Auth providers

CTFreak provides a flexible authentication system that supports both internal users and external authentication providers.

Authentication Providers

Users in CTFreak are grouped by authentication providers:

  • Internal authentication provider: A single provider called “Internal users”, which lets you add internal/local users one by one with username and password authentication.
  • External authentication providers: Multiple providers can be configured to delegate user authentication via SSO (Single Sign-On), supporting standards like OpenID Connect.

Only administrators can create, edit, or delete authentication providers.

Important: There must be at least one internal administrator user to ensure you don’t lose access to CTFreak when external authentication providers are temporarily unavailable.

User Authentication Flow

  1. Internal users authenticate directly with CTFreak using their username and password.
  2. External users are redirected to their authentication provider (e.g., Google, Microsoft, Okta) for authentication and then returned to CTFreak.
  3. On first login with an external provider, a new user account is automatically created in CTFreak.
  4. New users have no roles by default and will need an administrator to directly assign appropriate roles or add them to teams with roles.

Adding an Internal User

To add an internal user:

  1. Log in to the UI as an administrator
  2. Go to People → Users → New user
  3. Complete the form with the required information (name, password, …)

Adding an External Authentication Provider

To add an external authentication provider:

  1. Log in to the UI as an administrator
  2. Go to Settings → Authentication → New auth provider
  3. Complete the form with the required information

Provider Type

Currently, CTFreak supports OpenID Connect as the authentication method. This standard is compatible with many identity providers including:

  • Google
  • Microsoft Azure AD
  • Salesforce
  • Keycloak
  • And many others that implement the OpenID Connect standard

Provider Configuration

When setting up an OpenID Connect provider, you’ll need to provide:

  • Name: The name displayed on the login page (“Connect with…”)
  • Client ID: Obtained from your identity provider
  • Client Secret: Obtained from your identity provider
  • Discovery endpoint: The OpenID Connect discovery endpoint (usually ends with .well-known/openid-configuration)
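Before entering a discovery endpoint in the form, it helps to check the document it serves. The sketch below is an added example, not CTFreak code: it checks an already-fetched discovery document against the fields OpenID Connect Discovery 1.0 requires. The function name `check_discovery`, the `idp.example.test` hostnames and both sample documents are constructed for illustration.

```python
from urllib.parse import urlsplit

SUFFIX = "/.well-known/openid-configuration"
# Metadata that OpenID Connect Discovery 1.0 marks as REQUIRED.
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
            "response_types_supported", "subject_types_supported",
            "id_token_signing_alg_values_supported")

def check_discovery(discovery_url, doc):
    """Return a list of problems found in an already-fetched discovery document."""
    if not discovery_url.endswith(SUFFIX):
        return [f"discovery URL does not end with {SUFFIX}"]
    problems = [f"missing required field: {k}" for k in REQUIRED if k not in doc]
    # The issuer must be the discovery URL minus the well-known suffix; a mismatch
    # means the document describes a different identity provider. Trailing slashes
    # are ignored because some providers include one in the issuer.
    expected = discovery_url[:-len(SUFFIX)]
    issuer = str(doc.get("issuer", ""))
    if issuer.rstrip("/") != expected.rstrip("/"):
        problems.append(f"issuer {issuer!r} does not match {expected!r}")
    # These URLs carry credentials, tokens or signing keys, so plain HTTP is flagged.
    for key in ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri"):
        value = doc.get(key)
        if isinstance(value, str) and urlsplit(value).scheme != "https":
            problems.append(f"{key} is not https: {value}")
    algs = doc.get("id_token_signing_alg_values_supported", [])
    if algs and set(algs) <= {"none"}:
        problems.append("ID tokens are only offered unsigned (alg 'none')")
    return problems

# Constructed sample input: a well-formed document and a broken variant.
URL = "https://idp.example.test/realms/ops" + SUFFIX
GOOD = {
    "issuer": "https://idp.example.test/realms/ops",
    "authorization_endpoint": "https://idp.example.test/realms/ops/auth",
    "token_endpoint": "https://idp.example.test/realms/ops/token",
    "jwks_uri": "https://idp.example.test/realms/ops/certs",
    "response_types_supported": ["code"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
}
BAD = {**GOOD, "issuer": "https://login.other.test",
       "token_endpoint": "http://idp.example.test/realms/ops/token"}
del BAD["jwks_uri"]

if __name__ == "__main__":
    for name, doc in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_discovery(URL, doc) or "ok")
```

In practice the document would be fetched over HTTPS from the discovery URL and passed in as parsed JSON.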