Authentication Providers

Learn about authentication providers available in Endor Labs.

Authentication through Endor Labs is done through an external identity provider. Some authentication mechanisms are generally designed for human users, while others are designed for machine identities.

Endor Labs supports the following authentication mechanisms for human users.

  • Google - Authentication is provided through a user's Google Workspace or Gmail account.
  • GitHub - Authentication is provided through a user's GitHub account.
  • GitLab - Authentication is provided through a user's GitLab account.
  • Email - Authentication is provided through an email link sent to a user.
  • Custom Identity Providers - An enterprise identity provider, such as Okta or VMware One, that uses the SAML or OIDC protocol. See Custom identity providers for more information.

Endor Labs supports the following authentication mechanisms for machine identities, such as continuous integration or automation systems.

  • Google Cloud - With Google Cloud workload identity federation, service accounts may be used to federate identity to Endor Labs. See Keyless authentication for more information.
  • GitHub Action OIDC - With GitHub Action OIDC, you can federate the identity of your workloads to Endor Labs. See Keyless authentication for more information.
  • AWS Role - With AWS identity federation, you can use the AWS ARN of the role as the identity of a machine user. See Keyless authentication for more information.

Session duration

The duration of the session token determines how long a user stays authorized in Endor Labs. At the end of the session duration, the user's authentication is invalidated and the user must reauthenticate.

The default duration of the session token is four hours if you have not set the session duration in your IdP. Endor Labs honors the session duration set in the IdP, after which the user needs to reauthenticate. For SAML, you can set the session duration in the SessionNotOnOrAfter attribute. For OIDC, the token expiration claim (exp) controls the session duration.

Session duration cannot be more than four hours. If you configure a session duration for more than four hours in the IdP, the session duration defaults to four hours.
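
The following added example (not Endor Labs code) audits what session length an IdP response requests and what remains after the four-hour default and cap described above. It assumes the IdP-set duration is SessionNotOnOrAfter minus AuthnInstant for SAML and exp minus iat for OIDC; the sample assertion and token are constructed, and signatures are not verified.

```python
import base64
import json
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

MAX_SESSION = timedelta(hours=4)  # default and upper bound stated on this page
SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion: the IdP asks for an eight-hour session.
SAMPLE_SAML = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AuthnStatement AuthnInstant="2024-01-01T09:00:00Z"
                       SessionNotOnOrAfter="2024-01-01T17:00:00Z"/>
</saml:Assertion>"""

def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed, unsigned ID token: exp is one hour after iat.
SAMPLE_ID_TOKEN = ".".join(
    [_b64url({"alg": "none"}), _b64url({"iat": 1700000000, "exp": 1700003600}), "sig"])

def _parse_ts(value):
    # SAML timestamps are UTC xs:dateTime values such as 2024-01-01T09:00:00Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def saml_requested(assertion_xml):
    """Requested SAML session length, or None when SessionNotOnOrAfter is absent."""
    # ElementTree is fine for your own IdP's samples; use defusedxml on untrusted XML.
    stmt = ET.fromstring(assertion_xml).find(".//saml:AuthnStatement", SAML_NS)
    if stmt is None or "SessionNotOnOrAfter" not in stmt.attrib:
        return None
    return _parse_ts(stmt.attrib["SessionNotOnOrAfter"]) - _parse_ts(stmt.attrib["AuthnInstant"])

def oidc_requested(id_token):
    """Requested OIDC session length from the exp and iat claims (signature not checked)."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if "exp" not in claims or "iat" not in claims:
        return None
    return timedelta(seconds=claims["exp"] - claims["iat"])

def effective_session(requested):
    """Apply the rule above: four hours by default, never more than four hours."""
    if requested is None:
        return MAX_SESSION
    if requested <= timedelta(0):
        raise ValueError("session end is not after the authentication time")
    return min(requested, MAX_SESSION)
```

Running `effective_session(saml_requested(...))` against an assertion captured from your own IdP shows whether a longer configured session is being reduced to four hours.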