/v1/oauth/callback/. Be sure to include the trailing /.

Step 3: Confirm your installation

When you complete this setup, you should be able to see the differences in login flow when logging in at <BASE_DOMAIN>.astronomer.io.

If you configured a fully custom OAuth flow, you should see a new Log in with Custom Oauth button on the Astronomer login screen:

Custom login button on the Astronomer login screen

You can see the name you configured in AUTH__OPENID_CONNECT__CUSTOM__DISPLAY_NAME when authenticating using the Astro CLI.

Manage users and Teams with SCIM

Astronomer Software supports integration with the open standard System for Cross-Domain Identity Management (SCIM). Using the SCIM protocol with Astronomer Software allows you to automatically provision and deprovision users and Teams based on templates that define permission and accesses. It also centralizes user management so that you can configure Astronomer user permissions directly from your identity provider (IdP).

SCIM works because the IdP pushes updates about users and teams to Astronomer Software. This means your Astronomer Software platform must be connected to the internet and exposed on port 443 to receive those updates. If you run Astronomer Software without exposing it to the internet, there might be solutions with Microsoft Entra ID and Okta for routing SCIM traffic, depending on your combination of cloud provider and IdP. Contact Astronomer support for more information.
Okta
Microsoft Entra ID

  1. In Okta Admin dashboard, go to Applications > Applications.

  2. Click Browse App catalog

  3. Search for SCIM 2.0, then select the option that includes Basic Auth. The configuration page for the SCIM integration appears.

  4. Complete the General Settings page, then click Next.

  5. Complete the Sign-On Options page and click Done.

  6. Return to the Applications menu and search for the integration you just created. Click the integration to open its settings.

  7. Click Provisioning, then click Configure API integration.

  8. Tick the Enable API integration checkbox, then configure the following values:

    • SCIM connector base URL: https://astro-software-host/v1/scim/v2/okta
    • Authentication mode: Basic Auth
      • Username: <your-provisioning-account-username>
      • Password: <your-provisioning-account-password>

  9. Click General, then click Edit. Give your application a name and configure any other required general settings.

  10. Go to Push Groups page and create a rule for Group Push. See Group Push.

  11. On the Assignments tab, ensure that the right users and groups in your org are assigned to the app integration. See Use the Assign Users to App action.

  12. Follow the steps in Store and encrypt identity provider secrets to store your provisioning account credentials as a Kubernetes secret. Make sure to Base64 encode the credentials, as it is a requirement for Kubernetes secrets. This can be done using the Linux or macOS terminal with echo '<your-provisioning-account-username>:<your-provisioning-account-password> | base64. Your secret configuration should look similar to the following:

    1# Required configuration for all secrets
    2kind: Secret
    3apiVersion: v1
    4metadata:
    5     name: okta-provisioning-secret
    6type: Opaque
    7# Specify a key and value for the data you want to encrypt
    8data:
    9    okta_provisioning_account_secret: "<encoded-oauth-client-secret-value>"

  13. Add the following lines to your values.yaml file:

    1astronomer:
    2  houston:
    3    secret:
    4      - envName: "SCIM_AUTH_CODE_OKTA"
    5        secretName: "okta-provisioning-secret"
    6        secretKey: "okta_provisioning_account_secret"

  14. Push the configuration change. See Apply a config change.

See Add SCIM provisioning to app integrations for more information about configuring SCIM within Okta.