Single Sign-on


Kalm's Single Sign-on (SSO) system is based on the OIDC standard and is built on top of a set of widely used open source projects including Istio, Envoy, and dex. Istio CRDs are used to configure Envoy, ext_authz is used as a filter for protected endpoints. Dex acts as a portal to other identity providers.


The picture below summarizes the basic architecture of Kalm's SSO system. When you first install Kalm, both AuthProxy and Dex are setup automatically.

Any http traffic to your private components will first be checked by AuthProxy. If no valid authentication information is found, a redirect response(to authentication) is returned.

Authentication Flow

For a more detailed view, the following chart details the entire authentication process.

How to setup up SSO

Via Kalm Web Interface


Working in progress

Via kubectl


Working in progress

Last updated on by Scott Winges