Problem/Justification
Currently, TrueNAS SCALE (including the 25.04 Fangtooth release) relies primarily on a local database (truenas_admin), traditional Active Directory, or LDAP for direct web UI dashboard access.
In modern infrastructure environments—ranging from structured corporate networks to security-focused homelabs—centralized identity providers (IdPs) like Azure AD / Microsoft Entra ID, Okta, and Keycloak are the gold standard. To protect the web UI with Single Sign-On (SSO) and mandatory Multi-Factor Authentication (MFA) today, administrators must resort to complex workarounds. These include deploying a dedicated TrueCommand cluster management instance or setting up an identity-aware reverse proxy (such as Authentik, Authelia, or Cloudflare Access) in front of the server.
These workarounds introduce unnecessary architectural complexity and additional points of failure, and they are clumsy to manage at the individual node level. A native OIDC client integration within TrueNAS SCALE would close this security and administration gap completely.
Impact
- Security & Compliance: Enables immediate, seamless enforcement of modern corporate security standards (Conditional Access policies, phishing-resistant MFA, and session timeouts) directly at the storage node interface.
- Centralized Access Control: Administrators can easily revoke or grant access to the TrueNAS dashboard via centralized group policies rather than updating local credentials across independent storage machines.
- Audit and Logging: Better compliance and tracking by linking admin dashboard actions directly to centralized identity logs.
- Broad Adaptability: By implementing OpenID Connect (OIDC) rather than a rigid vendor-specific plugin, TrueNAS automatically gains compatibility with all major providers (Azure Entra ID, Google Workspace, Keycloak, Okta, Authentik).
- Potential Disadvantages/Mitigations: If an identity provider goes offline, admins could lock themselves out. However, this is easily mitigated by retaining a local admin fallback login path (e.g., an “Emergency Local Login” option or a dedicated /login?local query string parameter).
User Story
- Configuration: A TrueNAS administrator navigates to Credentials > Directory Services (or a new “Identity Providers” section) in the Web UI. They toggle on “Enable OpenID Connect” and input their IdP’s Client ID, Client Secret, and Tenant/Issuer URL generated from their Azure Entra ID App Registration.
- Authorization Mapping: The administrator defines a specific claim or group mapping (e.g., matching the OIDC token group claim truenas-superadmins to the local admin role permissions).
- Authentication: The next time a team member visits the TrueNAS login page, they are presented with a clean “Sign in with SSO” button alongside the standard login box.
- Access: Clicking the button redirects the user to Microsoft’s official login portal. After completing their enterprise password and phone/token MFA prompt, Azure safely redirects them back to the TrueNAS dashboard, completely authenticated and authorized to manage the server.
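As an added illustration of the authorization-mapping and access steps above (example code, not TrueNAS code): the ID token returned by the IdP must have its standard claims validated before its group claim is mapped to a local role, and a user with no mapped group is authenticated but still denied. The issuer URL, client ID, the truenas-readonly group and the readonly role are hypothetical values constructed for this example; signature verification is assumed to have been done already by a JOSE library.

```python
import time

# Hypothetical OIDC client settings, as an admin would enter them in the UI
# described above (all values constructed for this example).
OIDC_CONFIG = {
    "issuer": "https://login.microsoftonline.com/EXAMPLE-TENANT-ID/v2.0",
    "client_id": "example-client-id",
    "groups_claim": "groups",
    # IdP group claim value -> local role; unmapped groups confer nothing
    "group_role_map": {"truenas-superadmins": "admin",
                       "truenas-readonly": "readonly"},
}
ROLE_PRECEDENCE = ["admin", "readonly"]  # most privileged first

def validate_id_token_claims(claims, cfg, expected_nonce, now=None):
    """Checks after signature verification (assumed done by a JOSE library)."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != cfg["issuer"]:
        problems.append("issuer mismatch")
    aud = claims.get("aud")
    if cfg["client_id"] not in (aud if isinstance(aud, list) else [aud]):
        problems.append("audience does not include our client_id")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    if claims.get("nonce") != expected_nonce:
        problems.append("nonce mismatch (possible replay)")
    return problems

def map_groups_to_role(claims, cfg):
    """Derive the single most privileged local role from the group claim.
    No mapped group -> None, i.e. authenticated but not authorized."""
    groups = claims.get(cfg["groups_claim"], [])
    roles = {cfg["group_role_map"][g] for g in groups if g in cfg["group_role_map"]}
    return next((r for r in ROLE_PRECEDENCE if r in roles), None)

def authorize_login(claims, cfg, expected_nonce, now=None):
    """Validate claims, then map to a role. Returns (role, problems)."""
    problems = validate_id_token_claims(claims, cfg, expected_nonce, now)
    role = map_groups_to_role(claims, cfg) if not problems else None
    if not problems and role is None:
        problems.append("no mapped group claim; access denied")
    return role, problems

# Constructed sample ID-token payload (signature assumed already verified)
SAMPLE_CLAIMS = {
    "iss": OIDC_CONFIG["issuer"], "aud": OIDC_CONFIG["client_id"],
    "sub": "user-123", "exp": 1_900_000_000, "nonce": "n-abc",
    "groups": ["finance", "truenas-superadmins"],
}
```

The nonce check ties the token to the browser session that started the login, which is what makes the redirect back from the IdP safe to trust.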