OIDC / SSO Setup
O.D.I.N. supports Single Sign-On via OpenID Connect (OIDC). When SSO is configured, users can log in with their existing identity provider account. New users can be auto-provisioned on first login.
OIDC / SSO requires an Enterprise license.
Supported Providers
| Provider | Discovery URL Format | Notes |
|---|---|---|
| Keycloak | https://keycloak.example.com/realms/{realm} | Self-hosted, most common for on-premise installs |
| Authentik | https://auth.example.com/application/o/{slug}/ | Self-hosted, excellent for home labs |
| Google Workspace | https://accounts.google.com | Requires Google Cloud project + OAuth consent screen |
| Microsoft Entra ID | https://login.microsoftonline.com/{tenant-id}/v2.0 | Formerly Azure AD; supported since v1.3.67 |
| Generic OIDC | Any compliant discovery URL | Works with any provider exposing a .well-known/openid-configuration endpoint |
General Setup Steps
Step 1: Create an Application in Your IdP
- In your identity provider, create a new OAuth 2.0 / OIDC application
- Set the Redirect URI to: `https://your-odin-host/api/auth/oidc/callback`
- Note the Client ID, Client Secret, and Discovery URL
- Set the scopes: `openid profile email`
Step 2: Configure O.D.I.N.
Navigate to Settings → Access → SSO / OIDC (admin only).
| Field | Description |
|---|---|
| Display Name | Label shown on the SSO button on the login page (e.g., "Log in with Keycloak") |
| Client ID | From your IdP application |
| Client Secret | From your IdP application (encrypted at rest) |
| Discovery URL | The IdP's OIDC discovery endpoint |
| Scopes | Space-separated scopes (default: openid profile email) |
| Auto-Create Users | If enabled, users logging in for the first time are auto-provisioned |
| Default Role | Role assigned to auto-created users (viewer, operator, admin) |
| Enabled | Toggle SSO on/off |
Step 3: Test the Login Flow
- Open a private/incognito browser window
- Go to the O.D.I.N. login page
- Click the SSO button (displayed with the Display Name you set)
- Complete authentication in your IdP
- Verify you are redirected back and logged in
O.D.I.N. Configuration Fields Reference
The OIDC configuration is stored in the oidc_config table:
| DB Column | Field | Description |
|---|---|---|
| display_name | Display Name | SSO button label on login page |
| client_id | Client ID | OAuth client identifier |
| client_secret_encrypted | Client Secret | Fernet-encrypted client secret |
| discovery_url | Discovery URL | OIDC well-known configuration URL |
| scopes | Scopes | OAuth scopes requested |
| auto_create_users | Auto-Create Users | Provision new users on first login |
| default_role | Default Role | Role for auto-created users |
| is_enabled | Enabled | Toggle SSO availability |
Reverse Proxy and Redirect URI
OIDC_REDIRECT_URI When Behind a Reverse Proxy
When O.D.I.N. is accessed through a reverse proxy (nginx, Caddy, Traefik), the auto-detected redirect URI may resolve to an internal address (e.g., http://172.17.0.1/api/auth/oidc/callback) instead of your public domain. The IdP then rejects or mis-routes the callback and the login fails.
Set the OIDC_REDIRECT_URI environment variable to pin the redirect URI explicitly:
```yaml
# docker-compose.yml
environment:
  OIDC_REDIRECT_URI: https://odin.example.com/api/auth/oidc/callback
```
With the value pinned, the callback URL is no longer derived from the incoming Host header, so a spoofed Host header cannot alter it (Host-header injection), and it always matches the redirect URI you registered in the IdP. (Introduced in v1.3.67)
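The following pre-flight script is an added example, not part of O.D.I.N. or its documentation. It checks the three things this page asks you to get right before testing the login flow: that the Discovery URL from the Supported Providers table resolves to usable metadata (Authentik's trailing slash included), that the metadata's issuer matches the URL it was fetched under, and that the redirect URI is the public https callback rather than an internal address like the 172.17.0.1 case above. The Keycloak-shaped metadata is constructed inline so the script runs offline; in practice you would fetch `well_known_url(...)` over HTTPS.

```python
import ipaddress
import json
from urllib.parse import urlparse

CALLBACK_PATH = "/api/auth/oidc/callback"
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")

# Constructed sample metadata shaped like a Keycloak realm's (not fetched from a real IdP)
SAMPLE_ISSUER = "https://keycloak.example.com/realms/odin"
SAMPLE_DISCOVERY_JSON = json.dumps({
    "issuer": SAMPLE_ISSUER,
    "authorization_endpoint": SAMPLE_ISSUER + "/protocol/openid-connect/auth",
    "token_endpoint": SAMPLE_ISSUER + "/protocol/openid-connect/token",
    "jwks_uri": SAMPLE_ISSUER + "/protocol/openid-connect/certs",
    "response_types_supported": ["code", "id_token"],
})

def well_known_url(discovery_url: str) -> str:
    """Metadata location; tolerate the trailing slash Authentik discovery URLs carry."""
    return discovery_url.rstrip("/") + "/.well-known/openid-configuration"

def check_discovery_document(discovery_url: str, doc_json: str) -> list[str]:
    """Return problems found in fetched metadata (empty list means it looks usable)."""
    doc = json.loads(doc_json)
    problems = [f"missing {k}" for k in REQUIRED_ENDPOINTS if k not in doc]
    # OIDC Discovery requires the issuer to equal the URL the document was fetched under
    if doc.get("issuer", "").rstrip("/") != discovery_url.rstrip("/"):
        problems.append("issuer does not match discovery URL")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow not advertised")
    return problems

def check_redirect_uri(redirect_uri: str, public_host: str) -> list[str]:
    """Catch the reverse-proxy failure mode: internal address, plain http or wrong path."""
    problems = []
    u = urlparse(redirect_uri)
    host = u.hostname or ""
    if u.scheme != "https":
        problems.append("redirect URI is not https")
    try:
        if ipaddress.ip_address(host).is_private:  # e.g. the Docker bridge 172.17.0.1
            problems.append(f"redirect URI resolves to internal address {host}")
    except ValueError:
        pass  # a DNS name, not an IP literal
    if host != public_host:
        problems.append(f"host {host!r} differs from public host {public_host!r}")
    if u.path != CALLBACK_PATH:
        problems.append(f"path must be {CALLBACK_PATH}")
    return problems
```

Run `check_discovery_document(discovery_url, fetched_body)` against the real metadata and `check_redirect_uri(os.environ["OIDC_REDIRECT_URI"], "odin.example.com")` before clicking the SSO button; an empty list from each means the values are consistent with what you registered.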
Keycloak Step-by-Step
- In the Keycloak admin console, go to your realm → Clients → Create client
- Client type: OpenID Connect
- Client ID: `odin` (or any name)
- Enable Client authentication (confidential access type)
- Set Valid redirect URIs: `https://your-odin-host/api/auth/oidc/callback`
- Note the Client secret from the Credentials tab
- Discovery URL: `https://keycloak.example.com/realms/your-realm`
- Enter all values in O.D.I.N.'s OIDC settings
Authentik Step-by-Step
- In Authentik, go to Applications → Providers → Create → OAuth2/OpenID Provider
- Name: `odin`
- Authorization flow: your default authorization flow
- Redirect URIs: `https://your-odin-host/api/auth/oidc/callback`
- Copy the Client ID and Client Secret from the provider detail
- Discovery URL: `https://auth.example.com/application/o/odin/`
- Create an Application pointing to this provider
- Enter values in O.D.I.N.'s OIDC settings
Role Mapping
OIDC users are assigned the Default Role on first login. Admins can change a user's role manually after initial provisioning under Settings → Access → Users.
There is no claim-based role mapping — roles are assigned within O.D.I.N. after the user is provisioned.
See Also
- Users & Access Control — role assignment after OIDC provisioning
- MFA / Two-Factor Authentication — MFA with OIDC (OIDC users bypass O.D.I.N. MFA; configure MFA in your IdP)
- Session Management — how OIDC sessions are tracked