<!doctype html><htmllang=enclass=no-js><head><metacharset=utf-8><metaname=viewportcontent="width=device-width,initial-scale=1"><metaname=descriptioncontent="Manage WireGuard Peers and Interface using a beautiful and simple web UI."><linkhref=https://wgportal.org/master/documentation/usage/authentication/rel=canonical><linkhref=../backends/rel=prev><linkhref=../user-sync/rel=next><linkrel=iconhref=../../../assets/images/favicon-large.png><metaname=generatorcontent="mkdocs-1.6.1, mkdocs-material-9.7.6"><title>Authentication - WireGuard Portal</title><linkrel=stylesheethref=../../../assets/stylesheets/main.484c7ddc.min.css><linkrel=stylesheethref=../../../assets/stylesheets/palette.ab4e12ef.min.css><linkrel=stylesheethref=../../../stylesheets/extra.css><linkrel=stylesheethref=../../../stylesheets/img-comparison-slider.css><script>__md_scope=newURL("../../..",location),__md_hash=e=>[...e].reduce(((e,_)=>(e<<5)-e+_.charCodeAt(0)),0),__md_get=(e,_=localStorage,t=__md_scope)=>JSON.parse(_.getItem(t.pathname+"."+e)),__md_set=(e,_,t=localStorage,a=__md_scope)=>{try{t.setItem(a.pathname+"."+e,JSON.stringify(_))}catch(e){}}</script><metaproperty=og:typecontent=website><metaproperty=og:titlecontent="Authentication - WireGuard Portal"><metaproperty=og:descriptioncontent="Manage WireGuard Peers and Interface using a beautiful and simple web UI."><metaproperty=og:imagecontent=https://wgportal.org/master/assets/images/social/documentation/usage/authentication.png><metaproperty=og:image:typecontent=image/png><metaproperty=og:image:widthcontent=1200><metaproperty=og:image:heightcontent=630><metacontent=https://wgportal.org/master/documentation/usage/authentication/property=og:url><metaproperty=twitter:cardcontent=summary_large_image><metaproperty=twitter:titlecontent="Authentication - WireGuard Portal"><metaproperty=twitter:descriptioncontent="Manage WireGuard Peers and Interface using a beautiful and simple web 
UI."><metaproperty=twitter:imagecontent=https://wgportal.org/master/assets/images/social/documentation/usage/authentication.png></head><bodydir=ltrdata-md-color-scheme=defaultdata-md-color-primary=whitedata-md-color-accent=indigo><inputclass=md-toggledata-md-toggle=drawertype=checkboxid=__drawerautocomplete=off><inputclass=md-toggledata-md-toggle=searchtype=checkboxid=__searchautocomplete=off><labelclass=md-overlayfor=__drawer></label><divdata-md-component=skip><ahref=#password-authenticationclass=md-skip> Skip to content </a></div><divdata-md-component=announce></div><divdata-md-color-scheme=defaultdata-md-component=outdatedhidden></div><headerclass=md-headerdata-md-component=header><navclass="md-header__inner md-grid"aria-label=Header><ahref=../../..title="WireGuard Portal"class="md-header__button md-logo"aria-label="WireGuard Portal"data-md-component=logo><imgsrc=../../../assets/images/logo.svgalt=logo></a><labelclass="md-header__button md-icon"for=__drawer><svgxmlns=http://www.w3.org/2000/svgviewbox="0 0 24 24"><pathd="M3 6h18v2H3zm0 5h18v2H3zm0 5h18v2H3z"/></svg></label><divclass=md-header__titledata-md-component=header-title><divclass=md-header__ellipsis><divclass=md-header__topic><spanclass=md-ellipsis> WireGuard Portal </span></div><divclass=md-header__topicdata-md-component=header-topic><spanclass=md-ellipsis> Authentication </span></div></div></div><labelclass="md-header__button md-icon"for=__search><svgxmlns=http://www.w3.org/2000/svgviewbox="0 0 24 24"><pathd="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.52 6.52 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 
5"/></svg></label><divclass=md-searchdata-md-component=searchrole=dialog><labelclass=md-search__overlayfor=__search></label><divclass=md-search__innerrole=search><formclass=md-search__formname=search><inputtype=textclass=md-search__inputname=queryaria-label=Searchplaceholder=Searchautocapitalize=offauto
</code></pre></div>
<p>Replace <code>&lt;external_url&gt;</code> with the value configured in <a href=../../configuration/overview/#external_url><code>external_url</code></a> and <code>&lt;provider_name&gt;</code> with the exact <code>provider_name</code> from the matching OAuth2 or OIDC provider configuration.</p>
<h4 id=limiting-login-to-specific-domains>Limiting Login to Specific Domains</h4>
<p>You can limit the login to specific domains by setting the <code>allowed_domains</code> property for OAuth2 or OIDC providers. This property is a comma-separated list of domains that are allowed to log in. The user's email address is checked against this list. For example, if you want to allow only users with an email address ending in <code>outlook.com</code> to log in, set the property as follows:</p>
<div class=highlight><pre><span></span><code><span class=nt>auth</span><span class=p>:</span>
</code></pre></div>
<h4 id=limiting-login-to-specific-user-groups>Limiting Login to Specific User Groups</h4>
<p>You can limit the login to specific user groups by setting the <code>allowed_user_groups</code> property for OAuth2 or OIDC providers. If this property is not empty, the user's <code>user_groups</code> claim must contain at least one matching group.</p>
<p>To use this feature, ensure your group claim is mapped via <code>field_map.user_groups</code>.</p>
<div class=highlight><pre><span></span><code><span class=nt>auth</span><span class=p>:</span>
</code></pre></div>
<p>If <code>allowed_user_groups</code> is configured and the authenticated user has no matching group in <code>user_groups</code>, login is denied.</p>
<p>Minimal deny-by-group example:</p>
<div class=highlight><pre><span></span><code><span class=nt>auth</span><span class=p>:</span>
</code></pre></div>
<h4 id=limit-login-to-existing-users>Limit Login to Existing Users</h4>
<p>You can limit the login to existing users only by setting the <code>registration_enabled</code> property to <code>false</code> for OAuth2 or OIDC providers. If registration is enabled, new users will be created in the database when they log in for the first time.</p>
<h4 id=admin-mapping>Admin Mapping</h4>
<p>You can map users to admin roles based on their attributes in the OAuth2 or OIDC provider. To do this, set the <code>admin_mapping</code> property for the provider. Administrative access can be mapped either by a specific attribute or by group membership.</p>
<p><strong>Attribute-specific mapping</strong> can be achieved by setting the <code>admin_value_regex</code> and the <code>is_admin</code> property. The <code>admin_value_regex</code> property is a regular expression that is matched against the value of the <code>is_admin</code> attribute. The user is granted admin access if the regex matches the attribute value.</p>
<p>Example: <div class=highlight><pre><span></span><code><span class=nt>auth</span><span class=p>:</span>
</code></pre></div> The example above will grant admin access to users with the <code>wg_admin_prop</code> attribute set to <code>true</code>.</p>
<p><strong>Group membership mapping</strong> can be achieved by setting the <code>admin_group_regex</code> and <code>user_groups</code> property. The <code>admin_group_regex</code> property is a regular expression that is matched against the group names of the user. The user is granted admin access if the regex matches any of the group names.</p>
<p>Example: <div class=highlight><pre><span></span><code><span class=nt>auth</span><span class=p>:</span>
</code></pre></div> The example above will grant admin access to users who are members of the <code>the-admin-group</code> group.</p>
<h2 id=ldap-authentication>LDAP Authentication</h2>
<p>WireGuard Portal supports LDAP authentication. You can use any LDAP server that supports the LDAP protocol, such as Active Directory or OpenLDAP. Multiple LDAP servers can be configured in the <a href=../../configuration/overview/#auth><code>auth</code></a> section of the configuration file. WireGuard Portal remembers the authentication provider of each user and therefore avoids conflicts between multiple LDAP providers.</p>
<p>To configure LDAP authentication, create a new <a href=../../configuration/overview/#ldap><code>ldap</code></a> authentication provider in the <a href=../../configuration/overview/#auth><code>auth</code></a> section of the configuration file.</p>
<h3 id=limiting-login-to-specific-users>Limiting Login to Specific Users</h3>
<p>You can limit the login to specific users by setting the <code>login_filter</code> property for an LDAP provider. This filter uses the LDAP search filter syntax. The username can be inserted into the query by placing the <code>{{login_identifier}}</code> placeholder in the filter. This placeholder is replaced with the username entered by the user during login.</p>
<p>For example, if you want to allow only users with the <code>objectClass</code> attribute set to <code>organizationalPerson</code> to log in, set the property as follows:</p>
<div class=highlight><pre><span></span><code><span class=nt>auth</span><span class=p>:</span>
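As an added example (not WireGuard Portal's own code), the following Go sketch evaluates the OAuth2/OIDC login restrictions and admin mapping described in the sections above: allowed_domains, allowed_user_groups, admin_value_regex against the attribute mapped via is_admin, and admin_group_regex against the claim mapped via user_groups. The Provider and Claims types, the whole-domain comparison and the fail-closed handling of invalid patterns are assumptions of this example.

```go
package main

import "regexp"
import "strings"

// Provider and Claims are assumed shapes for this example, not the project's types.
type Provider struct {
	AllowedDomains, AllowedUserGroups []string // allowed_domains, allowed_user_groups
	AdminValueRegex, AdminGroupRegex  string   // the two admin_mapping regexes
}
type Claims struct { // user info after field_map has been applied
	Email, IsAdmin string   // IsAdmin: raw value of the attribute mapped via is_admin
	UserGroups     []string // the claim mapped via user_groups
}
// matchAny reports whether pattern matches any value; empty or invalid patterns grant nothing.
func matchAny(pattern string, values []string) bool {
	for _, v := range values {
		if ok, err := regexp.MatchString(pattern, v); pattern != "" && err == nil && ok {
			return true
		}
	}
	return false
}

// hasExact reports whether any of want equals one of have (case-folded when fold is set).
func hasExact(want, have []string, fold bool) bool {
	for _, w := range want {
		for _, h := range have {
			if w == h || fold && strings.EqualFold(w, h) {
				return true
			}
		}
	}
	return false
}

// LoginAllowed applies allowed_domains and allowed_user_groups. The domain check compares
// the whole part after "@": a bare suffix check would also accept user@notoutlook.com.
func LoginAllowed(p Provider, c Claims) bool {
	at := strings.LastIndex(c.Email, "@")
	if len(p.AllowedDomains) > 0 && (at < 0 || !hasExact(p.AllowedDomains, []string{c.Email[at+1:]}, true)) {
		return false
	}
	return len(p.AllowedUserGroups) == 0 || hasExact(p.AllowedUserGroups, c.UserGroups, false)
}

// IsAdmin grants admin if admin_value_regex matches is_admin or admin_group_regex matches a group.
func IsAdmin(p Provider, c Claims) bool {
	return matchAny(p.AdminValueRegex, []string{c.IsAdmin}) || matchAny(p.AdminGroupRegex, c.UserGroups)
}
```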
</code></pre></div>
<p>The <code>login_filter</code> should always be designed to return at most one user.</p>
<h3 id=limit-login-to-existing-users_1>Limit Login to Existing Users</h3>
<p>You can limit the login to existing users only by setting the <code>registration_enabled</code> property to <code>false</code> for LDAP providers. If registration is enabled, new users will be created in the database when they log in for the first time.</p>
<h3 id=admin-mapping_1>Admin Mapping</h3>
<p>You can map users to admin roles based on their group membership in the LDAP server. To do this, set the <code>admin_group</code> and <code>memberof</code> properties for the provider. The <code>admin_group</code> property defines the distinguished name of the group whose members are granted admin access. All groups listed in the <code>memberof</code> attribute of the user are checked against this group. If one of the groups matches, the user is granted admin access.</p>
<h3 id=interface-specific-provisioning-filters>Interface-specific Provisioning Filters</h3>
<p>You can restrict which users are allowed to provision peers for specific WireGuard interfaces by setting the <code>interface_filter</code> property. This property is a map where each key corresponds to a WireGuard interface identifier and the value is an LDAP filter. A user will only be able to see and provision peers for an interface if they match the specified LDAP filter for that interface.</p>
<p>Example: <div class=highlight><pre><span></span><code><span class=nt>auth</span><span class=p>:</span>
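The {{login_identifier}} value comes from the login form, so it should be escaped according to RFC 4515 before it is substituted into login_filter; otherwise filter metacharacters in the typed name can widen the match, which works against the requirement that the filter return at most one user. The following Go snippet is an added example of such a substitution, not the project's own code; the template, including its uid attribute, is a constructed assumption.

```go
package main

import (
	"fmt"
	"strings"
)

// escapeFilterValue applies RFC 4515 escaping to a value that will be placed
// inside an LDAP search filter, so the typed login identifier is only ever
// matched as a literal and cannot change the structure of the filter.
func escapeFilterValue(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		switch c := s[i]; c {
		case '\\', '*', '(', ')', 0:
			fmt.Fprintf(&b, `\%02x`, c) // e.g. "*" becomes "\2a"
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// RenderLoginFilter substitutes the {{login_identifier}} placeholder of a
// login_filter template with the escaped identifier the user entered.
// (Added example; the project's own substitution logic is not shown here.)
func RenderLoginFilter(template, loginIdentifier string) string {
	return strings.ReplaceAll(template, "{{login_identifier}}", escapeFilterValue(loginIdentifier))
}

func main() {
	// Constructed template: the objectClass restriction from the text above plus
	// an assumed uid attribute that carries the login name.
	tmpl := "(&(objectClass=organizationalPerson)(uid={{login_identifier}}))"
	fmt.Println(RenderLoginFilter(tmpl, "alice"))
	fmt.Println(RenderLoginFilter(tmpl, "al*ce"))
}
```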