Single sign-on (OIDC & SAML 2.0)
Delegate authentication to your identity provider over OIDC or SAML 2.0 — Okta, Azure AD / Entra ID, Google Workspace, Keycloak, Auth0, ADFS, Ping. Users sign in with your IdP, MFA is enforced by the IdP, and roles map from group claims.
OIDC
.env
OIDC_ISSUER_URL=https://login.example.com
OIDC_CLIENT_ID=dpndncy
OIDC_CLIENT_SECRET=****
OIDC_SCOPES=openid email profile groups

The login flow uses the authorization-code flow with PKCE and enforces state + nonce. The redirect URI is https://<console>/api/auth/oidc/callback.
SAML 2.0
.env
SAML_IDP_SSO_URL=https://idp.example.com/sso
SAML_IDP_CERT=/data/saml/idp.pem
SAML_SP_ENTITY_ID=https://dpndncy.example.com

The SP ACS URL is https://<console>/api/auth/saml/callback.
Provisioning & roles
- Auto-provisioning — users are created on first successful login.
- Group → role mapping — map IdP group claims to dpndncY roles (admin / analyst / viewer).
- MFA — delegated to your IdP; dpndncY honours whatever the IdP asserts.
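The OIDC flow described above (authorization code with PKCE, state and nonce) together with the group-to-role mapping, as an added illustration that is not dpndncY's own code. It assumes the /authorize endpoint path, the IdP group names and a hypothetical session dict; in practice the endpoint comes from the issuer's discovery document, and the ID token's signature is verified before its claims reach handle_callback.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Assumed values; the real issuer, client id and redirect host come from .env.
ISSUER = "https://login.example.com"
CLIENT_ID = "dpndncy"
REDIRECT_URI = "https://console.example.com/api/auth/oidc/callback"
SCOPES = "openid email profile groups"

# Assumed IdP group names; the page fixes only the three dpndncY roles.
GROUP_ROLE_MAP = {"dpndncy-admins": "admin", "dpndncy-analysts": "analyst", "dpndncy-viewers": "viewer"}
ROLE_RANK = {"admin": 3, "analyst": 2, "viewer": 1}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def start_login() -> tuple[str, dict]:
    """Build the authorize URL and the per-login values the server keeps in its session."""
    verifier = b64url(secrets.token_bytes(32))                       # PKCE code_verifier (43 chars)
    challenge = b64url(hashlib.sha256(verifier.encode()).digest())   # S256 code_challenge
    state = b64url(secrets.token_bytes(16))                          # binds callback to this browser session
    nonce = b64url(secrets.token_bytes(16))                          # binds ID token to this login
    params = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "scope": SCOPES, "state": state, "nonce": nonce,
              "code_challenge": challenge, "code_challenge_method": "S256"}
    # "/authorize" is an assumed path; read authorization_endpoint from discovery in real code.
    session = {"verifier": verifier, "challenge": challenge, "state": state, "nonce": nonce}
    return f"{ISSUER}/authorize?{urlencode(params)}", session


def pkce_matches(verifier: str, challenge: str) -> bool:
    """What the IdP checks at the token endpoint: S256(verifier) must equal the challenge."""
    return secrets.compare_digest(b64url(hashlib.sha256(verifier.encode()).digest()), challenge)


def handle_callback(session: dict, callback_state: str, id_token_claims: dict) -> str:
    """Check state, issuer/audience and nonce, then map group claims to one dpndncY role."""
    if not secrets.compare_digest(session["state"], callback_state):
        raise ValueError("state mismatch: callback not tied to a login this server started")
    if id_token_claims.get("iss") != ISSUER or id_token_claims.get("aud") != CLIENT_ID:
        raise ValueError("ID token not issued by our IdP for this client")
    if not secrets.compare_digest(session["nonce"], id_token_claims.get("nonce", "")):
        raise ValueError("nonce mismatch: ID token not bound to this login")
    roles = [GROUP_ROLE_MAP[g] for g in id_token_claims.get("groups", []) if g in GROUP_ROLE_MAP]
    if not roles:
        raise PermissionError("no mapped group claim: do not auto-provision this user")
    return max(roles, key=ROLE_RANK.__getitem__)   # highest-privilege mapped role wins
```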
Set COOKIE_SECURE + TRUST_PROXY behind TLS
Production SSO runs behind a TLS-terminating proxy — set those two flags so session cookies and redirects behave.