
Use Datawiza Access-Proxy to enable Single Sign-On for CVAT


Datawiza Access Proxy is a powerful platform that lets you enable modern authentication and authorization with little or no code. Teams have had great success using it to enable SSO, MFA and advanced Identity & Access Management (IAM) for in-house applications, legacy applications, and popular third-party applications, e.g., Jenkins, WordPress, SuperSet, AirFlow, AWS Elastic MapReduce, and many more.

This document shows you how to enable Single Sign-On (SSO) for CVAT, a very popular ML/AI tool, using Datawiza Access Proxy.

You can also try our SSO-enabled instance to get a sense of what it looks like when SSO is enabled. For this instance, I chose Google as the Identity Provider, so you can sign in with your Google account.


  1. Make sure you have the CVAT repo with the changes in the feature/datawiza-sso branch.

    We are working on merging this branch into the develop branch of the official repo. Once it's in, you can also check it out from the official repo.

  2. Build the image with the following command. If you run into any issue building it, look for a solution in the official CVAT issues first.

    docker compose -f docker-compose.header-auth.yml build

    Alternatively, you can use our pre-built images datawiza/cvat-server-sso:2.0.0 and datawiza/cvat-ui-sso:2.0.0.

  3. Have docker and docker-compose installed in your environment.


There will be two places you need to configure. The first place is the Identity Provider of your choice. The second place is the Datawiza Management Console.

Let's work on each of them as below.

Configure the Identity Provider

Depending on the Identity Provider of your choice, the configuration UI varies considerably. For your convenience, we have compiled a tutorial for configuring each identity provider. Please select the correct tutorial on the left-hand side and follow it.

For this tutorial, I'll use Google as my identity provider as an example.

Configure the Datawiza Management Console

  1. Register an account in the Datawiza Management Console. It's self-registration; you can easily get started with your Google account, Microsoft account, or GitHub account.

  2. Once logged into the Datawiza Management Console, click the orange Getting started button. This gives you a step-by-step guide to configuring your application.

    Getting Started

  3. Add new Deployment

    The first step in the series of configuration steps is to create a deployment. A deployment groups the applications and Identity Providers that are associated with the same cluster of Datawiza Access Brokers. Don't worry if this is a bit hard to grasp at first; you will get used to it as you work with it more. For now, just give your deployment a meaningful name and description.

    Create a Deployment

  4. Add new Application

    The second step is to create an application; this collects the network information of your application.

    Here is the explanation of each field.

    • Platform: Since CVAT is a web application, select WEB here.
    • App Name: The name of your application. Put a meaningful name here. I use cvat.
    • Description: A meaningful description for you to understand this application.
    • Public Domain: This is how your user will access your application. Normally it's the URL in the address bar. You can use http://localhost if you are running locally, be sure to add the port if you have a non-standard one.
    • Listen Port: This is the port that the Datawiza Access Proxy listens on. For simplicity, you can use the same port as the one in Public Domain above if you are not deploying the Datawiza Access Proxy behind a Load Balancer.
    • Upstream Servers: This configuration tells Datawiza Access Proxy how to access the actual application. For CVAT, put http://traefik:8080.

    Create an Application

  5. Add new Identity Provider

    The third step is to fill in the identity provider information, assuming you have followed the steps to configure an application in your identity provider.

    I'm using Google as my identity provider following this tutorial.

    Here is the explanation of each field.

    • Name: A reasonable name for your identity provider.
    • Protocol: Modern identity providers support OIDC. Google does too, and that is how I created my application in Google in the steps above. Therefore I use OIDC here.
    • Identity Provider: Select the one that you are using.
    • Client ID: In the last few steps of configuring the identity provider, it gives you a client ID and a client secret. Fill in the client ID here.
    • Client Secret: Fill in the client secret provided by the identity provider.
    • Issuer: The issuer of your identity provider. Different identity providers keep this information in different places. For Google, just leave the default one.
    • Scopes: Again, different identity providers require different scopes. For Google, just leave the default values.

    Click on Create to proceed.

    Identity Provider Information

  6. Start Access Proxy

    The last step of the guide provides you with the environment configuration. Here you will see the Provision Key and Provision Secret.

    Now edit docker-compose.header-auth.yml in the root dir of your CVAT repo, and replace ${YOUR_PROVISIONING_KEY} and ${YOUR_PROVISIONING_SECRET} with those values.

    Follow steps 1 and 2 on the page to log in to our Docker registry and pull the Access Proxy image. You can ignore step 3 on the page, since that part is already supplied in the docker-compose.header-auth.yml file.

    Docker Compose Information

    Now run

    docker-compose -f docker-compose.header-auth.yml up -d

    to start CVAT with SSO enabled. In your browser, open the Public Domain URL you set earlier; you should see the identity provider's login page at this point.

  7. Pass Attributes/Claims from identity provider to application

    In order for the application to recognize the user correctly, there is one more step to configure, which tells the Access Proxy which values from the identity provider to pass to the application, and under which names.

    This is configured in the Applications tab on the left panel.

    CVAT Left Panel

    Select the corresponding application, and go to Attribute Pass sub-tab.

    For CVAT, please refer to the screenshot below to configure the attribute pass.

    CVAT Attribute Pass


    Before you can start using the application, one more thing you should know is how to decide who the administrator is.

    Because you added an attribute pass in the previous step, you can set the corresponding group on the IdP side, and it will be mapped to CVAT automatically. CVAT accepts four roles: admin, business, user, and worker. If you assign the admin group on the IdP, you will be logged in as an administrator.

    In addition, you can also use the Role Mapping feature in Datawiza Management Console -> Application -> Profile -> Edit -> Mapping Type -> Expression to map the roles from IDP to the one in CVAT.

    Now visit the Public Domain URL again; you should see your email recognized correctly in the top right corner.

    CVAT User Info

  8. (Optional) Add a custom rule for CVAT API

    You can skip this step if you don’t need to call the API endpoints directly and only operate CVAT via web UI.

    CVAT exposes its operations directly via API endpoints when the caller authenticates with Basic Auth or a Token.

    In order to make this work when Datawiza Access Proxy is in place, you will need to add an additional rule in the Datawiza Management Console as follows.

    Again, select Applications tab on the left panel.

    CVAT Left Panel

    Now select the corresponding application, and go to the Rules sub-tab. Click Create Rule.

    CVAT Create Rule

    Then refer to the screenshot below to configure the new rule.

    CVAT Add API rule

Deploy in Kubernetes

CVAT provides official documentation for deployment on Kubernetes with Helm, and we offer a Datawiza Access Proxy Helm chart as well. Together these let you deploy DAP with CVAT in Kubernetes easily.

Changes in CVAT

By default, the Traefik service type in the CVAT Helm chart is LoadBalancer. We need to change it to ClusterIP, since the DAP will be deployed in front of CVAT. Add the type under the traefik service:

    traefik:
      service:
        type: ClusterIP # Set the type of traefik service to ClusterIP here.

As introduced above, you need to change the frontend and backend images to the ones you built. We use our pre-built images here as an example:

    backend:
      image: datawiza/cvat-server-sso
      tag: 2.0.0
    frontend:
      image: datawiza/cvat-ui-sso
      tag: 2.0.0

We use the environment variable HEADER_AUTH_ENABLE to control the header auth functionality, so you need to add it in the backend block:

        - name: HEADER_AUTH_ENABLE
          value: "true"

And don't forget to update your host:

    - host: your_host

We provide an example CVAT helm chart value.yaml file here.


Basically, you need to set imagePullSecrets, PROVISIONING_KEY, and PROVISIONING_SECRET in the DAP value.yaml, and change the ports according to your configuration in DCMC. We provide a simple example here that uses a LoadBalancer service to expose the DAP. You can also expose the DAP in other ways, such as through an ingress. See here for more details:

replicaCount: 1

image:
  pullPolicy: Always
  tag: ""

imagePullSecrets: "cred"
containerPort: 9772
service:
  type: LoadBalancer
  targetPort: 9772
  port: 9772

ingress:
  enabled: false

PROVISIONING_KEY: "your-provisioning-key"
PROVISIONING_SECRET: "your-provisioning-secret"

Use kubectl get svc -n namespace to check the EXTERNAL-IP of the LoadBalancer service and create the DNS record for it:

CVAT Helm svc

Go back to the DCMC, the upstream should be http://cvat-traefik, which is the service name of CVAT traefik:

CVAT Helm upstream

NOTE: For production environments, make sure that Traefik can only be reached directly by the DAP. With header auth enabled, CVAT trusts the identity headers set by the proxy, so any path to Traefik that bypasses the DAP also bypasses SSO.
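One way to enforce that note inside the cluster is a Kubernetes NetworkPolicy that only admits traffic to the CVAT Traefik pods from the DAP pods. The manifest below is an added example, not part of the Datawiza docs or of either Helm chart. It assumes CVAT and DAP run in the same namespace (here cvat) and that the pods carry the labels shown in the comments; check the real labels with kubectl get pods -n cvat --show-labels and adjust the selectors before applying it.

```yaml
# Added example (not from the Datawiza docs, the CVAT Helm chart or the DAP Helm chart).
# Goal: only the Datawiza Access Proxy pods may open connections to the CVAT Traefik
# pods, so nothing inside the cluster can talk to Traefik while skipping the SSO layer.
#
# Assumptions (verify with `kubectl get pods -n cvat --show-labels`):
#   - namespace "cvat" holds both CVAT and DAP
#   - Traefik pods are labelled app.kubernetes.io/name=traefik
#   - DAP pods are labelled app.kubernetes.io/name=datawiza-access-proxy
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: cvat-traefik-only-from-dap
  namespace: cvat
spec:
  # Pods this policy applies to: the CVAT Traefik pods behind the cvat-traefik service.
  podSelector:
    matchLabels:
      app.kubernetes.io/name: traefik
  policyTypes:
    - Ingress
  ingress:
    # The only permitted source: pods in the same namespace carrying the DAP label.
    # Any other pod (or a pod in another namespace) is denied by default once a
    # policy selects these pods.
    - from:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: datawiza-access-proxy
```

Apply it with kubectl apply -f and confirm with kubectl describe networkpolicy cvat-traefik-only-from-dap -n cvat. Two caveats: the policy is only enforced if your CNI plugin implements NetworkPolicy (the default networking on some managed clusters does not), and it only covers in-cluster traffic, which is why the Traefik service is switched to ClusterIP above so that it has no external address to reach in the first place.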


If you run into any issues or would like to get help from the Datawiza team, you can