
Security considerations

Last updated 11 months ago

Data Privacy

groundcover’s architecture is built with privacy as one of its primary drivers. All data that groundcover collects is stored in-cluster, inside your environment. Our default deployment is built in a way that ensures no data ever leaves your cluster, and that remains the case forever. See our Architecture section for more details.

When someone from your company enters the groundcover UI, a secure encrypted data tunnel will enable the movement of data to the UI, such that the user will be able to access and visualize the data. No data that is passed to the UI is persisted on groundcover's side. This architecture ensures that groundcover is, and remains, as privacy-focused as possible.

Single Sign-On (SSO) Support with OIDC and SAML

SSO support is an exclusive feature available in our enterprise plan. Implementing SSO requires coordinated actions between groundcover and your team. To initiate the process, please contact us through Slack to ensure seamless communication and successful setup.

groundcover offers robust support for Single Sign-On (SSO) through both OpenID Connect (OIDC) and Security Assertion Markup Language (SAML), to ensure seamless and secure access to our platform by integrating with your existing identity provider (IdP).

OIDC

Built on the OAuth 2.0 framework, OIDC is a modern authentication protocol that uses JSON Web Tokens (JWTs) to transfer user information between parties. It is particularly well-suited for modern web applications, mobile apps, and APIs due to its lightweight, RESTful approach and ease of integration with JSON-based environments.

groundcover supports any IdP that uses OIDC, including:

SAML

SAML is an older, XML-based protocol that was designed for enterprise-level security and is widely used for federating identity across disparate systems. SAML is ideal for single sign-on in legacy enterprise applications and environments where XML is already in use, providing robust support for complex organizational requirements and integrations.

groundcover supports any IdP that uses SAML, including:

The full list of available SSO providers is too long to display. Any SSO provider that uses OIDC and/or SAML can be supported by groundcover. Full implementation guides for the most popular SSO providers for each protocol will be published soon.

Okta

OneLogin

JumpCloud

PingIdentity

CyberArk Identity

Microsoft Azure AD (Active Directory)

Auth0

Frontegg

WorkOS

SecureAuth

OneLogin

Auth0

Microsoft Azure AD (Active Directory)

PingIdentity

Google Identity Platform

Amazon Cognito

IBM Security Verify


Okta