Using OpenID Connect for Site Admin Access

Sourcegraph employees' access to the application interface (Web UI) of managed instances is restricted to essential personnel only. This ensures Sourcegraph is able to help customers troubleshoot issues and deliver a smooth experience. We use OpenID Connect to give Sourcegraph employees access to customer instances so that there is an audit trail for every access.

Enable OIDC for Managed Instance

All Managed Instances (internal, trial and paid) have Okta OIDC access enabled as follows:

  1. An Okta web application is created via Terraform code for each Managed Instance module.
  2. The Okta OIDC configuration is added to the Managed Instance from GSM during the initialisation process.
  3. Sourcegraph employee accounts are created and promoted to site admins for the given instance.
  4. The configuration is synchronised every hour via a GitHub Action.

Admin users on Managed Instance

  1. Every instance has a Sourcegraph Admin user added during initialisation of the Managed Instance. This admin user has a username, password and token stored in the Managed Instance's GCP Secret Manager. This token is used to access the Managed Instance from the mg CLI. For customers who did not disable OIDC, the token is used to impersonate the user invoking the action on the Managed Instance; otherwise the action is invoked as the Sourcegraph Admin user.

Unless the customer has explicitly disabled OIDC on the Managed Instance, admin users also include:

  1. All Cloud Team members
  2. Additional Customer Engineer(s) from the CE List, added to config.yaml via additionalAdmins

Disabling Okta OIDC on Managed Instance

Okta OIDC access is disabled on an instance when the customer explicitly asks for it, via the configuration flag disableSourcegraphManagementAccess: true in config.yaml.


Does it affect the number of seats customers pay for in the license?

Each essential Sourcegraph employee will effectively be an actual user in the customer instance, so they will count toward the license seat count. However, we allocated an additional 10 seats in the license to accommodate the seats used by internal Sourcegraph teammates with Site Admin access.