SSO / OIDC
dockmesh supports OpenID Connect (OIDC) as its single sign-on protocol — covering essentially every modern identity provider. SSO is free, not a paid feature.
Configuring a provider
Settings → Authentication → OIDC → Add provider
| Field | Example |
|---|---|
| Display name | Azure AD |
| Issuer URL | https://login.microsoftonline.com/<tenant-id>/v2.0 |
| Client ID | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx |
| Client secret | ••••••• |
| Scopes | openid profile email groups |
| Redirect URI | https://dockmesh.example.com/auth/oidc/callback (auto-filled) |
Click Test to run the discovery request against the issuer URL. dockmesh fetches and validates `<issuer>/.well-known/openid-configuration` before letting you save, so a typo in the issuer URL or a provider without a discovery document is caught at configuration time rather than at first login.
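What a Test button like this should check is worth spelling out. The following is an added example, not dockmesh's own code: it validates a discovery document against the configured issuer URL, insisting that the document's `issuer` equals the configured URL exactly (otherwise tokens from one tenant could be accepted as another's), that the endpoints dockmesh will use are HTTPS, that the authorization code flow is offered, and, as a warning only, that the requested scopes are advertised. The discovery document is constructed for the example and shaped like a Keycloak realm's; the function names and the `ISSUER` value are assumptions.

```python
"""Validate an OIDC discovery document before saving a provider.

Added example, not dockmesh's own code. Shows the checks a 'Test' button
should make on <issuer>/.well-known/openid-configuration. SAMPLE_DOC is
constructed for the example; in practice you fetch it over HTTPS.
"""
import json
from urllib.parse import urlsplit

REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")


def discovery_url(issuer):
    """Discovery URL per OIDC Discovery 1.0: the suffix is appended to the
    issuer's path, so a trailing slash (Authentik) must not produce '//'."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def validate_discovery(issuer, doc, scopes):
    """Return {'errors': [...], 'warnings': [...]}; any error blocks saving."""
    errors, warnings = [], []
    # The document's issuer must equal the configured URL byte for byte.
    # A mismatch means later 'iss' checks on ID tokens would be checking
    # the wrong value, and tokens from another tenant could be accepted.
    if doc.get("issuer") != issuer:
        errors.append(
            f"issuer mismatch: document {doc.get('issuer')!r} != configured {issuer!r}"
        )
    for name in REQUIRED_ENDPOINTS:
        url = doc.get(name)
        if not url:
            errors.append(f"missing {name}")
        elif urlsplit(url).scheme != "https":
            errors.append(f"{name} must be https: {url}")
    if "code" not in doc.get("response_types_supported", []):
        errors.append("authorization code flow not supported")
    # Scope advertisement is only a hint: not every provider lists every
    # scope it honours, so an unadvertised scope is a warning, not an error.
    advertised = set(doc.get("scopes_supported", []))
    for scope in scopes:
        if scope not in advertised:
            warnings.append(f"scope {scope!r} not advertised; claim may be absent")
    return {"errors": errors, "warnings": warnings}


# Constructed discovery document (assumed issuer; Keycloak-style paths).
ISSUER = "https://kc.example.com/realms/ops"
SAMPLE_DOC = json.loads("""{
  "issuer": "https://kc.example.com/realms/ops",
  "authorization_endpoint": "https://kc.example.com/realms/ops/protocol/openid-connect/auth",
  "token_endpoint": "https://kc.example.com/realms/ops/protocol/openid-connect/token",
  "jwks_uri": "https://kc.example.com/realms/ops/protocol/openid-connect/certs",
  "response_types_supported": ["code", "id_token", "code id_token"],
  "scopes_supported": ["openid", "profile", "email"]
}""")

if __name__ == "__main__":
    print(discovery_url(ISSUER))
    print(validate_discovery(ISSUER, SAMPLE_DOC, ["openid", "profile", "email", "groups"]))
```

The issuer comparison is deliberately exact, including any trailing slash: the OIDC Discovery spec requires the document's `issuer` to be identical to the URL it was discovered from, and relaxing that comparison is how issuer mix-up bugs creep in.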
Tested providers
| Provider | Issuer URL format | Group claim |
|---|---|---|
| Azure AD / Entra ID | https://login.microsoftonline.com/<tenant>/v2.0 | groups |
| Google Workspace | https://accounts.google.com | none by default; map the hd (hosted-domain) claim instead |
| Okta | https://<org>.okta.com | groups |
| Keycloak | https://kc.example.com/realms/<realm> | groups or custom mapper |
| Authentik | https://authentik.example.com/application/o/<slug>/ | groups |
| GitHub (via dex) | https://dex.example.com | groups |
If your provider speaks OIDC and exposes a discovery document, it will work.
Group mapping
Settings → Authentication → Group mappings maps an incoming claim value to a dockmesh role:
| Group claim | dockmesh role | Scope |
|---|---|---|
| sre-team | Admin | all hosts |
| dev-frontend | Operator | tag=team-frontend |
| contractors | Viewer | all hosts |
The claim is re-evaluated on every login: remove a user from an AD group and the mapped permissions are revoked the next time they log in. A session that is already open keeps its permissions until that next login, so the change is not instantaneous.
First user
On a fresh install, the first user to log in via any configured provider is automatically promoted to Admin (regardless of group mappings) to avoid locking yourself out. Because the promotion goes to whoever logs in first, log in as the intended administrator immediately after configuring a provider. You can change this behaviour in Settings → Authentication → Bootstrap.
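The mapping and bootstrap rules above are easy to get subtly wrong (highest role per scope, nothing granted when the claim is missing, no leftover permissions from a previous login). The following is an added example, not dockmesh's own code, that models them: the mapping table from this page, a resolver that derives grants from the claims of the current login only, a per-host effective-role lookup that combines the all-hosts grant with tag-scoped grants, and the first-user bootstrap rule. The claim sets, the `user_count` argument and all function names are constructed assumptions for the example.

```python
"""Resolve dockmesh permissions from an ID token on each login.

Added example, not dockmesh's own code. Models the Group mappings table:
each incoming group value maps to a (role, scope) pair, a user matching
several rows keeps the highest role per scope, and grants are computed
from the current login's claims only, so a group the IdP stops sending
is gone at the next login. Also models the first-user bootstrap rule.
Claim sets and the user_count argument are constructed for the example.
"""

ROLE_RANK = {"Viewer": 1, "Operator": 2, "Admin": 3}

# (group claim value, dockmesh role, scope): the table from the docs.
MAPPINGS = [
    ("sre-team", "Admin", "all hosts"),
    ("dev-frontend", "Operator", "tag=team-frontend"),
    ("contractors", "Viewer", "all hosts"),
]


def resolve_grants(claims, mappings=MAPPINGS, group_claim="groups"):
    """Return {scope: role} for one login, highest role per scope."""
    groups = claims.get(group_claim)
    if groups is None:
        # Claim missing (scope not consented, or provider did not emit it):
        # grant nothing rather than fall back to an earlier login's roles.
        return {}
    if isinstance(groups, str):
        groups = [groups]  # some providers emit a single string, not a list
    present = set(groups)
    grants = {}
    for group, role, scope in mappings:
        if group in present and ROLE_RANK[role] > ROLE_RANK.get(grants.get(scope), 0):
            grants[scope] = role
    return grants


def role_on_host(grants, host_tags):
    """Effective role on one host: the best of the all-hosts grant and any
    grant whose tag scope matches one of the host's tags. None = no access."""
    best = grants.get("all hosts")
    for tag in host_tags:
        candidate = grants.get(f"tag={tag}")
        if ROLE_RANK.get(candidate, 0) > ROLE_RANK.get(best, 0):
            best = candidate
    return best


def login(claims, user_count, bootstrap_enabled=True):
    """Grants for a login. On a fresh install (no users yet) the first
    user is Admin on all hosts regardless of mappings, unless disabled."""
    if bootstrap_enabled and user_count == 0:
        return {"all hosts": "Admin"}
    return resolve_grants(claims)


if __name__ == "__main__":
    # Constructed claim sets for two successive logins by the same user.
    before = {"sub": "u1", "email": "dev@example.com",
              "groups": ["dev-frontend", "contractors"]}
    after = {"sub": "u1", "email": "dev@example.com",
             "groups": ["contractors"]}  # removed from dev-frontend in AD
    print(role_on_host(login(before, user_count=5), ["team-frontend"]))  # Operator
    print(role_on_host(login(after, user_count=5), ["team-frontend"]))   # Viewer
    print(login({"groups": []}, user_count=0))                           # bootstrap Admin
```

Note that a missing `groups` claim yields no grants at all, not the previous login's grants: if an IdP stops sending the claim (scope removed, token configuration changed), the safe outcome is a user with no permissions, which surfaces the misconfiguration instead of silently preserving access.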
Local accounts
OIDC and local username+password can coexist. Under Settings → Authentication → Local accounts you can disable local login entirely after SSO is set up, or keep a break-glass admin account for IdP outages. If you keep one, protect it with two-factor auth, since it is the one login path your IdP policies do not cover.
See also
- RBAC & Roles — define the roles that group mappings reference
- Two-Factor Auth — still applies to local accounts even when SSO is enabled