Authentication
WireGUI supports multiple authentication methods that can be used individually or in combination.
Local authentication is the default authentication method. Users sign in with their email address and password.

Local authentication can be disabled from the Settings page when SSO is configured, forcing all users to authenticate through an identity provider.
WireGUI integrates with any OIDC-compliant identity provider (Okta, Auth0, Keycloak, Azure AD, Google Workspace, etc.).
When OIDC providers are configured, SSO buttons appear automatically on the login page. Clicking one redirects the user to the identity provider for authentication, then back to WireGUI upon success.
OIDC providers can be configured:
- Via the admin UI - Settings > OpenID Connect Providers (see Settings)
- Via YAML provisioning - Set WG_IDP_CONFIG_FILE to a YAML file path for automated IdP setup

```yaml
openid_connect_providers:
  - id: okta
    label: "Sign in with Okta"
    client_id: "your-client-id"
    client_secret: "your-client-secret"
    discovery_document_uri: "https://your-org.okta.com/.well-known/openid-configuration"
    scope: "openid email profile"
    auto_create_users: true
```

WireGUI supports SAML 2.0 for enterprise SSO. SAML providers can be configured from the admin Settings page or via the YAML provisioning file.
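Because the OIDC provisioning file described earlier holds `client_secret` in plain text, it is worth checking before deployment. The following is an added example, not WireGUI code: `parse_providers`, `lint` and `PLACEHOLDERS` are hypothetical names, the checks are this example's own choices rather than rules WireGUI is documented to enforce, and the reading of `auto_create_users` is assumed from the key name.

```python
import os
import re
import stat
from urllib.parse import urlparse
PLACEHOLDERS = {"", "your-client-id", "your-client-secret"}  # template values from the page

def parse_providers(text):  # reads only the flat shape shown on the page, not general YAML
    providers = []
    for line in text.splitlines():
        m = re.match(r"\s*(- )?(\w+):\s*(.*?)\s*$", line)
        if not m or m.group(2) == "openid_connect_providers":
            continue
        if m.group(1):  # "- id: ..." starts a new provider entry
            providers.append({})
        if providers:
            providers[-1][m.group(2)] = m.group(3).strip("\"'")
    return providers

def lint(text, mode=None):  # mode is the file's st_mode when known
    findings = []
    if mode is not None and mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("file: group/other can access a file holding client_secret")
    for p in parse_providers(text):
        pid = p.get("id", "?")
        uri = urlparse(p.get("discovery_document_uri", ""))
        if uri.scheme != "https" or not uri.netloc:
            findings.append(f"{pid}: discovery_document_uri is not an https URL")
        if p.get("client_id", "") in PLACEHOLDERS or p.get("client_secret", "") in PLACEHOLDERS:
            findings.append(f"{pid}: client_id/client_secret empty or left as placeholder")
        if "openid" not in p.get("scope", "").split():
            findings.append(f"{pid}: scope lacks 'openid'")
        if p.get("auto_create_users") == "true":  # assumed: account made on first SSO login
            findings.append(f"{pid}: auto_create_users on; limit who the IdP lets sign in")
    return findings

# Constructed sample, based on the page's snippet with its placeholder values.
SAMPLE = """\
openid_connect_providers:
  - id: okta
    client_id: "your-client-id"
    client_secret: "your-client-secret"
    discovery_document_uri: "https://your-org.okta.com/.well-known/openid-configuration"
    scope: "openid email profile"
    auto_create_users: true
"""

if __name__ == "__main__":
    path = os.environ.get("WG_IDP_CONFIG_FILE")
    text, mode = (open(path).read(), os.stat(path).st_mode) if path else (SAMPLE, 0o644)
    print("\n".join(lint(text, mode)))
```

With `WG_IDP_CONFIG_FILE` set, the script lints that file and its permissions; otherwise it lints the embedded sample as if it had mode 0644.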
Users can enable MFA from their Account Settings page. Two methods are supported:
- TOTP Authenticator - Time-based one-time passwords compatible with Google Authenticator, Authy, 1Password, etc.
- WebAuthn Security Keys - Hardware security keys (YubiKey, etc.) and platform authenticators (Touch ID, Windows Hello)
When MFA is enabled, after entering their password the user is redirected to an MFA challenge page where they must provide their second factor.
When SMTP is configured (WG_SMTP_HOST, WG_SMTP_USER, etc.), users can request a magic link sent to their email address for passwordless login.
API tokens can be generated from the Account Settings page for programmatic access to the REST API. Tokens are sent in the Authorization: Bearer <token> header.