Kong can verify the identity of all users with Basic
Authentication or LDAP Authentication Advanced.
⚠️ IMPORTANT: Before enabling authentication, ensure that you
have at least one Super Admin account. You may have set one up during
the Quick Start,
or you can set one up on the Organization page of Kong Manager.
How to Set Up a Super Admin

1. Go to the “Organization” tab in Kong Manager.
2. Click “+Invite User” and fill out the form.
3. Give the user the super-admin role in the default workspace.
4. Return to the “Organization” page, and in the “Invited” section, click
   the email address of the user in order to view them.
5. Click “Generate Registration Link”.
6. Copy the link for later use after completing the account setup.
How to Enable Basic Authentication

To enable Basic Authentication, configure Kong with the following properties
and then start (or restart) Kong so they take effect:

    enforce_rbac = on
    admin_gui_auth = basic-auth

    $ kong start [-c /path/to/kong/conf]
How to Log In

If you created a Super Admin via database migration as per the guide, log in
to Kong Manager with the username kong_admin and the password set in the
environment variable.

If you created a Super Admin via the Kong Manager “Organization” tab, browse
to the registration link you copied in “How to Set Up a Super Admin”, Step 4.
Fill out the form to create your basic auth credentials. Now you can log in.
Authentication Stored in Local Storage

Kong Manager uses the Local Storage API to store and retrieve the RBAC token,
parameters, and headers. Local Storage is saved on every successful login, and
it is retrieved on every Kong Manager API XHR request based on the
auth-store-types value until you log out.

⚠️ IMPORTANT: Information in Local Storage, including the current user’s RBAC
token, is stored in the browser base64-encoded but not encrypted; base64 is
trivially reversible by anything that can read the browser’s storage.
Therefore, it is advised that you always use SSL/TLS to encrypt your Kong
Manager traffic.
How to Log Out and Log In

Hover over the account name at the top right, and click the “Logout” button.
This will clear the Local Storage authentication data (if any) and redirect to
the login page.

Ensure you are logged out before attempting to log in with a different
account. Visit Kong Manager, where you will be prompted with a login form.
When you submit the login form, Kong Manager will make a request against the
Admin API using the specified admin_gui_auth with the data in the form. For
instance, if you have basic-auth enabled, then the form will submit with the
Authorization header; e.g., Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=
(the base64 encoding of username:password). If successful, the RBAC token
associated with this Admin will be stored locally and used for subsequent
browser requests.
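The following added example (not code from the Kong project or this page) shows what the Authorization header in the login flow above actually carries. It builds the header the way the browser does, decodes it back to show that base64 is encoding rather than encryption, and assembles the login request while refusing to send credentials over plain http, which is the reason the page insists on SSL/TLS. The `/auth` path and the `Kong-Admin-User` header are assumptions for illustration; the sample header value is the one quoted on the page.

```python
import base64
import binascii
from urllib.parse import urlsplit

# Sample header value as quoted on the page (constructed credentials, not real ones).
SAMPLE_HEADER = "Basic dXNlcm5hbWU6cGFzc3dvcmQ="


def build_basic_header(username: str, password: str) -> str:
    """Build the Authorization header the login form submits for basic-auth.

    RFC 7617: "Basic " + base64("username:password"). A colon in the
    username is rejected because the receiver splits on the first colon.
    """
    if ":" in username:
        raise ValueError("username must not contain ':'")
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_header(header: str) -> tuple[str, str]:
    """Recover (username, password) from a Basic header.

    Anything that sees the header (a proxy, an access log, a browser
    extension) can do exactly this: base64 is not encryption.
    """
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic authorization header")
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("malformed base64 credentials") from exc
    username, sep, password = raw.decode("utf-8").partition(":")
    if not sep:
        raise ValueError("credentials missing ':' separator")
    return username, password


def login_request(admin_api_url: str, username: str, password: str) -> dict:
    """Assemble the login request Kong Manager would make against the Admin API.

    Refuses non-https URLs: the header is recoverable by anyone on the
    network path, so it must only travel over TLS. The "/auth" endpoint
    and the Kong-Admin-User header are assumptions made for this example.
    """
    parts = urlsplit(admin_api_url)
    if parts.scheme != "https":
        raise ValueError(f"refusing to send credentials over {parts.scheme!r}; use https")
    return {
        "method": "GET",
        "url": admin_api_url.rstrip("/") + "/auth",
        "headers": {
            "Authorization": build_basic_header(username, password),
            "Kong-Admin-User": username,
        },
    }


if __name__ == "__main__":
    user, pw = parse_basic_header(SAMPLE_HEADER)
    print(f"{SAMPLE_HEADER!r} decodes to user={user!r} password={pw!r}")
    req = login_request("https://kong-admin.example.internal:8444", "kong_admin", pw)
    print(req["method"], req["url"], req["headers"]["Authorization"])
```

Run it as a script to see the page's sample header decode to `username:password`; pointing `login_request` at an `http://` Admin API URL raises instead of building the request.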
The LDAP Authentication Advanced plugin allows Admins to use their own LDAP
server to bind authentication to the Admin API with username and password
protection. Note: You must use Basic as your header_type in the
admin_gui_auth_config Kong configuration. To implement this (and any other)
configuration, restart Kong after saving changes to

    admin_gui_auth = ldap-auth-advanced
    enforce_rbac = on

The values above can be replaced with their corresponding values for your custom
<ENTER_YOUR_BIND_DN_HERE> - Your LDAP Bind DN (Distinguished Name)
  * Used to perform the LDAP search of the user. This bind_dn should have
    permissions to search for the user being authenticated.
  * For example, uid=einstein,ou=scientists,dc=ldap,dc=com
<ENTER_YOUR_BASE_DN_HERE> - Your LDAP Base DN (Distinguished Name)
  * For example, ou=scientists,dc=ldap,dc=com
<ENTER_YOUR_LDAP_HOST_HERE> - LDAP Host domain
  * For example, ec2-XX-XXX-XX-XXX.compute-1.amazonaws.com
After you have updated your configuration and restarted Kong, you will be able
to log in to Kong Manager with a username and password validated against your
remote LDAP server.
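Because a mistake in the LDAP settings only shows up after Kong has been restarted with RBAC enforced, it is worth checking the values before the restart. The following added example (not code from Kong or this page) does that for the three placeholders listed above: it refuses values that still contain a placeholder, parses each DN into its RDNs, checks the host is a bare host name, and confirms header_type is Basic as the note above requires. The dictionary keys bind_dn, base_dn, ldap_host and header_type are assumed names chosen to mirror the placeholders; the sample values are the page's own examples.

```python
import re

# Placeholders exactly as they appear on the page; a config still containing
# one of them has not been filled in.
PLACEHOLDERS = {
    "<ENTER_YOUR_BIND_DN_HERE>",
    "<ENTER_YOUR_BASE_DN_HERE>",
    "<ENTER_YOUR_LDAP_HOST_HERE>",
}

# One host-name label per RFC 1123: letters, digits, hyphen; no edge hyphens.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Constructed from the page's example values (assumed key names).
SAMPLE_CONFIG = {
    "bind_dn": "uid=einstein,ou=scientists,dc=ldap,dc=com",
    "base_dn": "ou=scientists,dc=ldap,dc=com",
    "ldap_host": "ec2-XX-XXX-XX-XXX.compute-1.amazonaws.com",
    "header_type": "Basic",
}


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split an LDAP DN into (attribute, value) RDNs, left to right.

    Honours backslash-escaped commas (RFC 4514); multi-valued RDNs ('+'),
    which the page's examples do not use, are not handled.
    """
    rdns, buf, escaped = [], "", False
    for ch in dn:
        if escaped:
            buf += ch
            escaped = False
        elif ch == "\\":
            buf += ch
            escaped = True
        elif ch == ",":
            rdns.append(buf)
            buf = ""
        else:
            buf += ch
    rdns.append(buf)
    out = []
    for rdn in rdns:
        attr, sep, value = rdn.strip().partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        out.append((attr.strip().lower(), value.strip()))
    return out


def check_ldap_settings(cfg: dict) -> list[str]:
    """Return every problem found in the LDAP auth settings (empty list = ok)."""
    problems = []
    for key in ("bind_dn", "base_dn", "ldap_host", "header_type"):
        if key not in cfg:
            problems.append(f"{key}: missing")
    # Unreplaced placeholders are reported once and skipped by later checks.
    for key, value in cfg.items():
        if isinstance(value, str) and value.strip() in PLACEHOLDERS:
            problems.append(f"{key}: placeholder {value.strip()!r} was not replaced")
    for key in ("bind_dn", "base_dn"):
        value = cfg.get(key)
        if isinstance(value, str) and value.strip() not in PLACEHOLDERS:
            try:
                parse_dn(value)
            except ValueError as exc:
                problems.append(f"{key}: {exc}")
    host = cfg.get("ldap_host")
    if isinstance(host, str) and host.strip() not in PLACEHOLDERS:
        if host.startswith(("ldap://", "ldaps://")):
            problems.append("ldap_host: give the host name only, without a scheme")
        elif not all(_LABEL.match(label) for label in host.split(".")):
            problems.append(f"ldap_host: {host!r} is not a valid host name")
    if cfg.get("header_type", "Basic") != "Basic":
        problems.append("header_type: Kong Manager requires 'Basic'")
    return problems


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG),
                      ("unfilled", dict(SAMPLE_CONFIG, bind_dn="<ENTER_YOUR_BIND_DN_HERE>"))):
        found = check_ldap_settings(cfg)
        print(f"{name}: {'ok' if not found else found}")
```

The check is deliberately offline: it catches the editing mistakes (placeholder left in, DN typo, scheme pasted into the host field, wrong header_type) that would otherwise lock you out of Kong Manager after the restart. Whether the bind DN can actually search the base DN still has to be confirmed against the LDAP server itself.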