From 11b6fd180f88e966c40eb1e34ab64b0a59013a47 Mon Sep 17 00:00:00 2001 From: Mauricio Siu Date: Sat, 31 Jan 2026 00:11:54 -0600 Subject: [PATCH 1/7] Add Enterprise documentation for SSO, audit logs, and whitelabeling features - Introduced new documentation files for Enterprise features including SSO with Auth0 and Keycloak, audit logs, license keys, and whitelabeling. - Updated the meta.json to include new sections for these features, enhancing the organization of the documentation. - This addition provides users with comprehensive guidance on configuring and utilizing Enterprise functionalities. --- .../docs/core/enterprise/audit-logs.mdx | 44 +++++++++++++++++ .../content/docs/core/enterprise/index.mdx | 21 ++++++++ .../docs/core/enterprise/license-keys.mdx | 23 +++++++++ .../docs/core/enterprise/sso/auth0.mdx | 44 +++++++++++++++++ .../docs/core/enterprise/sso/index.mdx | 15 ++++++ .../docs/core/enterprise/sso/keycloak.mdx | 48 +++++++++++++++++++ .../docs/core/enterprise/sso/meta.json | 7 +++ .../docs/core/enterprise/whitelabeling.mdx | 37 ++++++++++++++ apps/docs/content/docs/core/meta.json | 12 +++-- 9 files changed, 248 insertions(+), 3 deletions(-) create mode 100644 apps/docs/content/docs/core/enterprise/audit-logs.mdx create mode 100644 apps/docs/content/docs/core/enterprise/index.mdx create mode 100644 apps/docs/content/docs/core/enterprise/license-keys.mdx create mode 100644 apps/docs/content/docs/core/enterprise/sso/auth0.mdx create mode 100644 apps/docs/content/docs/core/enterprise/sso/index.mdx create mode 100644 apps/docs/content/docs/core/enterprise/sso/keycloak.mdx create mode 100644 apps/docs/content/docs/core/enterprise/sso/meta.json create mode 100644 apps/docs/content/docs/core/enterprise/whitelabeling.mdx diff --git a/apps/docs/content/docs/core/enterprise/audit-logs.mdx b/apps/docs/content/docs/core/enterprise/audit-logs.mdx new file mode 100644 index 00000000..9dbd9928 --- /dev/null 
+++ b/apps/docs/content/docs/core/enterprise/audit-logs.mdx @@ -0,0 +1,44 @@ +--- +title: Audit logs +description: Track user actions and changes for compliance and security +--- + +## What is logged + +Typical events include: + +- **Authentication** — Logins, logouts, failed attempts, SSO redirects. +- **Users and access** — User creation, updates, deletion, role changes, invite/revoke. +- **Resources** — Creation, update, and deletion of projects, applications, compose stacks, databases, domains, environment variables, and similar resources. +- **Deployments** — Deploy triggers, rollbacks, and related actions. +- **Settings** — Changes to organization, security, and whitelabel settings (where applicable). + +Each entry usually includes: + +- **Timestamp** (UTC) +- **Actor** (user ID, email, or service account) +- **Action** (e.g. `user.login`, `application.create`, `compose.deploy`) +- **Resource** (type and identifier) +- **Details** (e.g. old/new values or reason, when relevant) +- **IP address** (when available) + +## Accessing audit logs + +1. Go to **Settings** → **Audit logs** (or **Organization** → **Audit logs** in Enterprise). +2. Use filters by date range, user, action type, or resource. +3. Export results (e.g. CSV or JSON) for external tools or compliance reviews. + +## Retention and storage + +- Retention period and storage backend (e.g. database, external logging) depend on your Enterprise agreement. +- Configure retention and any archiving according to your compliance and security policies. + +## Compliance + +Audit logs help support: + +- **SOC 2** — Evidence of access control and change management. +- **GDPR** — Documentation of access to and changes in personal data and configurations. +- **Internal policies** — Review of who changed what and when. + +For retention, export formats, or integration with your SIEM or log pipeline, [contact us](https://dokploy.com/contact). 
diff --git a/apps/docs/content/docs/core/enterprise/index.mdx b/apps/docs/content/docs/core/enterprise/index.mdx new file mode 100644 index 00000000..dea8d396 --- /dev/null +++ b/apps/docs/content/docs/core/enterprise/index.mdx @@ -0,0 +1,21 @@ +--- +title: Introduction +description: Enterprise features for SSO, whitelabeling, and audit logs +--- + + +## What's included + +- **Single Sign-On (SSO)** — Integrate with Auth0, Keycloak, or other OIDC/SAML providers. +- **Whitelabeling** — Rebrand the UI with your logo, colors, and domain (self-hosted only). +- **Audit logs** — Track user actions and changes for compliance and security. + +More Enterprise features are on the way. [Contact us](https://dokploy.com/contact) if you want early access or have specific requirements. + +## Contact us + +For pricing and to enable Enterprise features on your instance, get in touch with our team: + +**[Contact us →](https://dokploy.com/contact)** + +We'll help you configure SSO, whitelabeling, and audit logs for your organization. diff --git a/apps/docs/content/docs/core/enterprise/license-keys.mdx b/apps/docs/content/docs/core/enterprise/license-keys.mdx new file mode 100644 index 00000000..e967526e --- /dev/null +++ b/apps/docs/content/docs/core/enterprise/license-keys.mdx 
@@ -0,0 +1,23 @@ +--- +title: License Keys +description: Activate and manage your Enterprise license +--- + +To use Enterprise features (SSO, whitelabeling, audit logs, and more), you need a valid license issued by the Dokploy team. + +By default, all Dokploy instances run in the standard edition. If you are interested in switching to the Enterprise version, [contact us](https://dokploy.com/contact). Once you receive your license key, you can activate it in your instance. + +## Activating your license + +1. Go to **Settings** → **License** (or **Organization** → **License** in Enterprise). +2. Enter your license key and click **Activate**. + +Your instance will then have access to Enterprise features for the duration of the license. + +## How validation works + +- The license is validated **every day** against our servers to verify that it is still valid. +- The **only data** used for validation is the **IP address** of your server. We check it against our license server to confirm that the key is valid and active for that server. +- No other data is sent or stored for license validation. + +If your server’s IP changes, or you have questions about your license, [contact us](https://dokploy.com/contact). diff --git a/apps/docs/content/docs/core/enterprise/sso/auth0.mdx b/apps/docs/content/docs/core/enterprise/sso/auth0.mdx new file mode 100644 index 00000000..b9078cf4 --- /dev/null +++ b/apps/docs/content/docs/core/enterprise/sso/auth0.mdx 
@@ -0,0 +1,44 @@ +--- +title: Auth0 +description: Configure SSO with Auth0 +--- + + +## 1. Create an application in Auth0 + +1. Log in to the [Auth0 Dashboard](https://manage.auth0.com/). +2. Go to **Applications** → **Applications** → **Create Application**. +3. Choose **Regular Web Application** and create it. +4. Note your **Domain**, **Client ID**, and **Client Secret**. + +## 2. Configure Dokploy + +1. In Dokploy, go to **Settings** (or **Organization** / **Security** in Enterprise). +2. Enable **SSO** and choose **OpenID Connect**. +3. Enter: + - **Provider**: myorg-name-auth0 (Unique) + - **Issuer URL**: `https://YOUR_AUTH0_DOMAIN/` (Make sure add the trailing slash) + - **Domain**: `your-domain.com` (Your domain) + - **Client ID**: from Auth0 application + - **Client Secret**: from Auth0 application + - **Scopes**: openid email profile +4. Save. + +## 3. Configure Auth0 + +1. In your application, go to **Settings**. +2. Set **Allowed Callback URLs** to your Dokploy URL, for example: + - `https://your-dokploy-domain.com/api/auth/callback/myorg-name-auth0` +3. Set **Allowed Logout URLs** to: + - `https://your-dokploy-domain.com` +4. Set **Allowed Origins** to: + - `https://your-dokploy-domain.com` +5. Save changes. + +## Troubleshooting + +- **Redirect URI mismatch** — Ensure the callback URL in Dokploy matches exactly what is configured in Auth0 (including protocol and path). +- **Invalid client** — Double-check Client ID and Client Secret, and that the application is a web application. +- **Scopes** — Ensure Auth0 is configured to return `openid` and, if required, `email` and `profile`. + +For help with your setup, [contact us](https://dokploy.com/contact). diff --git a/apps/docs/content/docs/core/enterprise/sso/index.mdx b/apps/docs/content/docs/core/enterprise/sso/index.mdx new file mode 100644 index 00000000..99c12f0d --- /dev/null +++ b/apps/docs/content/docs/core/enterprise/sso/index.mdx 
@@ -0,0 +1,15 @@ +--- +title: Single Sign-On (SSO) +description: Configure SSO with Auth0, Keycloak, or other OIDC/SAML providers +--- + +# Single Sign-On (SSO) + +Enterprise supports Single Sign-On via OpenID Connect (OIDC) and SAML. You can use Auth0, Keycloak, or any compatible identity provider. + +Choose a provider below for step-by-step configuration: + +- **[Auth0](/docs/core/enterprise/sso/auth0)** — Cloud identity platform +- **[Keycloak](/docs/core/enterprise/sso/keycloak)** — Open-source identity and access management + +For other OIDC/SAML providers, use the same endpoints and flow; [contact us](https://dokploy.com/contact) if you need help. diff --git a/apps/docs/content/docs/core/enterprise/sso/keycloak.mdx b/apps/docs/content/docs/core/enterprise/sso/keycloak.mdx new file mode 100644 index 00000000..20b76d2a --- /dev/null +++ b/apps/docs/content/docs/core/enterprise/sso/keycloak.mdx 
@@ -0,0 +1,48 @@ +--- +title: Keycloak +description: Configure SSO with Keycloak +--- + +## 1. Create a client in Keycloak + +1. Log in to your Keycloak Admin Console. +2. Select your realm (or create one). +3. Go to **Clients** → **Create client**. +4. Set **Client ID** (e.g. `my-client-id`) and **Client type** to **OpenID Connect**. +5. Set **Root URL** to your Dokploy base URL, e.g. `https://your-dokploy-domain.com`. +6. Save. +7. Open the client, set **Access type** to **confidential**, then open the **Credentials** tab and note the **Secret**. +8. From **Realm settings** → **OpenID Endpoint Configuration**, note the **Issuer** (e.g. `https://keycloak.example.com/realms/your-realm`). + +## 2. Configure Dokploy + +1. In Dokploy, go to **Settings** (or **Organization** / **Security** in Enterprise). +2. Enable **SSO** and choose **OpenID Connect**. +3. Enter: + - **Provider**: my-client-id (Unique) + - **Issuer URL**: your Keycloak realm URL (e.g. `https://keycloak.example.com/realms/your-realm`) + - **Domain**: `your-domain.com` + - **Client ID**: my-client-id + - **Client Secret**: the secret from the Keycloak client Credentials tab + - **Scopes**: openid email profile +4. Save. + +## 3. Configure Keycloak + +1. In your Keycloak client, go to **Settings**. +2. Set **Valid redirect URIs** to your Dokploy callback URL, for example: + - `https://your-dokploy-domain.com/api/auth/callback/my-client-id` +3. Set **Valid post logout redirect URIs** to: + - `https://your-dokploy-domain.com` +4. Set **Allowed Origins** to: + - `https://your-dokploy-domain.com` +5. Save changes. + +## Troubleshooting + +- **Redirect URI mismatch** — Ensure the callback URL in Dokploy matches exactly what is configured in Keycloak (including protocol and path). Use the same **Provider** value in the path (e.g. `.../api/auth/callback/myorg-name-keycloak`). +- **Invalid client** — Double-check Client ID and Client Secret, and that the client is enabled and set to confidential access. 
+- **Scopes** — Ensure the client is configured to request `openid` and, if required, `email` and `profile`. +- **Attribute mapping** — If user email or name is missing, map Keycloak attributes (e.g. email, preferred_username) in Dokploy if your setup supports it. + +For help with your setup, [contact us](https://dokploy.com/contact). diff --git a/apps/docs/content/docs/core/enterprise/sso/meta.json b/apps/docs/content/docs/core/enterprise/sso/meta.json new file mode 100644 index 00000000..4104d0a2 --- /dev/null +++ b/apps/docs/content/docs/core/enterprise/sso/meta.json @@ -0,0 +1,7 @@ +{ + "title": "SSO", + "pages": [ + "auth0", + "keycloak" + ] +} diff --git a/apps/docs/content/docs/core/enterprise/whitelabeling.mdx b/apps/docs/content/docs/core/enterprise/whitelabeling.mdx new file mode 100644 index 00000000..64c69b75 --- /dev/null +++ b/apps/docs/content/docs/core/enterprise/whitelabeling.mdx 
@@ -0,0 +1,37 @@ +--- +title: Whitelabeling +description: Rebrand Dokploy with your logo, colors, and domain +--- + + +## What you can customize + +- **Logo** — Header and login logo. +- **Favicon** — Browser tab icon. +- **Colors** — Primary color and accent (e.g. buttons, links). +- **Custom domain** — Serve the app from your own domain (e.g. `deploy.yourcompany.com`). + +## Configuration + +Whitelabel settings are managed in the Enterprise admin area (or via environment variables, depending on your deployment). + +1. Go to **Settings** → **Whitelabel** (or equivalent in your Enterprise setup). +2. Upload your **logo** (recommended: SVG or PNG, transparent background). +3. Upload your **favicon** (e.g. ICO or PNG). +4. Set **primary color** and **accent color** (hex codes). +5. If using a custom domain, configure your reverse proxy (e.g. Traefik, Nginx) and DNS to point to your Dokploy instance, and set the **base URL** in Dokploy to match. + +## Custom domain + +1. Create a CNAME (or A) record pointing your domain to the server or load balancer where Dokploy runs. +2. Configure TLS (e.g. Let's Encrypt) on your reverse proxy for that hostname. +3. In Dokploy, set the **Application URL** (or equivalent) to `https://your-domain.com`. +4. Restart or reload Dokploy so it uses the new base URL for redirects and links. + +## Best practices + +- Use high-resolution logos (e.g. 2x) for sharp display on retina screens. +- Keep primary and accent colors accessible (sufficient contrast for text and buttons). +- Test login and main flows after changing logo and colors to ensure nothing is broken or hard to read. + +For help enabling or configuring whitelabeling, [contact us](https://dokploy.com/contact). diff --git a/apps/docs/content/docs/core/meta.json b/apps/docs/content/docs/core/meta.json index e38c9178..14a6fa6d 100644 --- a/apps/docs/content/docs/core/meta.json +++ b/apps/docs/content/docs/core/meta.json 
@@ -48,11 +48,17 @@ "remote-servers/deployments", "remote-servers/security", "remote-servers/validate", + "---Advanced---", + "cluster", + "---Enterprise---", + "enterprise/index", + "enterprise/license-keys", + "enterprise/sso", + "enterprise/whitelabeling", + "enterprise/audit-logs", "---Guides---", "guides/cloudflare-tunnels", "guides/tailscale", - "guides/ec2-instructions", - "---Advanced---", - "cluster" + "guides/ec2-instructions" ] } From d1f4f11a2391257ee62e5e05e5dfc5c5ade44b61 Mon Sep 17 00:00:00 2001 From: Mauricio Siu Date: Sat, 31 Jan 2026 18:31:22 -0600 Subject: [PATCH 2/7] Add Okta SSO documentation and update meta.json --- .../docs/core/enterprise/sso/meta.json | 3 +- .../content/docs/core/enterprise/sso/okta.mdx | 45 +++++++++++++++++++ 2 files changed, 47 insertions(+), 1 deletion(-) create mode 100644 apps/docs/content/docs/core/enterprise/sso/okta.mdx diff --git a/apps/docs/content/docs/core/enterprise/sso/meta.json b/apps/docs/content/docs/core/enterprise/sso/meta.json index 4104d0a2..1b392982 100644 --- a/apps/docs/content/docs/core/enterprise/sso/meta.json +++ b/apps/docs/content/docs/core/enterprise/sso/meta.json @@ -2,6 +2,7 @@ "title": "SSO", "pages": [ "auth0", - "keycloak" + "keycloak", + "okta" ] } diff --git a/apps/docs/content/docs/core/enterprise/sso/okta.mdx b/apps/docs/content/docs/core/enterprise/sso/okta.mdx new file mode 100644 index 00000000..d172bf88 --- /dev/null +++ b/apps/docs/content/docs/core/enterprise/sso/okta.mdx 
@@ -0,0 +1,45 @@ +--- +title: Okta +description: Configure SSO with Okta +--- + + +## 1. Create an application in Okta + +1. Log in to the [Okta Admin Console](https://login.okta.com/) (or your Okta domain). +2. Go to **Applications** → **Applications** → **Create App Integration**. +3. Choose **OIDC - OpenID Connect** and **Web Application**, then create it. +4. Note your **Client ID** and **Client Secret** (under **General** or **Client credentials**). +5. Note your Okta **domain** (e.g. `https://your-domain.okta.com`) and, if using a custom authorization server, its **issuer** (e.g. `https://your-domain.okta.com/oauth2/default`) or go to **Security** → **API** → **Authorization Servers** and note the **Issuer** (e.g. `https://your-domain.okta.com`). + +## 2. Configure Dokploy + +1. In Dokploy, go to **Settings** (or **Organization** / **Security** in Enterprise). +2. Enable **SSO** and choose **OpenID Connect**. +3. Enter: + - **Provider**: myorg-name-okta (unique name for this provider) + - **Issuer URL**: your Okta issuer URL (e.g. `https://your-domain.okta.com` ) + - **Domain**: `your-domain.com` (your Dokploy domain) + - **Client ID**: from the Okta application + - **Client Secret**: from the Okta application + - **Scopes**: openid email profile +4. Save. + +## 3. Configure Okta + +1. In your Okta application, go to **General** (or **Sign-in** / **Assignments** as needed). +2. Set **Sign-in redirect URIs** to your Dokploy callback URL, for example: + - `https://your-dokploy-domain.com/api/auth/callback/myorg-name-okta` +3. Set **Sign-out redirect URIs** (optional) to: + - `https://your-dokploy-domain.com` +4. Under **Trusted Origins**, add your Dokploy URL as an origin (e.g. `https://your-dokploy-domain.com`) if required for CORS. +5. Save. + +## Troubleshooting + +- **Redirect URI mismatch** — Ensure the callback URL in Dokploy matches exactly what is configured in Okta (including protocol and path). Use the same **Provider** value in the path (e.g. 
`.../api/auth/callback/myorg-name-okta`). +- **Invalid client** — Double-check Client ID and Client Secret, and that the application is a Web Application with the correct grant types (e.g. Authorization Code). +- **Issuer URL** — Use the full issuer URL for your authorization server (e.g. `https://your-domain.okta.com`). +- **Scopes** — Ensure the Okta authorization server is configured to allow `openid`, and if needed `email` and `profile`. + +For help with your setup, [contact us](https://dokploy.com/contact). From 2ce0672dfec41ce77426e55ca52762a9a6e28c24 Mon Sep 17 00:00:00 2001 From: Mauricio Siu Date: Sat, 31 Jan 2026 22:49:12 -0600 Subject: [PATCH 3/7] Add Azure AD SSO documentation and update meta.json --- .../docs/core/enterprise/sso/azure.mdx | 46 +++++++++++++++++++ .../docs/core/enterprise/sso/meta.json | 1 + 2 files changed, 47 insertions(+) create mode 100644 apps/docs/content/docs/core/enterprise/sso/azure.mdx diff --git a/apps/docs/content/docs/core/enterprise/sso/azure.mdx b/apps/docs/content/docs/core/enterprise/sso/azure.mdx new file mode 100644 index 00000000..12b91247 --- /dev/null +++ b/apps/docs/content/docs/core/enterprise/sso/azure.mdx 
@@ -0,0 +1,46 @@ +--- +title: Azure AD (Microsoft Entra ID) +description: Configure SSO with Azure AD / Microsoft Entra ID +--- + + +## 1. Register an application in Azure + +1. Log in to the [Azure Portal](https://portal.azure.com/). +2. Go to **Microsoft Entra ID** (or **Azure Active Directory**) → **App registrations** → **New registration**. +3. Enter a **Name** (e.g. Dokploy), choose supported account types, and set **Redirect URI** to **Web** with a placeholder for now (e.g. `https://your-dokploy-domain.com/api/auth/callback/myorg-name-azure`). +4. Register and note the **Application (client) ID** and **Directory (tenant) ID**. +5. Go to **Certificates & secrets** → **New client secret**, create a secret and note its **Value** (you won’t see it again). +6. The **Issuer URL** for OpenID Connect is: `https://login.microsoftonline.com/{tenant-id}/v2.0` (replace `{tenant-id}` with your Directory (tenant) ID). Some setups expect a trailing slash. + +## 2. Configure Dokploy + +1. In Dokploy, go to **Settings** (or **Organization** / **Security** in Enterprise). +2. Enable **SSO** and choose **OpenID Connect**. +3. Enter: + - **Provider**: myorg-name-azure (unique name for this provider) + - **Issuer URL**: `https://login.microsoftonline.com/YOUR_TENANT_ID/v2.0` (use your Directory (tenant) ID; add a trailing slash if required for discovery) + - **Domain**: `your-domain.com` + - **Client ID**: the Application (client) ID from Azure + - **Client Secret**: the client secret value from Certificates & secrets + - **Scopes**: openid email profile +4. Save. + +## 3. Configure Azure + +1. In your app registration, go to **Authentication**. +2. Under **Web** → **Redirect URIs**, add: + - `https://your-dokploy-domain.com/api/auth/callback/myorg-name-azure` +3. Under **Front-channel logout URL** (optional), you can set: + - `https://your-dokploy-domain.com` +4. 
Go to **Token Configuration** and add optional claim, select **email**, **preferred_username** and **upn** from the list of claims. +5. Save. + +## Troubleshooting + +- **Redirect URI mismatch** — Ensure the callback URL in Dokploy matches exactly what is configured in Azure (including protocol and path). Use the same **Provider** value in the path (e.g. `.../api/auth/callback/myorg-name-azure`). +- **Invalid client** — Double-check Application (client) ID and client secret. Confirm the secret has not expired under **Certificates & secrets**. +- **Tenant** — Use the correct Directory (tenant) ID in the Issuer URL. For multi-tenant apps, you may use `common` instead of the tenant ID (e.g. `https://login.microsoftonline.com/common/v2.0`). +- **Scopes** — Ensure the app registration has the right API permissions (e.g. **OpenID permissions**, **User.Read**) if required for `openid`, `email`, and `profile`. + +For help with your setup, [contact us](https://dokploy.com/contact). diff --git a/apps/docs/content/docs/core/enterprise/sso/meta.json b/apps/docs/content/docs/core/enterprise/sso/meta.json index 1b392982..2a9074d0 100644 --- a/apps/docs/content/docs/core/enterprise/sso/meta.json +++ b/apps/docs/content/docs/core/enterprise/sso/meta.json @@ -2,6 +2,7 @@ "title": "SSO", "pages": [ "auth0", + "azure", "keycloak", "okta" ] From 5a7a9d15645795f13c8570a80073c7837e099bb9 Mon Sep 17 00:00:00 2001 From: Mauricio Siu Date: Sat, 31 Jan 2026 22:51:49 -0600 Subject: [PATCH 4/7] Update SSO documentation to include Azure AD and Okta, and clarify usage of other OIDC/SAML providers --- apps/docs/content/docs/core/enterprise/sso/index.mdx | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/apps/docs/content/docs/core/enterprise/sso/index.mdx b/apps/docs/content/docs/core/enterprise/sso/index.mdx index 99c12f0d..45a52214 100644 --- a/apps/docs/content/docs/core/enterprise/sso/index.mdx +++ b/apps/docs/content/docs/core/enterprise/sso/index.mdx 
@@ -3,13 +3,15 @@ title: Single Sign-On (SSO) description: Configure SSO with Auth0, Keycloak, or other OIDC/SAML providers --- -# Single Sign-On (SSO) - Enterprise supports Single Sign-On via OpenID Connect (OIDC) and SAML. You can use Auth0, Keycloak, or any compatible identity provider. Choose a provider below for step-by-step configuration: - **[Auth0](/docs/core/enterprise/sso/auth0)** — Cloud identity platform +- **[Azure AD (Microsoft Entra ID)](/docs/core/enterprise/sso/azure)** — Microsoft's cloud identity platform +- **[Okta](/docs/core/enterprise/sso/okta)** — Cloud identity platform - **[Keycloak](/docs/core/enterprise/sso/keycloak)** — Open-source identity and access management +You can also use any other OIDC/SAML provider by configuring the endpoints and flow manually. + For other OIDC/SAML providers, use the same endpoints and flow; [contact us](https://dokploy.com/contact) if you need help. From ab1c76987da5f8f55240951a8c476c9a0c8c7e58 Mon Sep 17 00:00:00 2001 From: Mauricio Siu Date: Sun, 1 Feb 2026 19:07:16 -0600 Subject: [PATCH 5/7] Update SSO documentation for Auth0, Azure AD, Keycloak, and Okta to clarify domain usage and enhance troubleshooting sections for OIDC and SAML configurations. --- .../docs/core/enterprise/sso/auth0.mdx | 2 +- .../docs/core/enterprise/sso/azure.mdx | 48 +++++++++++++++++-- .../docs/core/enterprise/sso/keycloak.mdx | 2 +- .../content/docs/core/enterprise/sso/okta.mdx | 43 +++++++++++++++-- 4 files changed, 86 insertions(+), 9 deletions(-) diff --git a/apps/docs/content/docs/core/enterprise/sso/auth0.mdx b/apps/docs/content/docs/core/enterprise/sso/auth0.mdx index b9078cf4..d8ff2d1e 100644 --- a/apps/docs/content/docs/core/enterprise/sso/auth0.mdx +++ b/apps/docs/content/docs/core/enterprise/sso/auth0.mdx 
@@ -18,7 +18,7 @@ description: Configure SSO with Auth0 3. Enter: - **Provider**: myorg-name-auth0 (Unique) - **Issuer URL**: `https://YOUR_AUTH0_DOMAIN/` (Make sure add the trailing slash) - - **Domain**: `your-domain.com` (Your domain) + - **Domain**: the domain users use to authenticate via Auth0 (e.g. your organization domain like `acme.com`), not the Dokploy instance URL - **Client ID**: from Auth0 application - **Client Secret**: from Auth0 application - **Scopes**: openid email profile diff --git a/apps/docs/content/docs/core/enterprise/sso/azure.mdx b/apps/docs/content/docs/core/enterprise/sso/azure.mdx index 12b91247..de7df413 100644 --- a/apps/docs/content/docs/core/enterprise/sso/azure.mdx +++ b/apps/docs/content/docs/core/enterprise/sso/azure.mdx @@ -1,8 +1,10 @@ --- title: Azure AD (Microsoft Entra ID) -description: Configure SSO with Azure AD / Microsoft Entra ID +description: Configure SSO with Azure AD / Microsoft Entra ID (OIDC or SAML) --- + + ## 1. Register an application in Azure @@ -20,7 +22,7 @@ description: Configure SSO with Azure AD / Microsoft Entra ID 3. Enter: - **Provider**: myorg-name-azure (unique name for this provider) - **Issuer URL**: `https://login.microsoftonline.com/YOUR_TENANT_ID/v2.0` (use your Directory (tenant) ID; add a trailing slash if required for discovery) - - **Domain**: `your-domain.com` + - **Domain**: the domain users use to authenticate via Azure AD (e.g. your organization domain like `acme.com`), not the Dokploy instance URL - **Client ID**: the Application (client) ID from Azure - **Client Secret**: the client secret value from Certificates & secrets - **Scopes**: openid email profile 
@@ -36,11 +38,51 @@ description: Configure SSO with Azure AD / Microsoft Entra ID 4. Go to **Token Configuration** and add optional claim, select **email**, **preferred_username** and **upn** from the list of claims. 5. Save. -## Troubleshooting +## Troubleshooting (OIDC) - **Redirect URI mismatch** — Ensure the callback URL in Dokploy matches exactly what is configured in Azure (including protocol and path). Use the same **Provider** value in the path (e.g. `.../api/auth/callback/myorg-name-azure`). - **Invalid client** — Double-check Application (client) ID and client secret. Confirm the secret has not expired under **Certificates & secrets**. - **Tenant** — Use the correct Directory (tenant) ID in the Issuer URL. For multi-tenant apps, you may use `common` instead of the tenant ID (e.g. `https://login.microsoftonline.com/common/v2.0`). - **Scopes** — Ensure the app registration has the right API permissions (e.g. **OpenID permissions**, **User.Read**) if required for `openid`, `email`, and `profile`. + + + +## 1. Create an Enterprise Application (SAML) in Azure + +1. Log in to the [Azure Portal](https://portal.azure.com/). +2. Go to **Microsoft Entra ID** → **Enterprise applications** → **New application** → **Create your own application** (or **Non-gallery application**). +3. Enter a **Name** (e.g. Dokploy) and create. +4. Go to **Single sign-on** → **SAML**. +5. Note the **Identifier (Entity ID)** and **Login URL** (SSO URL). Under **SAML Certificates**, download or copy the **Certificate (Base64)** (x509) and download the **Federation Metadata XML** file. + +## 2. Configure Dokploy + +1. In Dokploy, go to **Settings** (or **Organization** / **Security** in Enterprise). +2. Enable **SSO** and choose **SAML**. +3. Enter: + - **Provider**: myorg-name-azure-saml (unique name for this provider) + - **Entity ID**: the Azure SAML Entity ID (Identifier) from the Enterprise application (eg. `https://sts.windows.net/YOUR_TENANT_ID/`). 
+ - **SSO URL**: the Azure Login URL (Single Sign-On URL) (eg. `https://login.microsoftonline.com/YOUR_TENANT_ID/saml2`) + - **Certificate**: the IdP signing certificate (x509 Base64) from Azure + - **Federation Metadata XML**: the Federation Metadata XML file from Azure + - **Domain**: the domain users use to authenticate via Azure AD (e.g. your organization domain like `acme.com`), not the Dokploy instance URL +4. Save. + +## 3. Configure Azure (SAML) + +1. In your Enterprise application, go to **Single sign-on** → **SAML**. +2. Under **Basic SAML Configuration**, set **Identifier (Entity ID)** if required (SP Entity ID from Dokploy) (eg. `https://your-dokploy-instance.com`). +3. Set **Reply URL (Assertion Consumer Service URL)** to your Dokploy SAML ACS URL (eg. `https://your-dokploy-instance.com/api/auth/sso/saml2/callback/myorg-name-azure-saml`). +3. Save. + +## Troubleshooting (SAML) + +- **ACS URL mismatch** — Ensure the Reply URL (ACS) in Azure matches exactly what Dokploy provides (including protocol and path). +- **Certificate** — Use the Certificate (Base64) from Azure; paste as-is or convert to PEM if Dokploy expects PEM. +- **Entity ID** — The Entity ID in Dokploy must match the Identifier (Entity ID) of the Azure Enterprise application. + + + + For help with your setup, [contact us](https://dokploy.com/contact). diff --git a/apps/docs/content/docs/core/enterprise/sso/keycloak.mdx b/apps/docs/content/docs/core/enterprise/sso/keycloak.mdx index 20b76d2a..bb400532 100644 --- a/apps/docs/content/docs/core/enterprise/sso/keycloak.mdx +++ b/apps/docs/content/docs/core/enterprise/sso/keycloak.mdx 
@@ -21,7 +21,7 @@ description: Configure SSO with Keycloak 3. Enter: - **Provider**: my-client-id (Unique) - **Issuer URL**: your Keycloak realm URL (e.g. `https://keycloak.example.com/realms/your-realm`) - - **Domain**: `your-domain.com` + - **Domain**: the domain users use to authenticate via Keycloak (e.g. your organization domain like `acme.com`), not the Dokploy instance URL - **Client ID**: my-client-id - **Client Secret**: the secret from the Keycloak client Credentials tab - **Scopes**: openid email profile diff --git a/apps/docs/content/docs/core/enterprise/sso/okta.mdx b/apps/docs/content/docs/core/enterprise/sso/okta.mdx index d172bf88..517eb8a3 100644 --- a/apps/docs/content/docs/core/enterprise/sso/okta.mdx +++ b/apps/docs/content/docs/core/enterprise/sso/okta.mdx @@ -1,8 +1,10 @@ --- title: Okta -description: Configure SSO with Okta +description: Configure SSO with Okta (OIDC or SAML) --- + + ## 1. Create an application in Okta @@ -18,8 +20,8 @@ description: Configure SSO with Okta 2. Enable **SSO** and choose **OpenID Connect**. 3. Enter: - **Provider**: myorg-name-okta (unique name for this provider) - - **Issuer URL**: your Okta issuer URL (e.g. `https://your-domain.okta.com` ) - - **Domain**: `your-domain.com` (your Dokploy domain) + - **Issuer URL**: your Okta issuer URL (e.g. `https://your-domain.okta.com`) + - **Domain**: the domain users use to authenticate via Okta (e.g. your organization domain like `acme.com`), not the Dokploy instance URL - **Client ID**: from the Okta application - **Client Secret**: from the Okta application - **Scopes**: openid email profile 
@@ -35,11 +37,44 @@ description: Configure SSO with Okta 4. Under **Trusted Origins**, add your Dokploy URL as an origin (e.g. `https://your-dokploy-domain.com`) if required for CORS. 5. Save. -## Troubleshooting +## Troubleshooting (OIDC) - **Redirect URI mismatch** — Ensure the callback URL in Dokploy matches exactly what is configured in Okta (including protocol and path). Use the same **Provider** value in the path (e.g. `.../api/auth/callback/myorg-name-okta`). - **Invalid client** — Double-check Client ID and Client Secret, and that the application is a Web Application with the correct grant types (e.g. Authorization Code). - **Issuer URL** — Use the full issuer URL for your authorization server (e.g. `https://your-domain.okta.com`). - **Scopes** — Ensure the Okta authorization server is configured to allow `openid`, and if needed `email` and `profile`. + + + +## 1. Create a SAML application in Okta + +1. Log in to the [Okta Admin Console](https://login.okta.com/) (or your Okta domain). +2. Go to **Applications** → **Applications** → **Create App Integration**. +3. Choose **SAML 2.0** and create it. +4. Enter an **App name** (e.g. Dokploy). Under **Configure SAML**, in the Single sign-on URL field, set the SAML ACS URL (eg. `https://your-dokploy-instance.com/api/auth/sso/saml2/callback/myorg-name-okta-saml`) and in the Audience URI (SP Entity ID) field, set the SP Entity ID (eg. `https://your-dokploy-instance.com`). +5. Next & Save. + +## 2. Configure Dokploy + +1. In Dokploy, go to **Settings** (or **Organization** / **Security** in Enterprise). +2. Enable **SSO** and choose **SAML**. +3. Enter: + - **Provider**: myorg-name-okta-saml (unique name for this provider) + - **Entity ID**: the Okta Identity Provider issuer (Entity ID) located in `Sign On` tab called `Issuer` (eg. `http://www.okta.com/exkzq3acyuEtIuNrW697`) + - **SSO URL**: the Okta Identity Provider single sign-on URL located in `Sign On` tab called `Single sign-on URL` (eg. 
`https://trial-2804699.okta.com/app/trial-2802699_something/exkzqi3cyuEtIuNrW697/sso/saml`) + - **Certificate**: go to `Signing Certificate` tab and download the certificate active (x509) and paste it in the `Certificate` field. + - **Federation Metadata XML**: copy the idp metadata XML from the certificate active and paste it in the `Metadata XML` field. + - **Domain**: the domain users use to authenticate via Okta (e.g. your organization domain like `acme.com`), not the Dokploy instance URL +4. Save. + +## Troubleshooting (SAML) + +- **ACS URL mismatch** — Ensure the Single sign-on URL (ACS) in Okta matches exactly what Dokploy provides (including protocol and path). +- **Certificate** — Use the x509 certificate from Okta’s IdP metadata (PEM or Base64); ensure it is the one used to sign assertions. +- **Entity ID** — The Entity ID in Dokploy must match the Identity Provider issuer in Okta. + + + + For help with your setup, [contact us](https://dokploy.com/contact). From 6fa1fb6405739ece395f1d8d004dfc97ed7f727a Mon Sep 17 00:00:00 2001 From: Mauricio Siu Date: Sun, 1 Feb 2026 19:50:00 -0600 Subject: [PATCH 6/7] Enhance SSO documentation for Auth0 by adding SAML configuration details and troubleshooting sections. Update Azure and Okta documentation to replace 'Entity ID' with 'Issuer URL' for clarity. This improves user guidance for SSO setup across multiple providers. --- .../docs/core/enterprise/sso/auth0.mdx | 67 ++++++++++++++++++- .../docs/core/enterprise/sso/azure.mdx | 2 +- .../content/docs/core/enterprise/sso/okta.mdx | 2 +- 3 files changed, 67 insertions(+), 4 deletions(-) diff --git a/apps/docs/content/docs/core/enterprise/sso/auth0.mdx b/apps/docs/content/docs/core/enterprise/sso/auth0.mdx index d8ff2d1e..567693f2 100644 --- a/apps/docs/content/docs/core/enterprise/sso/auth0.mdx +++ b/apps/docs/content/docs/core/enterprise/sso/auth0.mdx 
@@ -1,8 +1,10 @@ --- title: Auth0 -description: Configure SSO with Auth0 +description: Configure SSO with Auth0 (OIDC or SAML) --- + + ## 1. Create an application in Auth0 
@@ -35,10 +37,71 @@ description: Configure SSO with Auth0 - `https://your-dokploy-domain.com` 5. Save changes. -## Troubleshooting +## Troubleshooting (OIDC) - **Redirect URI mismatch** — Ensure the callback URL in Dokploy matches exactly what is configured in Auth0 (including protocol and path). - **Invalid client** — Double-check Client ID and Client Secret, and that the application is a web application. - **Scopes** — Ensure Auth0 is configured to return `openid` and, if required, `email` and `profile`. + + + +## 1. Create a SAML application in Auth0 + +1. Log in to the [Auth0 Dashboard](https://manage.auth0.com/). +2. Go to **Applications** → **Applications** → **Create Application**. +3. Choose **Regular Web Application** and create it. +4. In the application, go to **Add Ons** → enable **SAML 2 Web App** and configure it, in the settings specify this callback URL: `https://your-dokploy-domain.com/api/auth/sso/saml2/callback/myorg-name-auth0-saml`. +5. Next & Save. + +## 2. Configure Dokploy + +1. In Dokploy, go to **Settings** (or **Organization** / **Security** in Enterprise). +2. Enable **SSO** and choose **SAML**. +3. Enter: + - **Provider**: myorg-name-auth0-saml (unique name for this provider) + - **Issuer URL**: the Auth0 SAML Entity ID / Issuer located in `Add Ons` tab called `SAML 2 Web App` called `Entity ID` (e.g. `urn:auth0:your-tenant:your-app`) + - **SSO URL**: the Auth0 SAML Single Sign-On URL located in `Add Ons` tab called `SAML 2 Web App` called `Single Sign-On URL` (e.g. `https://dev-ladsadb.us.auth0.com/samlp/wgJe9bWmwhVnuAC7eNtyUsiou4b6wxuf`) + - **Certificate**: download the certificate active (x509) from the `Add Ons` tab called `SAML 2 Web App` called `Identity Provider Certificate` and paste it in the `Certificate` field. + - **Federation Metadata XML**: copy the Identity Provider Metadata XML from the certificate active and paste it in the `Metadata XML` field. + - **Domain**: the domain users use to authenticate via Auth0 (e.g. 
your organization domain like `acme.com`), not the Dokploy instance URL +4. Save. + +## 3. Configure Auth0 (SAML) + +1. In your Auth0 SAML application, set the **Application Callback URL** (ACS URL) to your Dokploy SAML ACS URL, for example: + - `https://your-dokploy-domain.com/api/auth/sso/saml2/callback/myorg-name-auth0-saml` +2. In the **SAML 2 Web App** add-on, open **Settings** and paste the following JSON in the **Settings** (Application Settings) field. Replace `https://your-dokploy-domain.com` with your Dokploy base URL and `myorg-name-auth0-saml` with the **exact same provider name** you entered in Dokploy in step 2 (the callback URL path must match), so Dokploy can read email, display name, and other attributes: + +```json +{ + "audience": "https://your-dokploy-domain.com/saml/metadata", + "recipient": "https://your-dokploy-domain.com/api/auth/sso/saml2/callback/myorg-name-auth0-saml", + "destination": "https://your-dokploy-domain.com/api/auth/sso/saml2/callback/myorg-name-auth0-saml", + "signResponse": true, + "signAssertion": true, + "nameIdentifierFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", + "nameIdentifierProbes": [ + "email" + ], + "mappings": { + "email": "email", + "displayName": "name", + "givenName": "given_name", + "surname": "family_name" + } +} +``` + +4. Save. + +## Troubleshooting (SAML) + +- **ACS URL mismatch** — Ensure the callback/ACS URL in Auth0 matches exactly what Dokploy provides (including protocol and path). +- **Certificate** — Use the full x509 certificate from Auth0 (PEM format); ensure no extra spaces or line breaks. +- **Entity ID** — The Entity ID in Dokploy must match the Issuer/Entity ID configured in Auth0. + + + + For help with your setup, [contact us](https://dokploy.com/contact). diff --git a/apps/docs/content/docs/core/enterprise/sso/azure.mdx b/apps/docs/content/docs/core/enterprise/sso/azure.mdx index de7df413..7f9175ee 100644 --- a/apps/docs/content/docs/core/enterprise/sso/azure.mdx 
+++ b/apps/docs/content/docs/core/enterprise/sso/azure.mdx @@ -62,7 +62,7 @@ description: Configure SSO with Azure AD / Microsoft Entra ID (OIDC or SAML) 2. Enable **SSO** and choose **SAML**. 3. Enter: - **Provider**: myorg-name-azure-saml (unique name for this provider) - - **Entity ID**: the Azure SAML Entity ID (Identifier) from the Enterprise application (eg. `https://sts.windows.net/YOUR_TENANT_ID/`). + - **Issuer URL**: the Azure SAML Entity ID (Identifier) from the Enterprise application (eg. `https://sts.windows.net/YOUR_TENANT_ID/`). - **SSO URL**: the Azure Login URL (Single Sign-On URL) (eg. `https://login.microsoftonline.com/YOUR_TENANT_ID/saml2`) - **Certificate**: the IdP signing certificate (x509 Base64) from Azure - **Federation Metadata XML**: the Federation Metadata XML file from Azure diff --git a/apps/docs/content/docs/core/enterprise/sso/okta.mdx b/apps/docs/content/docs/core/enterprise/sso/okta.mdx index 517eb8a3..94f90681 100644 --- a/apps/docs/content/docs/core/enterprise/sso/okta.mdx +++ b/apps/docs/content/docs/core/enterprise/sso/okta.mdx 
@@ -61,7 +61,7 @@ description: Configure SSO with Okta (OIDC or SAML) 2. Enable **SSO** and choose **SAML**. 3. Enter: - **Provider**: myorg-name-okta-saml (unique name for this provider) - - **Entity ID**: the Okta Identity Provider issuer (Entity ID) located in `Sign On` tab called `Issuer` (eg. `http://www.okta.com/exkzq3acyuEtIuNrW697`) + - **Issuer URL**: the Okta Identity Provider issuer (Entity ID) located in `Sign On` tab called `Issuer` (eg. `http://www.okta.com/exkzq3acyuEtIuNrW697`) - **SSO URL**: the Okta Identity Provider single sign-on URL located in `Sign On` tab called `Single sign-on URL` (eg. `https://trial-2804699.okta.com/app/trial-2802699_something/exkzqi3cyuEtIuNrW697/sso/saml`) - **Certificate**: go to `Signing Certificate` tab and download the certificate active (x509) and paste it in the `Certificate` field. - **Federation Metadata XML**: copy the idp metadata XML from the certificate active and paste it in the `Metadata XML` field. From 3e108f168e2456a63fe586c23bf54a41f8d7a647 Mon Sep 17 00:00:00 2001 
From: Mauricio Siu Date: Tue, 10 Feb 2026 02:23:58 -0600 Subject: [PATCH 7/7] Add documentation for Audit Logs and Whitelabeling features - Introduced new files detailing the Audit Logs and Whitelabeling features for Enterprise users. - The Audit Logs section outlines logged events, access methods, retention policies, and compliance support. - The Whitelabeling section describes customization options, configuration steps, and best practices for branding the application. - These additions enhance the documentation by providing comprehensive guidance on key Enterprise functionalities. --- .../docs/core/enterprise/{audit-logs.mdx => audit-logs.txt} | 0 apps/docs/content/docs/core/enterprise/index.mdx | 4 ++-- .../core/enterprise/{whitelabeling.mdx => whitelabeling.txt} | 0 3 files changed, 2 insertions(+), 2 deletions(-) rename apps/docs/content/docs/core/enterprise/{audit-logs.mdx => audit-logs.txt} (100%) rename apps/docs/content/docs/core/enterprise/{whitelabeling.mdx => whitelabeling.txt} (100%) diff --git a/apps/docs/content/docs/core/enterprise/audit-logs.mdx b/apps/docs/content/docs/core/enterprise/audit-logs.txt similarity index 100% rename from apps/docs/content/docs/core/enterprise/audit-logs.mdx rename to apps/docs/content/docs/core/enterprise/audit-logs.txt diff --git a/apps/docs/content/docs/core/enterprise/index.mdx b/apps/docs/content/docs/core/enterprise/index.mdx index dea8d396..5dc94cef 100644 --- a/apps/docs/content/docs/core/enterprise/index.mdx +++ b/apps/docs/content/docs/core/enterprise/index.mdx 
@@ -7,8 +7,8 @@ description: Enterprise features for SSO, whitelabeling, and audit logs ## What's included - **Single Sign-On (SSO)** — Integrate with Auth0, Keycloak, or other OIDC/SAML providers. -- **Whitelabeling** — Rebrand the UI with your logo, colors, and domain (self-hosted only). -- **Audit logs** — Track user actions and changes for compliance and security. +{/* - **Whitelabeling** — Rebrand the UI with your logo, colors, and domain (self-hosted only) (). */} +{/* - **Audit logs** — Track user actions and changes for compliance and security. */} More Enterprise features are on the way. [Contact us](https://dokploy.com/contact) if you want early access or have specific requirements. diff --git a/apps/docs/content/docs/core/enterprise/whitelabeling.mdx b/apps/docs/content/docs/core/enterprise/whitelabeling.txt similarity index 100% rename from apps/docs/content/docs/core/enterprise/whitelabeling.mdx rename to apps/docs/content/docs/core/enterprise/whitelabeling.txt
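Review bot: In the keycloak.mdx hunk (`@@ -21,7 +21,7`), the new **Domain** wording "the domain users use to authenticate via Keycloak" can still be read as the Keycloak hostname, because the Issuer URL example directly above it is `https://keycloak.example.com/realms/your-realm`. If this field is matched against the user's email domain, say that explicitly, for example "the email domain of the users who sign in through this provider (e.g. `acme.com`)". The Okta OIDC hunk (`@@ -18,8 +20,8`) adds the identical sentence and would need the same change.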
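Review bot: In the okta.mdx SAML hunk (`@@ -35,11 +37,44`), the example values under "2. Configure Dokploy" look like they were copied from a live trial tenant and they disagree with each other: the Entity ID example ends in `exkzq3acyuEtIuNrW697`, while the SSO URL example uses `trial-2804699`, `trial-2802699_something` and `exkzqi3cyuEtIuNrW697`. Replace them with obvious placeholders such as `http://www.okta.com/YOUR_APP_ID` and `https://YOUR_OKTA_DOMAIN/app/YOUR_APP_NAME/YOUR_APP_ID/sso/saml`, so that tenant identifiers are not published and a reader can see that the same application ID appears in both. Two smaller points in the same hunk: step 4 uses the host `your-dokploy-instance.com` while the Trusted Origins context line uses `your-dokploy-domain.com`, and the **Federation Metadata XML** bullet says to copy the metadata "from the certificate active" without naming the Okta screen or link that provides it.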
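Review bot: In the auth0.mdx SAML hunk (`@@ -35,10 +37,71`), the JSON sets `"audience": "https://your-dokploy-domain.com/saml/metadata"`, while the Okta SAML page added earlier in this series tells the reader to use the bare base URL (`https://your-dokploy-instance.com`) as the SP Entity ID. The audience is what the service provider compares against its own entity ID, so the docs should state which value Dokploy expects and use it consistently on both pages; otherwise one of the two setups is documented with an audience the service provider will not accept. Other points in this hunk: the numbered list under "3. Configure Auth0 (SAML)" goes 1, 2, 4; the troubleshooting bullet refers to "The Entity ID in Dokploy" although the field is introduced above as **Issuer URL**; the SSO URL example (`https://dev-ladsadb.us.auth0.com/samlp/...`) reads like a real tenant and client ID and would be better as a placeholder; and the callback URL is given both in section 1 step 4 and in section 3 step 1, so one of them can point at the other.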
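Review bot: In the okta.mdx hunk of patch 6 (`@@ -61,7 +61,7`), the field is renamed from **Entity ID** to **Issuer URL**, but the diffstat shows this is the only line changed in the file, so the "Troubleshooting (SAML)" bullet added in the previous patch ("**Entity ID** — The Entity ID in Dokploy must match the Identity Provider issuer in Okta.") still uses the old label. Rename that bullet to **Issuer URL** in the same commit so the troubleshooting section matches the form. The azure.mdx hunk (`@@ -62,7 +62,7`) makes the same rename, and its troubleshooting section needs the same check.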
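Review bot: In the index.mdx hunk of patch 7 (`@@ -7,8 +7,8`), the change comments out the Whitelabeling and Audit logs bullets and the patch renames both pages from `.mdx` to `.txt`, yet the commit subject says "Add documentation for Audit Logs and Whitelabeling features". Reword the commit message to say the pages are being hidden. The front-matter description visible in the hunk header ("Enterprise features for SSO, whitelabeling, and audit logs") still advertises both features and should be trimmed to match. The commented Whitelabeling line also ends with a stray `()` before the period, which looks like a leftover from an edited link. Since patch 1 of the series registered these pages in the navigation `meta.json` files and this patch does not touch them, confirm the renamed pages do not leave dangling navigation entries.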