Single Sign-On lets your entire team authenticate with the identity provider your organization already uses — Okta, Azure AD, Google Workspace, Keycloak, Auth0, and any other SAML 2.0 or OIDC-compliant provider. Once SSO is configured, members can click Sign in with SSO on the Dokploy login page and be redirected to your IdP, eliminating the need to manage separate Dokploy passwords.
Requirements
- A valid Dokploy Enterprise license activated on the owner account (see Enterprise Overview).
- Dokploy must be reachable at a publicly accessible domain so your identity provider can redirect back after authentication.
- The SSO issuer URL must be added to the organization’s trusted origins before a provider can be created or updated.
Supported Protocols
Dokploy supports two SSO protocols via the better-auth SSO integration:
SAML 2.0
Industry-standard XML-based federation. Requires an entry point URL, an X.509 certificate from your IdP, and an SP callback URL.
OpenID Connect (OIDC)
OAuth 2.0-based protocol. Requires a client ID, client secret, and your IdP’s discovery endpoint (well-known URL). PKCE is enabled by default.
Enabling SSO
Activate your Enterprise license
SSO endpoints use enterpriseProcedure, which verifies that the organization's owner has a valid license. Ensure licenseKey.haveValidLicenseKey returns true before proceeding.
Add a trusted origin
Before registering any provider, add your IdP's issuer URL as a trusted origin. This prevents unauthorized IdPs from being used to initiate authentication flows. Origins are normalized (scheme + host) before storage, so https://example.com/path and https://example.com resolve to the same entry.
Register an SSO provider
Call sso.register with your protocol-specific configuration (OIDC or SAML; the fields for each are listed in the configuration references below). Each provider requires a unique providerId, the IdP issuer URL, and one or more email domains that will use this provider.
A domain can only be registered with one provider at a time. Attempting to register a domain already claimed by another provider returns a BAD_REQUEST error.
Verify the sign-in button is visible
The sso.showSignInWithSSO public endpoint returns true when at least one provider is configured and the owner's license is valid. On Dokploy Cloud it always returns true.
SSO Enforcement
sso.enforceSSO is a public query that returns true when the web server is configured to require SSO for all logins (password-based login is then blocked). On Dokploy Cloud this always returns false.
Managing Providers
List Providers — sso.listProviders
Returns all providers registered for the active organization, including their providerId, issuer, domain, and protocol-specific config objects.
Get a Single Provider — sso.one
Returns one provider of the active organization. Throws NOT_FOUND if the provider does not belong to the active organization.
Update a Provider — sso.update
Accepts the same ssoProviderBodySchema as sso.register. If the issuer URL changes, the new issuer must already exist in the trusted origins list — the update is rejected otherwise.
Delete a Provider — sso.deleteProvider
Trusted Origins
Trusted origins control which identity provider URLs are permitted to initiate SSO flows. All mutations are available only to Enterprise users of the active organization.
| Procedure | Type | Description |
|---|---|---|
| sso.getTrustedOrigins | query | Returns the array of trusted origin strings for the organization. |
| sso.addTrustedOrigin | mutation | Adds a new origin. Input: { origin: string }. No-op if the normalized origin already exists. |
| sso.removeTrustedOrigin | mutation | Removes an origin. Input: { origin: string }. |
| sso.updateTrustedOrigin | mutation | Replaces an existing origin. Input: { oldOrigin: string, newOrigin: string }. |
Origins are normalized to scheme://host before storage and comparison, so trailing slashes and paths are stripped automatically.
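The following is an added example, not Dokploy's own code: an in-memory model of the trusted-origin normalization described here and of the registration rules from the "Register an SSO provider" and "Update a Provider" sections (issuer must already be a trusted origin, providerId unique, a domain claimed by only one provider). The `SsoRegistry` class, its method names and the `domains` array on the input are this example's assumptions; of the thrown error codes only BAD_REQUEST (domain conflict) and NOT_FOUND (unknown provider) are documented on this page, the others are the example's choice. It also assumes an explicit non-default port stays part of the normalized host.

```typescript
// Added example (not Dokploy's code): models trusted-origin normalization and
// the provider-registration rules described in the SSO docs.

interface SsoProviderInput {
  providerId: string;
  issuer: string;
  protocol: "oidc" | "saml";
  domains: string[]; // assumption: email domains routed to this provider
}

// Normalize to `scheme://host`: path, query, fragment and trailing slash are
// dropped. Unparsable strings and non-http(s) schemes are rejected rather than
// stored. Assumption: an explicit non-default port remains part of `host`.
function normalizeOrigin(raw: string): string {
  let url: URL;
  try {
    url = new URL(raw.trim());
  } catch (e) {
    throw new Error(`invalid origin: ${raw}`);
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") {
    throw new Error(`unsupported scheme in origin: ${raw}`);
  }
  return `${url.protocol}//${url.host.toLowerCase()}`;
}

class SsoRegistry {
  private trusted: Record<string, true> = {};
  private providers: Record<string, SsoProviderInput> = {};

  // sso.addTrustedOrigin: returns false (no-op) when the normalized origin exists
  addTrustedOrigin(origin: string): boolean {
    const n = normalizeOrigin(origin);
    if (this.trusted[n]) return false;
    this.trusted[n] = true;
    return true;
  }

  // sso.removeTrustedOrigin
  removeTrustedOrigin(origin: string): boolean {
    const n = normalizeOrigin(origin);
    if (!this.trusted[n]) return false;
    delete this.trusted[n];
    return true;
  }

  // sso.updateTrustedOrigin: replace oldOrigin with newOrigin
  updateTrustedOrigin(oldOrigin: string, newOrigin: string): void {
    if (!this.removeTrustedOrigin(oldOrigin)) throw new Error("NOT_FOUND: origin is not trusted");
    this.addTrustedOrigin(newOrigin);
  }

  // sso.getTrustedOrigins
  getTrustedOrigins(): string[] {
    return Object.keys(this.trusted);
  }

  isIssuerTrusted(issuer: string): boolean {
    return this.trusted[normalizeOrigin(issuer)] === true;
  }

  // sso.register: providerId unique, issuer trusted, every domain unclaimed
  register(input: SsoProviderInput): void {
    if (this.providers[input.providerId]) throw new Error(`providerId ${input.providerId} already exists`);
    this.assertAllowed(input);
    this.providers[input.providerId] = { ...input, domains: input.domains.map((d) => d.toLowerCase()) };
  }

  // sso.update: same body and checks; a changed issuer must already be trusted
  update(input: SsoProviderInput): void {
    if (!this.providers[input.providerId]) throw new Error(`NOT_FOUND: provider ${input.providerId}`);
    this.assertAllowed(input);
    this.providers[input.providerId] = { ...input, domains: input.domains.map((d) => d.toLowerCase()) };
  }

  // Which provider, if any, has claimed a domain
  domainOwner(domain: string): string | undefined {
    const d = domain.toLowerCase();
    for (const id of Object.keys(this.providers)) {
      if (this.providers[id].domains.indexOf(d) !== -1) return id;
    }
    return undefined;
  }

  private assertAllowed(input: SsoProviderInput): void {
    if (!this.isIssuerTrusted(input.issuer)) {
      throw new Error(`issuer ${input.issuer} is not a trusted origin; add it first`);
    }
    for (const d of input.domains) {
      const owner = this.domainOwner(d);
      if (owner !== undefined && owner !== input.providerId) {
        throw new Error(`BAD_REQUEST: domain ${d} is already registered with provider ${owner}`);
      }
    }
  }
}
```

The point of rejecting non-http(s) schemes and unparsable strings inside `normalizeOrigin` is that a trusted-origin list is an allow-list for who may start a login: a malformed entry that silently normalizes to something unexpected is worse than a rejected request. The domain check is deliberately case-insensitive, since email domains are.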
OIDC Configuration Reference
| Field | Required | Description |
|---|---|---|
| clientId | ✅ | OAuth 2.0 client ID issued by your IdP. |
| clientSecret | ✅ | OAuth 2.0 client secret issued by your IdP. |
| discoveryEndpoint | Recommended | URL of the IdP's /.well-known/openid-configuration document. When provided, endpoints are discovered automatically. |
| authorizationEndpoint | Optional | Override the authorization endpoint (used when skipDiscovery: true). |
| tokenEndpoint | Optional | Override the token endpoint. |
| userInfoEndpoint | Optional | Override the user info endpoint. |
| jwksEndpoint | Optional | Override the JWKS URI. |
| tokenEndpointAuthentication | Optional | client_secret_post or client_secret_basic. Defaults to client_secret_post. |
| scopes | Optional | Additional OAuth scopes to request (e.g. ["openid", "email", "profile"]). |
| pkce | Optional | Enable PKCE (Proof Key for Code Exchange). Defaults to true. |
| mapping | Optional | Attribute mapping: { id, email, name, emailVerified?, image?, extraFields? }. |
| skipDiscovery | Optional | Set true to skip auto-discovery and supply all endpoints manually. |
SAML Configuration Reference
| Field | Required | Description |
|---|---|---|
| entryPoint | ✅ | IdP SSO URL where SAML authentication requests are sent. |
| cert | ✅ | Public X.509 certificate from your IdP (PEM format, without headers). |
| callbackUrl | ✅ | Assertion Consumer Service (ACS) URL on your Dokploy instance (e.g. https://dokploy.yourcompany.com/api/auth/sso/callback). |
| audience | Optional | Service provider entity ID / audience restriction. |
| spMetadata | ✅ | Service provider metadata object (may be empty {}). Supports entityID, binding, privateKey, and assertion encryption fields. |
| idpMetadata | Optional | Full IdP metadata if available from a federation metadata URL. Overrides individual fields. |
| wantAssertionsSigned | Optional | Require signed assertions (recommended). |
| authnRequestsSigned | Optional | Sign outgoing AuthnRequest messages. |
| signatureAlgorithm | Optional | Override the default signature algorithm. |
| mapping | Optional | Attribute mapping: { id, email, name, firstName?, lastName?, extraFields? }. |
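An added example, not Dokploy's own schema, that checks a provider config against the field rules in the OIDC and SAML reference tables above before it is handed to sso.register. Field names follow the tables; the `protocol`/`config` wrapper, the https-only rule for endpoint URLs, the "discovery endpoint or all four manual endpoints" rule and the warnings for `pkce: false` and an unset `wantAssertionsSigned` are this example's choices. Only the fields the checks touch are typed.

```typescript
// Added example (not Dokploy's schema): pre-flight validation of an OIDC or
// SAML provider config against the rules in the reference tables.

interface OidcConfig {
  clientId: string;
  clientSecret: string;
  discoveryEndpoint?: string;
  authorizationEndpoint?: string;
  tokenEndpoint?: string;
  userInfoEndpoint?: string;
  jwksEndpoint?: string;
  tokenEndpointAuthentication?: "client_secret_post" | "client_secret_basic";
  scopes?: string[];
  pkce?: boolean; // defaults to true per the table
  skipDiscovery?: boolean;
}

interface SamlConfig {
  entryPoint: string;
  cert: string; // PEM body without -----BEGIN/END----- headers
  callbackUrl: string;
  audience?: string;
  spMetadata: Record<string, unknown>; // may be {}
  wantAssertionsSigned?: boolean;
  authnRequestsSigned?: boolean;
}

// Assumed wrapper shape; the real request body may differ.
type ProviderConfig =
  | { protocol: "oidc"; config: OidcConfig }
  | { protocol: "saml"; config: SamlConfig };

interface ValidationReport {
  errors: string[];   // would be rejected
  warnings: string[]; // accepted but weaker than recommended
}

function isHttpsUrl(value: string | undefined): boolean {
  if (!value) return false;
  try {
    return new URL(value).protocol === "https:";
  } catch (e) {
    return false;
  }
}

// The four endpoints that must be supplied by hand when skipDiscovery is true
const MANUAL_OIDC_ENDPOINTS = ["authorizationEndpoint", "tokenEndpoint", "userInfoEndpoint", "jwksEndpoint"] as const;

function validateProviderConfig(p: ProviderConfig): ValidationReport {
  const errors: string[] = [];
  const warnings: string[] = [];
  if (p.protocol === "oidc") {
    const c = p.config;
    if (!c.clientId) errors.push("clientId is required");
    if (!c.clientSecret) errors.push("clientSecret is required");
    if (c.skipDiscovery) {
      for (const key of MANUAL_OIDC_ENDPOINTS) {
        if (!isHttpsUrl(c[key])) errors.push(`${key} must be an https URL when skipDiscovery is true`);
      }
    } else {
      const disc = c.discoveryEndpoint || "";
      if (!isHttpsUrl(disc)) errors.push("discoveryEndpoint must be an https URL unless skipDiscovery is true");
      else if (!/\/\.well-known\/openid-configuration$/.test(disc)) warnings.push("discoveryEndpoint does not end in /.well-known/openid-configuration");
    }
    // PKCE defaults to true; turning it off removes the binding of the code to this client instance
    if (c.pkce === false) warnings.push("pkce is disabled; the default (true) is recommended");
  } else {
    const c = p.config;
    if (!isHttpsUrl(c.entryPoint)) errors.push("entryPoint must be an https URL");
    if (!isHttpsUrl(c.callbackUrl)) errors.push("callbackUrl must be an https URL");
    if (!c.cert) errors.push("cert is required");
    else if (/-----BEGIN/.test(c.cert)) errors.push("cert must be the PEM body without BEGIN/END headers");
    if (!c.spMetadata) errors.push("spMetadata is required (an empty {} is accepted)");
    // Unsigned assertions let anyone who can reach the ACS forge a login
    if (c.wantAssertionsSigned !== true) warnings.push("wantAssertionsSigned is not true; unsigned assertions would be accepted");
  }
  return { errors, warnings };
}

function isValidProviderConfig(p: ProviderConfig): boolean {
  return validateProviderConfig(p).errors.length === 0;
}
```

Run `validateProviderConfig` on the object you are about to submit and treat a non-empty `warnings` array as something to justify, not just log: on the SAML side in particular, `wantAssertionsSigned` is the control that makes the IdP certificate in `cert` mean anything.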
On Dokploy Cloud, sso.showSignInWithSSO always returns true and SSO is available to all organizations. For self-hosted installations, SSO requires an active Enterprise license.