AuthServer
Dashboard
Manage auth and authorization from the embedded admin UI.
The dashboard is an admin UI embedded in your app. It covers AuthServer, Audit Logs, communications, and FGA.
The default path is DashboardBasePath (/sqlos). Register SqlOS, then call app.MapSqlOS() after Build().
Example: http://localhost:5062/sqlos/. Protect it with a password set in appsettings.json (or environment variables).

/sqlos and /sqlos/admin are administrative endpoints for users, organizations, memberships, clients, OIDC/SAML connections, security settings, sessions, audit events, and FGA data. In production, keep them on a trusted network or place them behind HTTPS, reverse-proxy or edge rate limiting, and an admin access layer such as VPN, identity-aware proxy, SSO, or MFA.
Password mode includes dashboard-specific per-IP throttling, global backoff for distributed failures, temporary lockout, and audit events for login success, login failure, rate-limit rejection, lockout, and logout. Treat those built-in controls as a baseline, not as the only protection for a publicly reachable admin surface.
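One way to put an outer layer in front of those built-in controls from inside the host, as an added example (not SqlOS code): an ASP.NET Core Program.cs that answers 404 to /sqlos requests from outside a trusted-network allowlist and applies a coarse per-client rate limit to the rest. The CIDR ranges, the limit values, the `ClientIp` helper, and the placeholder endpoint standing in for app.MapSqlOS() are assumptions.

```csharp
// Added example, not SqlOS code: Program.cs for an ASP.NET Core (.NET 8+) host.
using System.Net;
using System.Threading.RateLimiting;
using Microsoft.AspNetCore.RateLimiting;

const string DashboardPath = "/sqlos"; // default DashboardBasePath from the page

// Assumption: placeholder ranges; replace with your VPN or office networks.
var trusted = new[] { "127.0.0.0/8", "::1/128", "10.8.0.0/16" }
    .Select(cidr => IPNetwork.Parse(cidr)).ToArray();

var builder = WebApplication.CreateBuilder(args);

// Coarse per-client limit on dashboard requests only (assumed values).
builder.Services.AddRateLimiter(o =>
{
    o.RejectionStatusCode = StatusCodes.Status429TooManyRequests;
    o.GlobalLimiter = PartitionedRateLimiter.Create<HttpContext, string>(ctx =>
        ctx.Request.Path.StartsWithSegments(DashboardPath)
            ? RateLimitPartition.GetFixedWindowLimiter(
                ClientIp(ctx)?.ToString() ?? "unknown",
                _ => new FixedWindowRateLimiterOptions { PermitLimit = 60, Window = TimeSpan.FromMinutes(1) })
            : RateLimitPartition.GetNoLimiter("not-dashboard"));
});

var app = builder.Build();
app.UseHttpsRedirection();
app.UseRateLimiter();

// The gate is added before the dashboard is mapped. StartsWithSegments compares
// case-insensitively, so /SQLOS/admin is covered too.
app.UseWhen(ctx => ctx.Request.Path.StartsWithSegments(DashboardPath), gated =>
    gated.Use(async (ctx, next) =>
    {
        var ip = ClientIp(ctx);
        if (ip is null || !trusted.Any(n => n.Contains(ip)))
        {
            ctx.Response.StatusCode = StatusCodes.Status404NotFound; // do not advertise the admin surface
            return;
        }
        await next(ctx);
    }));

// Stand-in so the file runs without the package; a real host calls app.MapSqlOS() here.
app.MapGet(DashboardPath + "/{**rest}", () => "dashboard placeholder");
app.Run();

// IPv4 clients on a dual-stack socket arrive as ::ffff:a.b.c.d; unwrap before matching.
static IPAddress? ClientIp(HttpContext ctx) =>
    ctx.Connection.RemoteIpAddress is { IsIPv4MappedToIPv6: true } ip ? ip.MapToIPv4() : ctx.Connection.RemoteIpAddress;
```

Behind a reverse proxy, RemoteIpAddress is the proxy's own address unless forwarded-headers handling is configured with that proxy listed as known, so configure that first or enforce the allowlist at the proxy instead.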
| Page | URL | What you can do |
|---|---|---|
| Organizations | /sqlos/admin/auth/organizations | Create tenants, set primary domains for SSO |
| Users | /sqlos/admin/auth/users | Create users, assign passwords |
| Memberships | /sqlos/admin/auth/memberships | Link users to organizations with roles and manage invitations |
| Clients | /sqlos/admin/auth/clients | Register OAuth clients with redirect URIs |
| OIDC | /sqlos/admin/auth/oidc | Configure social login providers |
| SSO | /sqlos/admin/auth/sso | Set up SAML enterprise SSO and delegated org-admin setup links |
| Auth Page | /sqlos/admin/auth/settings | Configure hosted/headless credential types, AuthPage branding, and email branding |
| MFA | /sqlos/admin/auth/mfa | Configure global MFA availability, TOTP, self-enrollment, recovery codes, and global requirement policy |
| Security | /sqlos/admin/auth/security | Configure session and token lifetimes |
| Sessions | /sqlos/admin/auth/sessions | View and manage active sessions |
| Audit Events | /sqlos/admin/auth/audit | Review authentication events through the central Audit Logs view |

| Page | URL | What you can do |
|---|---|---|
| Audit Logs | /sqlos/admin/audit/logs | Search, filter, inspect, and export SqlOS and host-application audit events |

Audit Logs are a top-level governance surface. Filter by organization, application/client, source, action, actor, target, date range, result/status metadata, or free text. CSV export uses the same filters and is bounded for dashboard use.
The Auth Page settings screen includes email branding for built-in OTP and invitation emails. It stores the application name, logo data URL, primary color, accent color, and background color used by the default templates.
For setup details, see Email OTP, Email Invitations, and Email Branding.
Open an organization, choose the SSO tab, and create a setup link when a customer IT admin should configure SAML themselves. The link is scoped to one organization, can be revoked from the same tab, and opens /sqlos/admin/auth/sso-portal instead of the full dashboard.
The portal shows Microsoft Entra, Okta, Google Workspace, and generic SAML setup paths. It displays copy-ready SP Entity ID and ACS URL values, verifies the customer email domain through a DNS TXT record, accepts pasted or uploaded metadata XML, validates the IdP entity ID, SSO URL, and signing certificate, then lets the customer activate, disable, replace metadata, and run a SAML test redirect.
Portal launch, open, revoke, provider selection, domain verification, metadata import, activation, disable, and test actions are audit logged with the organization id.
Hosts can disable the bundled portal and redirect opened sessions to their own admin UI with SsoPortal.BuildUiUrl. The same setup state machine is available at /sqlos/admin/auth/sso-portal/api/setup by default.
The MFA page controls application-wide authenticator-app policy:
If MFA settings are managed by a startup seed, the dashboard shows a startup-managed callout because code/config will reapply those values on restart.
Organization-specific MFA policy is available through the admin API and startup seeding in this release. Use it when one tenant requires MFA and another tenant leaves it optional.
For setup details, see MFA and TOTP and Require Authenticator MFA.

| Page | URL | What you can do |
|---|---|---|
| Resources | /sqlos/admin/fga/resources | Browse the resource hierarchy |
| Grants | /sqlos/admin/fga/grants | Manage subject-role-resource assignments |
| Roles | /sqlos/admin/fga/roles | Define roles and link permissions |
| Permissions | /sqlos/admin/fga/permissions | View permission keys by resource type |
| Subjects | /sqlos/admin/fga/users | Manage FGA users, agents, service accounts, groups |
| Access Tester | /sqlos/admin/fga/access-tester | Test access decisions with a detailed trace |

The Sessions page lists who is signed in, how they signed in, which client they used, and when each session expires.
