Authenticate Users with Access Screens
Dec 20th 2025
If your users are already registered with an existing Identity Provider that speaks OIDC, this access method lets them reuse that identity to authenticate strongly to local nodes as well.
Prerequisites
Access screens rely on the OIDC protocol. An identity provider that supports it (Microsoft Entra ID in this how-to) must already be configured.
Access Gate must also be configured with:
- Users are
- TLS certificates
- Interface 1 (eth0) must have WAN access. This interface is used by Access Gate to reach external OIDC services and authenticate users.
- Create a DNS entry that points to the IP address of eth0 (often 100.65.0.6). This allows users to access the Access Screen form at a friendly URL, for example:
Creating a new screen
Under the “Access Screens” menu, use the “Create template” feature to create a new screen.
Click on the newly created entry to open the text editor. This is a good place to remind users of the terms and conditions (policies) governing access to your network.
Back in the access screens list, copy the URL of the screen you just created and share it with the users who need to authenticate through Access Gate.
User Flow
- A user opens their browser and visits https://trout-auth.{your-domain}/form_id=123
- The Access Screen loads and the user accepts the policy set for this access screen.
- The user is redirected to the Microsoft Entra ID authentication portal to authenticate.
- Once approved, the user is redirected to the callback URL https://{your-domain}/access_authorize
Access is granted or denied based on the workflow outcome, and an audit trail is recorded.
If the request is approved, the user's IP is automatically added to the proxy and authorized for the duration specified in the access screen. This happens in the background. The user can then continue their normal workflow (connecting to applications, databases and other services) while the enclave access rules remain fully enforced. Because the grant is keyed on the source IP, keep the authorized duration short for users behind a shared NAT address: every host behind that address shares the grant until it expires.
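The flow above, written out as a runnable model so the checks at each step are explicit. This is an added illustration, not Access Gate's own code: the host names, client ID, Entra ID endpoint and the 300-second pending-login window are assumptions, and the exchange of the authorization code for an ID token (with JWT signature, issuer, audience and expiry verification) is assumed to have happened before `callback` receives the claims.

```python
"""Model of the Access Screen OIDC flow. Added example, not Access Gate code."""
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed placeholder values: replace with your own names and app registration.
AUTH_HOST = "trout-auth.example.com"                    # DNS name created for eth0
CALLBACK_URL = "https://example.com/access_authorize"   # callback path from the page
ENTRA_AUTHORIZE = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
STATE_TTL = 300  # seconds a login attempt may stay pending (assumed)


def parse_query(url):
    """Return the first value of each query parameter of a URL."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


class AccessScreenGate:
    def __init__(self, now=time.time):
        self.now = now
        self.screens = {}  # form_id -> {"policy": text, "duration": seconds}
        self.pending = {}  # state -> {"form_id", "ip", "nonce", "expires"}
        self.allowed = {}  # client IP -> expiry timestamp ("added to the proxy")
        self.audit = []    # (timestamp, ip, form_id, outcome)

    def create_screen(self, form_id, policy, duration):
        """'Create template': store the policy text and the authorized duration."""
        self.screens[form_id] = {"policy": policy, "duration": duration}
        return f"https://{AUTH_HOST}/form_id={form_id}"

    def start(self, form_id, client_ip, accepted_policy):
        """Steps 1-2: the user accepts the policy; build the redirect to Entra ID."""
        if form_id not in self.screens:
            raise KeyError(f"unknown access screen {form_id}")
        if not accepted_policy:
            self._log(client_ip, form_id, "denied: policy not accepted")
            return None
        # state binds the callback to this browser/IP and is single use;
        # nonce ties the returned ID token to this authorization request.
        state, nonce = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.pending[state] = {"form_id": form_id, "ip": client_ip,
                               "nonce": nonce, "expires": self.now() + STATE_TTL}
        params = {"client_id": CLIENT_ID, "response_type": "code",
                  "redirect_uri": CALLBACK_URL, "scope": "openid profile",
                  "state": state, "nonce": nonce}
        return f"{ENTRA_AUTHORIZE}?{urlencode(params)}"

    def callback(self, url, client_ip, id_token_claims):
        """Step 3: Entra ID sends the browser to CALLBACK_URL?code=...&state=...

        id_token_claims are the claims of the ID token obtained by exchanging
        `code` at the token endpoint, after signature, issuer, audience and
        expiry checks by a JWT library. That exchange is assumed, not modeled.
        """
        q = parse_query(url)
        entry = self.pending.pop(q.get("state"), None)  # pop: state is single use
        if entry is None or "code" not in q or entry["expires"] < self.now():
            self._log(client_ip, None, "denied: unknown, replayed or expired state")
            return False
        form_id = entry["form_id"]
        if entry["ip"] != client_ip:
            self._log(client_ip, form_id, "denied: callback from a different IP")
            return False
        if not secrets.compare_digest(str(id_token_claims.get("nonce", "")), entry["nonce"]):
            self._log(client_ip, form_id, "denied: nonce mismatch")
            return False
        duration = self.screens[form_id]["duration"]
        self.allowed[client_ip] = self.now() + duration  # the background grant
        self._log(client_ip, form_id, f"granted for {duration}s")
        return True

    def is_allowed(self, client_ip):
        """What the proxy consults for every connection from client_ip."""
        expiry = self.allowed.get(client_ip)
        if expiry is None:
            return False
        if expiry < self.now():
            del self.allowed[client_ip]
            return False
        return True

    def _log(self, ip, form_id, outcome):
        self.audit.append((self.now(), ip, form_id, outcome))


if __name__ == "__main__":
    gate = AccessScreenGate()
    print(gate.create_screen(123, "Acceptable use policy", duration=3600))
    redirect = gate.start(123, "10.0.0.5", accepted_policy=True)
    q = parse_query(redirect)
    ok = gate.callback(f"{CALLBACK_URL}?code=c&state={q['state']}",
                       "10.0.0.5", {"nonce": q["nonce"]})
    print(ok, gate.is_allowed("10.0.0.5"), gate.audit[-1][3])
```

Three properties matter here and are easy to get wrong in a real deployment: `state` is random, expires quickly and is consumed on first use, so a callback URL copied or replayed by someone else is rejected; the callback must arrive from the same source IP that accepted the policy, since that IP is what ends up authorized on the proxy; and every decision, denied or granted, lands in the audit trail.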