

Disable the local admin account after SSO setup

After configuring single sign-on (SSO) for vCluster Platform, disabling the local admin account is a recommended security practice for enterprise environments. This prevents unauthorized access through the default credentials and ensures all authentication flows through your identity provider.

Prerequisites

Before disabling the local admin account:

  • SSO is configured and tested successfully
  • At least one SSO user has global admin permissions
  • You have verified SSO login works with the expected permissions
  • You have kubectl access to the cluster running vCluster Platform

Verify SSO access first

Ensure you can log in via SSO with global admin permissions before disabling the local admin. Locking yourself out requires recovery steps.

Disable the admin account

There are two steps to fully disable the local admin:

  1. Lock the admin user in the UI
  2. Prevent the admin from being recreated on upgrades

Lock the admin user

  1. Log in to vCluster Platform using your SSO credentials with global admin permissions.

  2. Select the Users field on the left menu bar.

  3. In the admin user row, hover over the blue drop-down arrow and select Lock User from the menu options.

The admin account is now locked. The user cannot log in and any access keys generated for the admin will stop working.

Prevent admin recreation

To prevent the admin account from being recreated during upgrades, update your Helm values:

vcluster-platform-values.yaml:

    admin:
      create: false

Apply the configuration:

    helm upgrade vcluster-platform loft/vcluster-platform \
      --namespace vcluster-platform \
      --values vcluster-platform-values.yaml \
      --reuse-values

Note: If you previously had admin credentials in your values file, remove them after locking the account. Leaving stale credentials in configuration files is a security risk.
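
An added check for the two settings above (not part of the vCluster Platform documentation): it audits the values stored in the Helm release rather than the file, because `--reuse-values` carries keys from earlier upgrades forward even after they are deleted from the values file. The credential key pattern and the sample inputs are assumptions; the page does not name the chart's credential keys.

```python
import json
import re
import sys

# Assumption: credential-like key names; the page does not list the chart's exact keys.
CREDENTIAL_KEY = re.compile(r"pass(word|wd)|secret|token", re.IGNORECASE)


def credential_paths(node, path="admin"):
    """Yield dotted paths of credential-like keys that still hold a value."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if CREDENTIAL_KEY.search(key) and value not in (None, "", {}, []):
                yield child
            else:
                yield from credential_paths(value, child)


def audit_values(values):
    """Return findings for the release values; an empty list means compliant."""
    findings = []
    admin = values.get("admin")
    if not isinstance(admin, dict):
        admin = {}
    create = admin.get("create")
    # Only boolean false counts: the string "false" is truthy in Helm templates.
    if create is not False:
        findings.append(
            f"admin.create is {create!r} ({type(create).__name__}), expected boolean false"
        )
    # Report paths only, never the stored value.
    findings.extend(f"stale credential at {p}" for p in sorted(credential_paths(admin)))
    return findings


# Constructed sample inputs, not taken from a real release.
SAMPLE_BEFORE = json.loads('{"admin": {"create": true, "password": "example-only"}}')
SAMPLE_STRING = json.loads('{"admin": {"create": "false"}}')
SAMPLE_AFTER = json.loads('{"admin": {"create": false}}')

if __name__ == "__main__":
    # Usage: helm get values vcluster-platform -n vcluster-platform -o json | python3 audit_admin.py
    problems = audit_values(json.load(sys.stdin) or {})
    for line in problems:
        print("FAIL:", line)
    sys.exit(1 if problems else 0)
```

A non-zero exit makes the check usable as a gate after each `helm upgrade`.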

Recovery

If SSO becomes unavailable and you need to regain access:

  1. Re-enable password authentication if it was disabled. Run the following command to generate a new configuration with password login enabled:

    kubectl get secrets/loft-manager-config -n vcluster-platform \
    -o jsonpath="{.data.config}" | base64 -d | \
    yq "del(.auth.password.disabled)" | base64

    Copy the output, then edit the secret:

    kubectl edit secret loft-manager-config -n vcluster-platform

    Replace .data.config with the new value and restart the vCluster Platform pods.

  2. Reset the admin password using kubectl. See Reset Admin Password for detailed instructions.
  3. Unlock the admin user:
    • Log in with the reset password
    • Navigate to Users
    • Select Unlock User from the admin user's dropdown menu

After regaining access, investigate and fix the SSO issue before re-locking the admin account.