SAML Authentication

rfprado

Hello buddies,

I successfully installed Bacula on Rocky Linux 9.4, and then I thought I could set up SAML to authenticate users into the Bacula frontend.

Bacularis connects remotely with the Bacula Server and MySQL database on another instance. However, although the documentation shows how to set up OAuth2 (https://bacularis.app/doc/api/authorization.html), it's not very clear to me how to configure the authentication feature.

Is there other documentation, a manual, or a wiki that explains this in steps with an example?

Bacula is a huge backup solution and ought to have a flexible way to authenticate, authorize, and account for access from different sources.

gani

Hello @rfprado,

Welcome to the Bacularis User Group.

Thank you for your feature request and question about authentication.

For the SAML authentication, we need some time to check it and decide for this feature request. We will let know here about the result.

For the authentication, the user settings (with roles, access, restrictions and others) you can find on the web interface in this path:

[Main menu] => [Page: Security]

Currently we support three authentication methods:

Local user (default)
HTTP Basic
LDAP

You can read about them here:

https://bacularis.app/doc/brief/configuration.html#authentication

The access to the web interface can be full or restricted on two basic levels:

Access to pages (dashboard, job list, client list, graphs ...etc.)
Access to Bacula resources (jobs, clients, storage ...etc.)

Both levels can be used together or separately. For example we can limit user access to pages or to Bacula resources or to both.

Here you can read about it:

Page access: https://bacularis.app/doc/users/page-access.html
Bacula resources accces: https://bacularis.app/doc/users/resource-access.html
Examples: https://bacularis.app/doc/users/access-examples.html

For your question about OAuth2, this can be configured to communicate between web interface <=> API. By default the web interface <=> API communication goes through HTTP Basic authentication. Web interface have own user accounts that are linked with API accounts through the API hosts feature. API hosts are something like connection between the web interface and API. The API hosts do not mean that they have to be remote hosts, because API hosts can be also created to the same local API instance. The documentation chapter about the API hosts you can find here:

https://bacularis.app/doc/remote/basic.html

Good luck!

Best regards,
Marcin Haba (gani)