3. First login
The platform is running. Now make sure you can sign in and that your account has admin permissions.
Open the UI
Browse to https://<your-domain>/ (whatever you set as domain in your install). You should be redirected to your identity provider’s sign-in page.
If TLS isn’t ready, finish ingress + cert setup before going further. Login goes through your IdP via OIDC, which only redirects to the registered HTTPS callback URL. There is no local-user fallback and a port-forward to http://localhost cannot complete the sign-in handshake.
Port-forward is still useful for poking at the API:
kubectl port-forward -n shoehorn svc/shoehorn-api 8080:8080 &
curl http://localhost:8080/healthz
Sign in
Sign in through your IdP. After the OIDC handshake you land in the catalog. If you see the empty catalog page, sign-in worked.
If sign-in fails, the most likely cause is a redirect URI mismatch. Your IdP application must allow https://<your-domain>/auth/callback. See the Zitadel or Okta integration page for the exact values.
The initial admin
Set the first admin in the Helm values before install. Pick one of rbac.roleAssignment.tenantAdmin.user (a single email) or rbac.roleAssignment.tenantAdmin.group (a single IdP group name). The matching account gets the tenant:admin role on first sign-in, but only while no roles exist in the database yet.
rbac:
  roleAssignment:
    tenantAdmin:
      user: "platform@acme.com"
      # or by IdP group:
      # group: "shoehorn-admins"
If you forgot, run helm upgrade with the value populated and sign back in. Bootstrap only fires while the roles table is empty, so set this before granting anyone else a role.
Set up roles for everyone else
Once the initial admin is signed in, assign roles to the rest of the org from the UI or as code.
- In the UI: go to Admin → RBAC → Group Mappings and map IdP groups to Shoehorn roles.
- With Terraform (recommended for repeatable installs): use shoehorn_group_role_mapping. See Group mappings.
Token claims refresh at login, so anyone whose role changes needs to sign out and back in.
Check health
# API health
kubectl port-forward -n shoehorn svc/shoehorn-api 8080:8080 &
curl http://localhost:8080/healthz
# {"status":"ok"}

# Component readiness
kubectl get pods -n shoehorn
All services should be Ready. The crawler and worker pods may take an extra minute on first start while migrations run.
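The two checks on this page (the /healthz probe from the port-forward above and the pod readiness here), packaged as an added shell example that is not part of the Shoehorn docs: the functions parse command output on stdin, so they run here on constructed samples and can be pointed at the live cluster with --live. Namespace, service name and the /healthz body come from the commands on this page; the pod names are made up.

```shell
#!/bin/sh
# Added post-install checks (not part of the Shoehorn docs). Both functions
# read command output on stdin, so they work on constructed samples and on
# live `kubectl` / `curl` output alike.

# healthz_ok: succeed only when the /healthz JSON reports "status":"ok".
healthz_ok() {
  grep -q '"status"[[:space:]]*:[[:space:]]*"ok"'
}

# pods_ready: read `kubectl get pods -n shoehorn` output and succeed only
# when every pod is Running with all containers ready (READY is n/n).
# Finished Job pods (STATUS Completed), if any, are ignored; offenders are printed.
pods_ready() {
  awk 'BEGIN { bad = 0 }
       NR > 1 && $3 != "Completed" {
         split($2, r, "/")
         if ($3 != "Running" || r[1] != r[2]) { print "not ready: " $0; bad = 1 }
       }
       END { exit bad }'
}

# Constructed sample: crawler still running migrations on first start.
PODS_FIRST_START='NAME                           READY   STATUS    RESTARTS   AGE
shoehorn-api-6d9f7c5b8-x2k4p   1/1     Running   0          5m
shoehorn-crawler-7b8d9f-q1w2e  0/1     Running   0          40s
shoehorn-worker-5c6d7e-z9y8x   1/1     Running   0          40s'

# Constructed sample: everything settled a couple of minutes later.
PODS_SETTLED='NAME                           READY   STATUS    RESTARTS   AGE
shoehorn-api-6d9f7c5b8-x2k4p   1/1     Running   0          7m
shoehorn-crawler-7b8d9f-q1w2e  1/1     Running   0          2m
shoehorn-worker-5c6d7e-z9y8x   1/1     Running   0          2m'

# check_live: run both checks against the cluster; needs the port-forward
# from the health section to be active. Only invoked with --live.
check_live() {
  curl -fsS http://localhost:8080/healthz | healthz_ok || { echo "healthz not ok"; return 1; }
  kubectl get pods -n shoehorn | pods_ready
}

if [ "${1:-}" = "--live" ]; then
  check_live
else
  printf '%s\n' "$PODS_FIRST_START" | pods_ready || echo "wait a minute and re-run"
  printf '%s\n' "$PODS_SETTLED" | pods_ready && echo "all pods ready"
fi
```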