Galaxy supports the following authentication mechanisms:
Galaxy Database - Galaxy-specific login using e-mail address and password (the default);
OIDC and OAuth2.0 - Login to Galaxy using your Google account, without having to create a Galaxy user;
Authentication Framework - A plugin-driven framework supporting LDAP/Active Directory and PAM;
Without any additional configuration Galaxy will simply use its database to maintain usernames and passwords. The Galaxy user interface and API provide functions allowing users to register accounts, change passwords, etc….
If deploying Galaxy using the default authentication option, user activation can be enabled also. This is documented below.
OIDC and OAuth2.0¶
Leveraging OpenID Connect (OIDC) protocol, we enable login to Galaxy without explicitly creating a Galaxy user. This feature is disabled by default. In short, to enable this feature, a Galaxy server admin has to take the following two steps:
Define the Galaxy instance on an OIDC identity provider. At the moment, we support Google and Okta. To set a Galaxy instance on Google, go to credentials section at developers console, and configure the instance. At the end, you’ll receive client ID and client secret take a note of these two tokens. For Okta, create a new application in Okta, type web. At the end you should take note of the client ID and client secret tokens.
Configure Galaxy. In the
galaxy.ymlfile enable the OIDC service using the
enable_oidckey and set the two configuration files (i.e.,
oidc_backends_config_file), based on the IdP information.
Galaxy is distributed with a plugin-driven authentication framework for which the default database authentication is just one (and the default plugin). This framework can be used to allow Galaxy to delegate authentication to an LDAP server, an Active Directory server, or to PAM.
Currently, we provide two variants of the LDAP authenticator namely,
ldap3. Both are identical implementations that use different Python modules for binding and making queries to a LDAP server. The authenticator
ldap is based on the python-ldap module which is a wrapper around the
OpenLDAP’s client library
python-ldap does not provide pre-built Python wheel packages and hence, the OpenLDAP client libraries are needed to install
python-ldap on the Galaxy server.
On the otherhand,
ldap3 is a pure-Python implementation of the OpenLDAP client library and has no external dependencies. This package can be installed out-of-the-box, so we recommend to use it when the OpenLDAP client libraries are not available on the Galaxy server.
These same mechanisms can also be configured by proxies serving Galaxy (e.g. nginx or Apache), but configuring them within Galaxy allows users to use the Galaxy UI for logging in instead of relying on a proxy.
To configure one or more authentication plugins, simply copy
The provided sample configuration file has numerous commented out examples and serves as the most up-to-date source
of documentation on configuring these plugins.
It is relatively straight-forward to add a custom authenticator to the framework. In this example, we will demonstrate
a new authenticator based on the LDAP authenticator that performs custom checks besides password verification for
authenticating a user on the Galaxy instance. First, we will create an authenticator source file
lib/galaxy/auth/providers/ldap_custom.py with the following content:
from ..providers.ldap_ad import LDAP
log = logging.getLogger(__name__)
Attempts to authenticate users against an LDAP server.
plugin_type = "ldap_custom"
def authenticate(self, email, username, password, options, request):
See abstract method documentation.
if options.get("continue-on-failure", "False") == "False":
failure_mode = None # reject and do not continue
failure_mode = False # reject but continue
# Check if user's remote IP is declared in whitelisted IPs
if "white-listed-ips" in options:
user_remote_ip = request.remote_addr
# Get all white listed IPs from the config file
white_listed_ips = options.get("white-listed-ips")
# Convert them into a list
white_listed_ips = white_listed_ips.split(' ')
# Convert user remote IP into IPv4Address object
user_remote_ip_obj = ipaddress.IPv4Address(user_remote_ip)
white_listed_ip_objs = [ipaddress.IPv4Network(ip) for ip in white_listed_ip_objs]
# Make sure white_listed_ip_objs is not empty
# Effectively we are checking if remote ip network subnet
# is subset of allowed subnets. If at least one subnet matches,
# we allow user to authenticate
allowed = any(user_remote_ip_obj in sn for sn in white_listed_ip_objs)
if not allowed:
log.info("LDAP authentication: User remote IP is not listed in whitelisted IPs")
return failure_mode, "", ""
return super().authenticate(email, username, password, options, request)
__all__ = ("LDAPCustom",)
In this simple custom LDAP authenticator, we are verifying the remote IP address of the client is declared in the whitelisted
IP addresses. The so-called
white-listed-ips can be provided within the
auth_config.xml file. However this can be done in
many ways depending on the deployments like getting white listed IPs from LDAP query or simply reading it from a file on the
file system. This list of IP addresses can be a global whitelist or IP addresses per user. In order to use this authenticator,
we need to declare it in the
auth_config.xml file as
Remote User Authentication¶
If Galaxy is deployed with either nginx or Apache serving as a front-end proxy for Galaxy requests, they can be configured to authenticate users and pass this authentication information along to Galaxy using the HTTP remote user mechanism. See, for example, the authentication and authorization guide for the Apache Web server for an impression of the possibilities. Thus, by the time Galaxy is aware of a request, the user identity will have been determined and there will be no need for Galaxy to do any additional authentication work, such as showing a login screen or checking user credentials.
However, accepting an identity asserted by the Web server does not relieve Galaxy from having to create a user account for such an identity. Thus, Galaxy automatically creates a user for each identity of this kind, recording that the user is “external” and also creating a random password in order to effectively disable traditionally performed logins for the user, although the remote user mechanism should normally prohibit any login mechanism other than that imposed by the Web server, and the “external” flag should itself prohibit the traditional mechanism being used with the user concerned. When a remote user returns to Galaxy and is not already logged in, the details of the user are retrieved according to the identity information supplied by the Web server.
Enabling remote user authentication requires you to edit Galaxy’s configuration file and set
This file is likely located in
config/galaxy.yml and can be created by copying Galaxy’s sample
Additional Galaxy configuration options related to remote user authentication are documented in Galaxy’s sample
configuration file. The options
adapt Galaxy to different responses from the proxy, while
remote_user_secret can be used to provide added
remote_user_logout_href can be used to fix Galaxy’s logout for the deployed setup.
Galaxy admins using the default authentication mechanism have an option to turn on the email verification feature to require users to provide working email during the registration. You can also turn on the disposable email domains filter to disable registration for users using known disposable email provider.
How to set up this config is presented here.
Note: SQLite database is not supported with this feature. Please use PostgreSQL.
Account activation feature¶
In the Galaxy config file config/galaxy.yml there is the user activation setting that you have to turn on. By default it is off.
There is also the option for tracking jobs in database that is required to be turned on for the account activation to be effective. By default it is off.
After you turn on both of these every user that will try to register after this configuration file takes effect will have the activation email sent to the email address provided. Unless the
activation_grace_period (see below) is set, the user won’t be able to login before the activation happens.
Furthermore in order for this to work correctly smtp server and email need be set:
Smtp server takes care of the email sending and the
email_from is used as the From address in the verification email.
The mapping of mentioned templates’ variables to config options is as follows:
Changing email address¶
If an activated user changes email address in user settings, their account will be deactivated. A new activation link will be sent and the user will have to visit it to activate the account again.
In case you want the account activation feature but don’t want to disable login completely you can set the
activation_grace_period parameter. It specifies, in hours, the period in between registration time and the login time that the user will be allowed to log in even with an inactive account.
# Activation grace period. Activation is not forced (login is not disabled) until
# grace period has passed. Users under grace period can't run jobs (see inactivity_box_content).
# In hours. Default is 3. Enter 0 to disable grace period.
# Users with OpenID logins have grace period forever.
#activation_grace_period = 3
However with inactive account the user won’t be able to run jobs and warning message will be shown to them at the top of the page. It is customizable via the
# Used for warning box for inactive accounts (unable to run jobs).
# In use only if activation_grace_period is set.
#inactivity_box_content = Your account has not been activated yet. Please activate your account by verifying your email address. For now you can access everything at Galaxy but your jobs won't run.
Disposable email address filtering¶
To prevent users from using unwanted email addresses for the email activation admins can select from two methods of filtering: domain blocking and allowing.
The domain blocklist can be turned on through the
email_domain_blocklist_file path parameter. Users that use disposable email domains defined at the file in this provided path will be refused registration.
# E-mail domains blocklist is used for filtering out users that are using disposable email address
# during the registration. If their address domain matches any domain in the BL they are refused the registration.
email_domain_blocklist_file = config/disposable_email_blocklist.conf
In the file each domain is on its own line and without the @ sign. Example of the blocklist file format:
A disposable domains blocklist file for download and modification is at GitHub
The domain allowlist can be turned on through the
email_domain_allowlist_file path parameter. The file has the same format as the
email_domain_blocklist_file above. The difference is that domains outside of the allowlist will not be allowed for account registration.