Skip to main content
In this lesson, you’ll learn how to secure your Backstage instance by integrating with external identity providers. By default, Backstage allows guest access, but you can restrict sign-in to authorized users only.

Default Guest Access

Out of the box, Backstage permits anyone to sign in as a guest. To prevent unauthorized access, configure an external identity provider before deploying to production.

Supported Identity Providers

Backstage natively supports multiple OAuth and SAML providers. After configuration, users will see additional Sign in buttons on the login page.
Identity ProviderProtocolDocumentation
GitHubOAuth 2.0GitHub Setup
Auth0OAuth 2.0Auth0 Plugin
GoogleOAuth 2.0Google Auth
OneLoginSAMLOneLogin SAML

Authentication Workflow Overview

Below is a high-level OAuth 2.0 flow using GitHub as an example:
  1. The user is already logged into GitHub (e.g., john) in their browser.
  2. They visit Backstage and click Sign in with GitHub.
  3. Backstage requests the GitHub username and receives john.
  4. Backstage checks its catalog for a User entity named john.
  5. If found, the login succeeds; otherwise, it fails.
The image shows a computer screen displaying a GitHub login interface with fields for a username or email address and password. It includes options for password recovery and account creation.
When no matching entity exists, you’ll encounter: 
Error: login failed, no user named john

Defining a Matching User Entity

To allow john to authenticate, add a User entity in your catalog with matching metadata: 
apiVersion: backstage.io/v1alpha1
kind: User
metadata:
  name: john
spec:
  profile:
    displayName: John Doe
    email: [email protected]
    memberOf:
      - team-b
      - employees
Ensure the metadata.name exactly matches the username returned by your OAuth provider.
Once imported, john can sign in with GitHub without errors.

Automating User Import

Maintaining user entities by hand doesn’t scale. Backstage can synchronize users from:
  • GitHub organizations
  • LDAP directories
  • Enterprise identity platforms (Okta, Azure AD)
The image illustrates user integration between two systems, represented by icons and user names, with a gear symbol in the center indicating the connection.
Automated import ensures that your catalog always includes up-to-date user entries before any login attempts occur.

Watch Video