dpndncY

Single sign-on (OIDC & SAML 2.0)

Delegate authentication to your identity provider over OIDC or SAML 2.0 — Okta, Azure AD / Entra ID, Google Workspace, Keycloak, Auth0, ADFS, Ping. Users sign in with your IdP, MFA is enforced by the IdP, and roles map from group claims.

OIDC

.env
OIDC_ISSUER_URL=https://login.example.com
OIDC_CLIENT_ID=dpndncy
OIDC_CLIENT_SECRET=****
OIDC_SCOPES=openid email profile groups

The login flow uses authorization-code with PKCE, and enforces state + nonce. The redirect URI is https://<console>/api/auth/oidc/callback.
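The following is an added illustration of that flow, not code from dpndncY: it derives the S256 PKCE challenge, builds the authorization request with state and nonce, and shows the checks a callback handler must apply before trusting an ID token. The authorize endpoint path, the console hostname and the claim values are constructed placeholders; a real client reads the endpoints from the issuer's discovery document and verifies the ID token signature before calling the check.

```python
import base64
import hashlib
import secrets
import time
from urllib.parse import urlencode

# Constructed values standing in for the .env settings above.
ISSUER = "https://login.example.com"
CLIENT_ID = "dpndncy"
REDIRECT_URI = "https://console.example.com/api/auth/oidc/callback"  # hypothetical console host
SCOPES = "openid email profile groups"


def b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def pkce_challenge(verifier: str) -> str:
    """S256 method: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def start_login():
    """Build the authorization URL and the per-session secrets that must stay server-side."""
    verifier = b64url(secrets.token_bytes(32))  # 43 chars, inside the 43..128 RFC 7636 bound
    state = b64url(secrets.token_bytes(16))     # ties the callback to this browser session
    nonce = b64url(secrets.token_bytes(16))     # ties the ID token to this particular login
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": SCOPES,
        "state": state,
        "nonce": nonce,
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    }
    # Assumed endpoint path; production code takes it from /.well-known/openid-configuration.
    url = f"{ISSUER}/authorize?" + urlencode(params)
    return url, {"verifier": verifier, "state": state, "nonce": nonce}


def check_callback(session, returned_state, id_token_claims, now=None):
    """Accept the callback only if state, nonce, issuer, audience and expiry all check out.

    Assumes the caller has already verified the ID token signature against the IdP's JWKS.
    """
    now = time.time() if now is None else now
    if not secrets.compare_digest(session["state"], returned_state):
        raise ValueError("state mismatch: callback not tied to this session (CSRF or replay)")
    if not secrets.compare_digest(session["nonce"], id_token_claims.get("nonce", "")):
        raise ValueError("nonce mismatch: ID token was not issued for this login")
    if id_token_claims.get("iss") != ISSUER:
        raise ValueError("unexpected issuer")
    aud = id_token_claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if CLIENT_ID not in aud:
        raise ValueError("ID token not issued to this client")
    if id_token_claims.get("exp", 0) <= now:
        raise ValueError("ID token expired")
    return True
```

The verifier is sent only on the back-channel token exchange (together with the code), so a stolen authorization code alone is useless; the state value is what stops a forged callback from being bound to a victim's session.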

SAML 2.0

.env
SAML_IDP_SSO_URL=https://idp.example.com/sso
SAML_IDP_CERT=/data/saml/idp.pem
SAML_SP_ENTITY_ID=https://dpndncy.example.com

The SP ACS URL is https://<console>/api/auth/saml/callback.

Provisioning & roles

  • Auto-provisioning — users are created on first successful login.
  • Group → role mapping — map IdP group claims to dpndncY roles (admin / analyst / viewer).
  • MFA — delegated to your IdP; dpndncY honours whatever the IdP asserts.
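As an added example (not dpndncY's own implementation), the snippet below shows one way the group → role mapping and first-login provisioning can be made predictable: groups are compared exactly as the IdP asserts them, a user in several mapped groups gets the highest-ranked role, and a user whose groups map to nothing is refused rather than silently given a default. The group names, the "no mapped group means no account" rule and the claim shapes are assumptions for illustration.

```python
# Constructed mapping standing in for the console's configuration.
GROUP_TO_ROLE = {
    "dpndncy-admins": "admin",
    "dpndncy-analysts": "analyst",
    "dpndncy-viewers": "viewer",
}
# Higher rank wins when a user belongs to several mapped groups.
ROLE_RANK = {"viewer": 1, "analyst": 2, "admin": 3}


def resolve_role(groups):
    """Return the single effective dpndncY role for an IdP group claim, or None if nothing maps.

    Group names are matched exactly (case-sensitive) so that a near-miss group never grants access.
    """
    if isinstance(groups, str):  # some IdPs send a single group as a bare string
        groups = [groups]
    matched = [GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE]
    if not matched:
        return None
    return max(matched, key=ROLE_RANK.__getitem__)


def provision_user(claims):
    """Decide what to create on first successful login from the verified token claims.

    Assumption: a subject with no mapped group is rejected instead of being auto-provisioned.
    """
    subject = claims.get("sub")
    if not subject:
        raise ValueError("token has no subject claim")
    role = resolve_role(claims.get("groups", []))
    if role is None:
        raise PermissionError(f"{subject}: no IdP group maps to a dpndncY role")
    return {"subject": subject, "email": claims.get("email"), "role": role}
```

Keying the account on the stable `sub` claim rather than the e-mail address avoids account takeover when an address is reassigned at the IdP; the e-mail is stored only for display.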

Set COOKIE_SECURE + TRUST_PROXY behind TLS
Production SSO runs behind a TLS-terminating proxy. Set both flags so that session cookies and redirect URLs are built for the HTTPS origin the proxy presents, not for the plain-HTTP hop between the proxy and the console.
