Important
The current version of Launchpad is v3. See here for the deprecated v2 documentation.
Note
See the Release Notes for the changelog and information about releases.
- Launchpad is a slimmed down version of the Stardog Cloud Portal intended to be deployed on-premise.
- Launchpad is distributed as a single Docker container
- Launchpad allows users to manage multiple connections to Stardog endpoints.
- Launchpad contains all Stardog Applications - Studio, Explorer, Designer, Knowledge Catalog
- Launchpad must be configured with an SSO provider (e.g. Microsoft Entra) to manage user authentication and authorization.
- Launchpad persists data to a local directory that should be mounted to a volume for persistence.
- Launchpad does not handle SSL termination. It is recommended to use a reverse proxy like Nginx or Apache to handle SSL termination.
launchpad-login.mov
Demo using Microsoft Entra ID to log users into Launchpad. A new connection using a Stardog username and password connection is then made.
This is the general guide to getting Launchpad up and running. For more detailed information, see the Configuration guide.
-
Prerequisites
- Docker
- An SSO provider to log users in with (e.g. Microsoft Entra)
- A Stardog endpoint to connect to
-
Pull the Docker Image
- Log in to Stardog's Docker registry
docker login stardog-stardog-apps.jfrog.io
- Pull the Launchpad Docker image
docker pull stardog-stardog-apps.jfrog.io/launchpad:current
-
Configure Launchpad and optionally your Stardog servers.
- Launchpad must be configured with an SSO provider to log users in with.
- Launchpad can optionally be configured with "SSO Connections", allowing users to use SSO to connect to Stardog endpoints that have also been configured to accept JWT tokens from the SSO provider. Without SSO Connections, users will need to manually enter their Stardog credentials to connect to Stardog endpoints.
- The SSO provider for connections can be from the same provider as the main SSO provider or a different provider. They should however be different applications in the SSO provider. For example, Microsoft Entra can be used as Launchpad SSO provider and also as the SSO provider for connections, but they should be different "App Registrations" in Microsoft Entra.
- The SSO provider must be configured to issue JWT tokens that can be used to authenticate with Stardog.
- See SSO Connection Configuration for more information on configuring SSO Connections.
-
Create and run the Launchpad container
docker run \ --env-file /path/to/launchpad/.env.launchpad \ -p 8080:8080 \ -v /path/to/launchpad/data:/data \ stardog-stardog-apps.jfrog.io/launchpad:current
- The
--env-fileflag should point to a file containing the environment variables for Launchpad. See the Configuration section for more information. - The container exposes port
8080, which can be mapped to any port on the host machine. /datais the directory where Launchpad will persist data. This should be mounted to a volume for persistence.
- The
-
Access Launchpad in your browser at the
BASE_URLyou configured.
As mentioned in the Getting Started section, Launchpad persists data to a local directory that should be mounted to a volume for persistence. This is done by mounting a volume to the /data directory in the Launchpad container.
Issues are disabled on this repository. All support requests and feedback should be routed directly to either your dedicated Customer Success Manager (CSM) or Stardog Support.
The following sections detail the configuration options available in Launchpad. All configuration options are set as environment variables in the Docker container.
| Section | Description |
|---|---|
| General Configuration | General configuration options available in Launchpad |
| Login Provider Configuration | Configuration options for the SSO provider used to log users into Launchpad |
| SSO Connection Configuration | Configuration options for SSO Connections, allowing users to use SSO to connect to Stardog endpoints that have also been configured to accept JWT tokens from the SSO provider. |
Here is an example of a configuration file for Launchpad. When using Docker/Docker Compose, you can pass this file to the container using the --env-file flag or equivalent in your Docker Compose file.
# General Configuration
BASE_URL=http://localhost:8080
COOKIE_SECRET=supersecret
# Microsoft Entra Login Provider (to log users into Launchpad)
AZURE_AUTH_ENABLED=true
AZURE_CLIENT_ID=<client_id>
AZURE_CLIENT_SECRET=<client_secret>
AZURE_TENANT=<tenant_id>
# Development Stardog Server SSO Connection using Microsoft Entra (to authenticate users connecting to Stardog)
SSO_CONNECTION_DEVELOPMENT_AZURE_CLIENT_ID=<client_id>
SSO_CONNECTION_DEVELOPMENT_AZURE_CLIENT_SECRET=<client_secret>
SSO_CONNECTION_DEVELOPMENT_AZURE_TENANT=<tenant_id>
SSO_CONNECTION_DEVELOPMENT_AZURE_STARDOG_ENDPOINT=http://localhost:5825
SSO_CONNECTION_DEVELOPMENT_AZURE_DISPLAY_NAME=Development
# Production Stardog Server SSO Connection using Microsoft Entra (to authenticate users connecting to Stardog)
SSO_CONNECTION_PRODUCTION_AZURE_CLIENT_ID=<client_id>
SSO_CONNECTION_PRODUCTION_AZURE_CLIENT_SECRET=<client_secret>
SSO_CONNECTION_PRODUCTION_AZURE_TENANT=<tenant_id>
SSO_CONNECTION_PRODUCTION_AZURE_STARDOG_ENDPOINT=http://localhost:5826
SSO_CONNECTION_PRODUCTION_AZURE_DISPLAY_NAME=ProductionThis section details the general configuration options available in Launchpad.
The BASE_URL is used to set the base URL for Launchpad. This is the URL that users will use to access Launchpad.
- Required: Yes
- Default: not set
The COOKIE_SECRET is used to set the secret used to sign cookies in Launchpad. This should be a large, random string.
- Required: Yes
- Default: not set
The SESSION_EXPIRATION is used to set the expiration time in seconds for user sessions in Launchpad.
- Required: No
- Default:
43200(12 hours)
This section details the configuration options available for the SSO provider used to log users into Launchpad.
Important
Launchpad must be configured with at least 1 SSO provider to log users into the application.
Available Login SSO providers:
The following configuration options are available for Microsoft Entra.
Note
See How to Create an Azure App Registration to Login with Microsoft Entra in Launchpad for instructions on how to create an Azure App Registration to login with Microsoft Entra in Launchpad.
The AZURE_AUTH_ENABLED is used to enable or disable Microsoft Entra authentication to log users into Launchpad.
- Required: Yes (if using Microsoft Entra)
- Default:
false
The AZURE_CLIENT_ID is the client id of the Azure App Registration used to sign users into Launchpad.
- Required: Yes (if using Microsoft Entra)
- Default: not set
The AZURE_CLIENT_SECRET is the client secret of the Azure App Registration used to sign users into Launchpad.
Note
This should be used if not using a client certificate (AZURE_CLIENT_CERTIFICATE_FILE or AZURE_CLIENT_CERTIFICATE_THUMBPRINT).
- Required: Yes (if using Microsoft Entra)
- Default: not set
The AZURE_TENANT is the tenant id of the Azure App Registration used to sign users into Launchpad.
- Required: Yes (if using Microsoft Entra)
- Default:
organizations
The AZURE_CLIENT_PRIVATE_KEY_FILE is the path (in the Docker container) to the private key file corresponding to the certificate used as a credential with Application Registration;
Note
This should be used if not using a client secret (AZURE_CLIENT_SECRET). The private key must not be password protected.
- Required: Yes (if using client certificate with Microsoft Entra)
- Default: not set
The AZURE_CLIENT_CERTIFICATE_FILE is the path (in the Docker container) to the certificate file used as a credential with the Application Registration.
Note
This should be set if AZURE_CLIENT_CERTIFICATE_THUMBPRINT not specified.
- Required: Yes (if using client certificate with Microsoft Entra and not using
AZURE_CLIENT_CERTIFICATE_THUMBPRINT) - Default: not set
Thumbprint of the certificate used as a credential with the Application Registration.
Note
This should be set if AZURE_CLIENT_CERTIFICATE_FILE not specified)
- Required: Yes (if using client certificate with Microsoft Entra and not using
AZURE_CLIENT_CERTIFICATE_FILE) - Default: not set
The AZURE_GOV_CLOUD_US is used to set the Azure cloud environment to the Azure US Government Cloud.
- Required: Yes (if using Azure US Government Cloud)
- Default:
false
The AZURE_AUTH_BASE_URL is used to set the base URL for Microsoft Entra. This is the URL that users will use to authenticate with Microsoft Entra.
Note
If AZURE_GOV_CLOUD_US is set to true, this will be automatically set to https://login.microsoftonline.us
- Required: No
- Default:
https://login.microsoftonline.com
The AZURE_GRAPH_BASE_URL is used to set the base URL for the Microsoft Graph API. This is used to retrieve user information from Microsoft Entra.
Note
If AZURE_GOV_CLOUD_US is set to true, this will be automatically set to https://graph.microsoft.us
- Required: No
- Default:
https://graph.microsoft.com
-
Create App Registration
- Open Azure Portal (https://portal.azure.com)
- Navigate to Microsoft Entra ID > App registrations
- Click "New registration"
- Name application (e.g., "Stardog Launchpad")
- Select "Accounts in this organizational directory only"
- Click "Register"
-
Configure Authentication
- Go to app's "Authentication"
- Add web platform redirect URI:
- Type: Web
- Redirect URI:
{BASE_URL}/oauth/azure/redirect - See
BASE_URLfor more information on what the value should.
- Enable "ID tokens (used for implicit and hybrid flows)"
-
Generate Credentials
-
Option 1: Client Secret
- Go to "Certificates & secrets"
- Click "New client secret"
- Set expiration
- Copy secret value immediately - this is only shown while creating a secret. It cannot be retrieved later.
-
Option 2: Certificate
- Go to "Certificates & secrets"
- Upload certificate to app registration
- If you don't have a certificate, you can create a self-signed certificate using
openssl, however, it is recommended to use a certificate from a trusted certificate authority. - Note certificate thumbprint in the web interface
-
-
Collect Configuration Values
- Client ID: Found in "Overview"
- Tenant ID: Found in "Overview"
- Client Secret or Certificate details
-
Configure Launchpad Environment Variables
- Using Client Secret:
AZURE_AUTH_ENABLED=true AZURE_CLIENT_ID=<client_id> AZURE_TENANT=<tenant_id> AZURE_CLIENT_SECRET=<client_secret>
- Using Certificate:
AZURE_AUTH_ENABLED=true AZURE_CLIENT_ID=<client_id> AZURE_TENANT=<tenant_id> # Use AZURE_CLIENT_CERTIFICATE_FILE or AZURE_CLIENT_CERTIFICATE_THUMBPRINT. See note below. # AZURE_CLIENT_CERTIFICATE_FILE=<path_to_certificate_file-in-docker-image> AZURE_CLIENT_CERTIFICATE_THUMBPRINT=<certificate_thumbprint> AZURE_CLIENT_PRIVATE_KEY_FILE=<path_to_private_key_file-in-docker-image>
Note
There is no need to set both AZURE_CLIENT_CERTIFICATE_FILE and AZURE_CLIENT_CERTIFICATE_THUMBPRINT. Use one or the other. If both are set, AZURE_CLIENT_CERTIFICATE_THUMBPRINT will be used.
Note
If your tenant is in the Azure US Government Cloud, set AZURE_GOV_CLOUD_US=true.
The following configuration options are available for Google SSO.
Note
See How to Create a Google OAuth2.0 Client to login with Google in Launchpad for additional information.
The GOOGLE_AUTH_ENABLED is used to enable or disable Google authentication to log users into Launchpad.
- Required: Yes (if using Google)
- Default:
false
The GOOGLE_CLIENT_ID is the client id of the Google OAuth2.0 client used to log users into Launchpad.
- Required: Yes (if using Google)
- Default: not set
The GOOGLE_CLIENT_SECRET is the client secret of the Google OAuth2.0 client used to log users into Launchpad.
- Required: Yes (if using Google)
- Default: not set
- Create OAuth 2.0 Client
- Go to Google Cloud Console
- Create a new project or select existing project
- Navigate to "APIs & Services" > "Credentials" in the left-hand vertical menu
- Click "Create Credentials" > "OAuth client ID"
- Choose "Web application" type
- Name your OAuth 2.0 client (e.g. "Stardog Launchpad")
- Configure Authorized Redirects
- ( Add redirect URI ):
{BASE_URL}/oauth/google/redirect - See
BASE_URLfor more information on what the value should.
- Generate Credentials
- Click "Create"
- Google will display Client ID and Client Secret
- Copy these values immediately or download the JSON file containing the credentials.
- Configure Launchpad Environment Variables
GOOGLE_AUTH_ENABLED=true
GOOGLE_CLIENT_ID=<client_id>
GOOGLE_CLIENT_SECRET=<client_secret>As mentioned earlier, SSO Connections allow logged in users to use SSO to connect to Stardog endpoints that have also been configured to accept JWT tokens from the SSO provider. Launchpad administrators need to configure SSO Connections to allow their Launchpad users to connect to Stardog endpoints using SSO. This should be done before deploying Launchpad.
Important
Even if your login provider is the same as your connection provider (e.g. Microsoft Entra), they should be different applications in the SSO provider. For example, Microsoft Entra can be used as Launchpad SSO provider and also as the SSO provider for connections, but they should be different "App Registrations" in Microsoft Entra. Strictly speaking for SSO connections, there should be a 1:1 relationship between the SSO application registered with the provider and the Stardog endpoint. This is because the SSO provider will issue a JWT token that is specific to the Stardog endpoint and contains a claim containing the roles that the user has on that Stardog endpoint. You likely want to restrict the roles that a user has on one Stardog endpoint from being used to access another Stardog endpoint.
Similar to all the other configuration options, SSO Connections are set as environment variables in the Docker container.They are declared using a common prefix SSO_CONNECTION_ followed by a unique identifier and provider identifier for the connection. The unique identifier is used to differentiate between different SSO Connections, while the provider identifier is used to specify the SSO provider for the connection. The configuration options for the SSO Connection are then appended to the end of the environment variable name.
SSO_CONNECTION_<unique_identifier>_<provider_identifier>_<config_option>Important
The unique identifier must not contain underscores or any special characters. It should only contain alphanumeric characters.
Examples:
- Valid:
DEV1,PROD,TEST2 - Invalid:
DEV-1,PROD_AZURE,TEST@2
Here's an example of 1 SSO connnection declaration:
SSO_CONNECTION_DEVELOPMENT_AZURE_CLIENT_ID=<client_id>
SSO_CONNECTION_DEVELOPMENT_AZURE_CLIENT_SECRET=<client_secret>
SSO_CONNECTION_DEVELOPMENT_AZURE_TENANT=<tenant_id>
SSO_CONNECTION_DEVELOPMENT_AZURE_STARDOG_ENDPOINT=<stardog_endpoint>
SSO_CONNECTION_DEVELOPMENT_AZURE_DISPLAY_NAME=<user-facing-display-name>- All environment variables are prefixed with
SSO_CONNECTIONto indicate that this is an SSO Connection. DEVELOPMENTis the unique identifier for this SSO Connection.AZUREis the SSO provider identifier for this SSO Connection.CLIENT_ID,CLIENT_SECRET,TENANT,STARDOG_ENDPOINT, andDISPLAY_NAMEare the configuration options for this SSO Connection.
Note
See the Microsoft Entra SSO Connection Provider Configuration for more information on the configuration options for Microsoft Entra SSO Connections.
With a similar configuration to above (of course with actual values populated), your users would then see a dropdown populated when clicking "Add SSO endpoint". It's labeled "SSO Connection Registration" in the form. The DISPLAY_NAME is the name your Launchpad user will see. In the demo just below, 3 SSO connections are configured. The display names are Development, Staging, and Production respectively. The STARDOG_ENDPOINT is also provided (http://localhost:5825) so that your users do not have to manually enter this field.
entra-sso-connection-demo.mov
| Supported SSO Connection providers | Provider Identifier in Environment Variable |
|---|---|
| Microsoft Entra (formerly known as Azure Active Directory) | AZURE |
Note
You can have multiple SSO Connections for the same provider. Just make sure the unique identifier is different for each connection.
Below is a sequence diagram showing how a user would create a new SSO connection and authenticate against the provider. The provider would then issue an access token that would be used to authenticate against the Stardog endpoint. That access token is stored in the user's Launchpad session. It will be refreshed as needed. If the user logs out of Launchpad, the user will need to re-authenticate against the provider to get a new access token.
sequenceDiagram
participant Launchpad
participant SSO Connection Provider (e.g. MS Entra)
participant Stardog
Launchpad->>SSO Connection Provider (e.g. MS Entra): User creates a new SSO connection and authenticates against provider
SSO Connection Provider (e.g. MS Entra)->>Launchpad: provider issued access token
Launchpad->>Stardog: provider issued access token
Stardog->>Launchpad: User authenticated
The following configuration options are available for Microsoft Entra SSO Connections.
The SSO_CONNECTION_<unique_identifier>_AZURE_CLIENT_ID is the client id of the Azure App Registration used to authenticate and authorize users to connect to the Stardog endpoint.
- Required: Yes
- Default: not set
The SSO_CONNECTION_<unique_identifier>_AZURE_CLIENT_SECRET is the client secret of the Azure App Registration used to authenticate and authorize users to connect to the Stardog endpoint.
- Required: Yes
- Default: not set
The SSO_CONNECTION_<unique_identifier>_AZURE_TENANT is the tenant id of the Azure App Registration used to authenticate and authorize users to connect to the Stardog endpoint.
- Required: Yes
- Default: not set
The SSO_CONNECTION_<unique_identifier>_AZURE_STARDOG_ENDPOINT is the URL of the Stardog endpoint that users will connect to using this SSO Connection. This is not required. If not set, users will need to manually enter the Stardog endpoint URL when creating an SSO connection. If provided, it will be pre-filled in the SSO Connection form.
- Required: No
- Default: not set
The SSO_CONNECTION_<unique_identifier>_AZURE_DISPLAY_NAME is the user-facing display name for this SSO Connection. This is the name that will be displayed to users when they are selecting an SSO Connection to connect to a Stardog endpoint. If not set, the unique identifier will be used as the display name.
- Required: No
- Default: <unique_identifier>
The SSO_CONNECTION_<unique_identifier>_AZURE_GOV_CLOUD_US is used to set the Azure cloud environment. If set to true, it's assumed that the Azure App Registration is in your tenant in the Azure US Government Cloud.
- Required: Yes (if using Azure US Government Cloud)
- Default:
false
The SSO_CONNECTION_<unique_identifier>_AZURE_AUTH_BASE_URL is used to set the base URL for Microsoft Entra. This is the URL that users will use to authenticate with Microsoft Entra.
Note
If SSO_CONNECTION_<unique_identifier>_AZURE_GOV_CLOUD_US is set to true, this will be automatically set to https://login.microsoftonline.us
- Required: No
- Default:
https://login.microsoftonline.com
The SSO_CONNECTION_<unique_identifier>_AZURE_GRAPH_BASE_URL is used to set the base URL for the Microsoft Graph API. This is used to retrieve user information from Microsoft Entra.
Note
If SSO_CONNECTION_<unique_identifier>_AZURE_GOV_CLOUD_US is set to true, this will be automatically set to https://graph.microsoft.us
- Required: No
- Default:
https://graph.microsoft.com
Setting up a Microsoft Entra SSO connection consists of 3 main steps:
- Creating the Microsft Entra App Registration
- Configuring the Launchpad environment variables using the App Registration details
- Configuring the Stardog endpoint to accept JWT tokens from Microsoft Entra App Registration
Note
SSO connections leverage Stardog's JWT token authentication. This means that the Stardog endpoint must be configured to accept JWT tokens from the SSO provider. Stardog is able to auto-create users and assign roles based on the claims in the JWT token, provided that the roles claimed in the JWT token are valid roles in Stardog. This is explained in more detail below, but see the Stardog Documentation for more information.
- Create App Registration
- Open Azure Portal (https://portal.azure.com)
- Navigate to Microsoft Entra ID > App registrations
- Click "New registration"
- Name application (e.g., "Stardog Development Endpoint")
- Select "Accounts in this organizational directory only"
- Click "Register"
- Configure Authentication
- Go to app's "Authentication"
- Add web platform redirect URI:
- Type: Web
- Redirect URI:
{BASE_URL}/auth/sso-connection - See
BASE_URLfor more information on what the value should.
- Generate Credentials
- Go to "Certificates & secrets"
- Click "New client secret"
- Set expiration - Copy secret value immediately - this is only shown while creating a secret. It cannot be retrieved later.
- Modify Manifest
- Go to "Manifest"
- Set
accessTokenAcceptedVersionto2
- Create and Assign App Roles
- Go to "App roles"
- Click "Create app role"
- Create roles that you want to assign to users connecting to the Stardog endpoint. These roles should match the roles in Stardog.
- Assign roles to users in the "Enterprise applications" section of the app registration
- Collect Configuration Values
- Client ID: Found in "Overview"
- Tenant ID: Found in "Overview"
- Client Secret: From Step 3.
SSO_CONNECTION_<unique-identifier>_AZURE_CLIENT_ID=<client_id>
SSO_CONNECTION_<unique-identifier>_AZURE_CLIENT_SECRET=<client>
SSO_CONNECTION_<unique-identifier>_AZURE_TENANT=<tenant_id>
SSO_CONNECTION_<unique-identifier>_AZURE_STARDOG_ENDPOINT=<stardog_endpoint> # optional
SSO_CONNECTION_<unique-identifier>_AZURE_DISPLAY_NAME=<user-facing-display-name> # optionalNote
If your tenant is in the Azure US Government Cloud, set SSO_CONNECTION_<unique-identifier>_AZURE_GOV_CLOUD_US=true.
-
Add the Microsoft Entra issuer entry to the Stardog endpoint's JWT configuration
- The JWT configuration for the Stardog server needs to be customized. To provide a configuration file for JWT configuration to Stardog, set the following property in the
stardog.propertiesfile:
jwt.conf=/path/to/jwt.yaml- The
jwt.yamlfile should contain the following configuration:
issuers: https://login.microsoftonline.com/<SSO_CONNECTION_$uid_AZURE_TENANT>/v2.0: usernameField: preferred_username audience: <AZURE_CLIENT_ID> algorithms: RS256: keyUrl: https://login.microsoftonline.com/<SSO_CONNECTION_$uid_AZURE_TENANT>/discovery/v2.0/keys autoCreateUsers: True rolesClaimPath: roles
https://login.microsoftonline.com/<SSO_CONNECTION_$uid_AZURE_TENANT>/v2.0is the issuer URL for Microsoft Entra. Replace<SSO_CONNECTION_$uid_AZURE_TENANT>with the tenant id of the Azure App Registration for the SSO connection.usernameFieldis the claim in the JWT token that contains the username of the user. This should be set topreferred_username.audienceis the client id of the Azure App Registration.algorithmsis the algorithm used to sign the JWT token. In this case, it isRS256. ThekeyUrlis the URL to the public key used to verify the JWT token.autoCreateUsersis set toTrueto allow Stardog to auto-create users based on therolesclaim in the JWT token.rolesClaimPathis the path to the claim in the JWT token that contains the app roles assigned to the user.
- The JWT configuration for the Stardog server needs to be customized. To provide a configuration file for JWT configuration to Stardog, set the following property in the
Note
If you are using Microsoft Entra in the Azure US Government Cloud, the issuer URL should be https://login.microsoftonline.us/<SSO_CONNECTION_$uid_AZURE_TENANT>/v2.0 and the keyUrl should be https://login.microsoftonline.us/<SSO_CONNECTION_$uid_AZURE_TENANT>/discovery/v2.0/keys.
-
Make sure to restart the Stardog server after making these changes.
-
Create the roles in Stardog that match the app roles in the Azure App Registration.
- This is required for Stardog to auto-create users and assign roles based on the claims in the JWT token.