Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/Nettalco/dokploy/llms.txt

Use this file to discover all available pages before exploring further.

Single Sign-On lets your entire team authenticate with the identity provider your organization already uses — Okta, Azure AD, Google Workspace, Keycloak, Auth0, and any other SAML 2.0 or OIDC-compliant provider. Once SSO is configured, members can click Sign in with SSO on the Dokploy login page and be redirected to your IdP, eliminating the need to manage separate Dokploy passwords.

Requirements

  • A valid Dokploy Enterprise license activated on the owner account (see Enterprise Overview).
  • Dokploy must be reachable at a publicly accessible domain so your identity provider can redirect back after authentication.
  • The SSO issuer URL must be added to the organization’s trusted origins before a provider can be created or updated.

Supported Protocols

Dokploy supports two SSO protocols via the better-auth SSO integration:

SAML 2.0

Industry-standard XML-based federation. Requires an entry point URL, an X.509 certificate from your IdP, and an SP callback URL.

OpenID Connect (OIDC)

OAuth 2.0-based protocol. Requires a client ID, client secret, and your IdP’s discovery endpoint (well-known URL). PKCE is enabled by default.

Enabling SSO

1

Activate your Enterprise license

SSO endpoints use enterpriseProcedure, which verifies that the organization’s owner has a valid license. Ensure licenseKey.haveValidLicenseKey returns true before proceeding.
2

Add a trusted origin

Before registering any provider, add your IdP’s issuer URL as a trusted origin. This prevents unauthorized IdPs from being used to initiate authentication flows.
await trpc.sso.addTrustedOrigin.mutate({
  origin: "https://login.microsoftonline.com/your-tenant-id",
});
Origins are normalized (scheme + host) before storage so https://example.com/path and https://example.com resolve to the same entry.
3

Register an SSO provider

Call sso.register with your protocol-specific configuration. Each provider requires a unique providerId, the IdP issuer URL, and one or more email domains that will use this provider.
await trpc.sso.register.mutate({
  providerId: "google-workspace",
  issuer: "https://accounts.google.com",
  domains: ["yourcompany.com"],
  oidcConfig: {
    clientId: "YOUR_CLIENT_ID",
    clientSecret: "YOUR_CLIENT_SECRET",
    discoveryEndpoint:
      "https://accounts.google.com/.well-known/openid-configuration",
    pkce: true,
  },
});
A domain can only be registered with one provider at a time. Attempting to register a domain already claimed by another provider returns a BAD_REQUEST error.
4

Verify the sign-in button is visible

The sso.showSignInWithSSO public endpoint returns true when at least one provider is configured and the owner’s license is valid. On Dokploy Cloud it always returns true.
// Public — no authentication required
const showButton = await trpc.sso.showSignInWithSSO.query();
// true → "Sign in with SSO" button is displayed on the login page
5

Test the login flow

Open the Dokploy login page in a private/incognito window. Click Sign in with SSO, enter an email address whose domain matches your configured provider, and complete authentication in your IdP. On success you are redirected back to the Dokploy dashboard.

SSO Enforcement

sso.enforceSSO is a public query that returns true when the web server is configured to require SSO for all logins (password-based login is then blocked). On Dokploy Cloud this always returns false.
const enforced = await trpc.sso.enforceSSO.query();
When enforcement is active, users who attempt to sign in with a password are redirected to the SSO flow instead.

Managing Providers

List Providers — sso.listProviders

Returns all providers registered for the active organization, including their providerId, issuer, domain, and protocol-specific config objects.
const providers = await trpc.sso.listProviders.query();
// [{ providerId, issuer, domain, oidcConfig, samlConfig, organizationId }]

Get a Single Provider — sso.one

const provider = await trpc.sso.one.query({ providerId: "google-workspace" });
Returns NOT_FOUND if the provider does not belong to the active organization.

Update a Provider — sso.update

Accepts the same ssoProviderBodySchema as sso.register. If the issuer URL changes, the new issuer must already exist in the trusted origins list — the update is rejected otherwise.
await trpc.sso.update.mutate({
  providerId: "google-workspace",
  issuer: "https://accounts.google.com",
  domains: ["yourcompany.com", "subsidiary.com"],
  oidcConfig: {
    clientId: "NEW_CLIENT_ID",
    clientSecret: "NEW_CLIENT_SECRET",
    discoveryEndpoint:
      "https://accounts.google.com/.well-known/openid-configuration",
  },
});

Delete a Provider — sso.deleteProvider

await trpc.sso.deleteProvider.mutate({ providerId: "okta-saml" });
// { success: true }

Trusted Origins

Trusted origins control which identity provider URLs are permitted to initiate SSO flows. All mutations are available only to Enterprise users of the active organization.
ProcedureTypeDescription
sso.getTrustedOriginsqueryReturns the array of trusted origin strings for the organization.
sso.addTrustedOriginmutationAdds a new origin. Input: { origin: string }. No-op if the normalized origin already exists.
sso.removeTrustedOriginmutationRemoves an origin. Input: { origin: string }.
sso.updateTrustedOriginmutationReplaces an existing origin. Input: { oldOrigin: string, newOrigin: string }.
All origins are normalized to scheme://host before storage and comparison, so trailing slashes and paths are stripped automatically.

OIDC Configuration Reference

FieldRequiredDescription
clientIdOAuth 2.0 client ID issued by your IdP.
clientSecretOAuth 2.0 client secret issued by your IdP.
discoveryEndpointRecommendedURL of the IdP’s /.well-known/openid-configuration document. When provided, endpoints are discovered automatically.
authorizationEndpointOptionalOverride the authorization endpoint (used when skipDiscovery: true).
tokenEndpointOptionalOverride the token endpoint.
userInfoEndpointOptionalOverride the user info endpoint.
jwksEndpointOptionalOverride the JWKS URI.
tokenEndpointAuthenticationOptionalclient_secret_post or client_secret_basic. Defaults to client_secret_post.
scopesOptionalAdditional OAuth scopes to request (e.g. ["openid", "email", "profile"]).
pkceOptionalEnable PKCE (Proof Key for Code Exchange). Defaults to true.
mappingOptionalAttribute mapping: { id, email, name, emailVerified?, image?, extraFields? }.
skipDiscoveryOptionalSet true to skip auto-discovery and supply all endpoints manually.

SAML Configuration Reference

FieldRequiredDescription
entryPointIdP SSO URL where SAML authentication requests are sent.
certPublic X.509 certificate from your IdP (PEM format, without headers).
callbackUrlAssertion Consumer Service (ACS) URL on your Dokploy instance (e.g. https://dokploy.yourcompany.com/api/auth/sso/callback).
audienceOptionalService provider entity ID / audience restriction.
spMetadataService provider metadata object (may be empty {}). Supports entityID, binding, privateKey, and assertion encryption fields.
idpMetadataOptionalFull IdP metadata if available from a federation metadata URL. Overrides individual fields.
wantAssertionsSignedOptionalRequire signed assertions (recommended).
authnRequestsSignedOptionalSign outgoing AuthnRequest messages.
signatureAlgorithmOptionalOverride the default signature algorithm.
mappingOptionalAttribute mapping: { id, email, name, firstName?, lastName?, extraFields? }.
Always configure trusted origins before registering or updating providers. Failing to do so will cause provider updates that change the issuer URL to be rejected with a BAD_REQUEST error. Trusted origins are scoped to the organization owner — only the owner’s origins are checked.
On Dokploy Cloud, sso.showSignInWithSSO always returns true and SSO is available to all organizations. For self-hosted installations, SSO requires an active Enterprise license.

Build docs developers (and LLMs) love