Make the user access allow list configurable in the application itself
Mighty Bird
Using public OpenID identity providers such as Google or GitHub to authenticate with Seqera Platform Enterprise is severely hampered by the inconvenient user management.
While a user access allow-list can be used to restrict access to specific email addresses or domains, this list is currently only configurable via environment variables or the tower.yml configuration file (https://docs.seqera.io/platform/24.1/enterprise/configuration/authentication#configure-user-access-allow-list).
As a result, any changes to the allowed users require administrative access to the server and a restart of the application. In large organizations like universities, the response times of central IT services are typically slow, making the onboarding of new users a process that can take weeks. For short-term users, such as interns or master’s students, gaining access is quite impractical or even impossible before their time at the organization ends.
Therefore, it would be beneficial for organization owners on the Seqera Platform to have the ability to manage the allow-list directly through the user interface.
Additionally, we have observed that the current allow-list functionality on the Seqera Platform can be too restrictive for users with multiple email addresses linked to their OpenID identity provider. For instance, we recently encountered a case where a user’s primary GitHub email was included in the allow-list, yet access was denied because their secondary email was not.
If changes to the allow-list could be made quickly via Seqera Platform's user interface, this issue could have been resolved promptly. However, the weeks-long delay in implementing a change made it particularly frustrating that a user, whose primary GitHub email was already on the allow-list, still could not authenticate.
Thank you for your understanding and implementation!
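As an added illustration of the multiple-email edge case described in this request (hypothetical code, not Seqera Platform's implementation; the allow-list format, the `email` claim handling and the sample addresses are assumptions), the following shows why checking only the address the provider presents denies a user whose other verified address is allow-listed, and what changes when every provider-verified address is considered:

```python
from fnmatch import fnmatchcase

# Constructed allow-list: exact addresses plus one domain wildcard. The format is a
# hypothetical stand-in, not the syntax Seqera Platform uses in tower.yml.
ALLOW_LIST = ["alice@example.edu", "*@lab.example.edu"]


def is_allowed(email: str, allow_list) -> bool:
    """Case-insensitive match of a single address against the allow-list.

    Wildcards are matched against the whole address, so "*@lab.example.edu"
    accepts "carol@lab.example.edu" but not "carol@evil-lab.example.edu".
    """
    email = email.strip().lower()
    return any(fnmatchcase(email, pattern.strip().lower()) for pattern in allow_list)


def decide_login(presented: str, verified: list[str], allow_list,
                 check_all_verified: bool) -> dict:
    """Evaluate one OpenID login against the allow-list.

    presented: the address the provider puts in the `email` claim (what a
        naive check looks at; for GitHub this need not be the address the
        user thinks of as primary).
    verified: every address the provider reports as verified for the account.
    check_all_verified: False reproduces the failure described in the post;
        True accepts the login if any *verified* address is allow-listed.
        Unverified addresses must never be considered, otherwise anyone could
        attach an allow-listed address to their own account.
    """
    candidates = verified if check_all_verified else [presented]
    matched = [e for e in candidates if is_allowed(e, allow_list)]
    return {"allowed": bool(matched), "checked": candidates, "matched": matched}


if __name__ == "__main__":
    # Constructed case mirroring the post: the institutional address is on the
    # list, but the provider presents a personal address as the login identity.
    verified = ["alice@example.edu", "alice.personal@mail.example"]
    print(decide_login("alice.personal@mail.example", verified, ALLOW_LIST, False))
    print(decide_login("alice.personal@mail.example", verified, ALLOW_LIST, True))
```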