Set up SSO (OIDC)
One OIDC provider in front of the dashboard: Okta, Entra ID, Google, Keycloak, or anything else that speaks OpenID Connect.
1. Register the app at your IdP
- Application type: Web, authorization code flow.
- Redirect URI:
{web_protocol}://{web_hostname}/api/v2/auth/oidc/callback - Scopes:
openid email profile.
2. Configure CamelMailer
camelmailer.yml
oidc: enabled: true name: Okta # the label on the login button issuer: https://acme.okta.com identifier: client-id secret: client-secret scopes: [openid, email, profile] auto_provision: true # create users on first login allowed_email_domains: [acme.com]
Restart the web role. The login page now shows “Sign in with Okta”; the flow starts at GET /api/v2/auth/oidc/start and hands the session back to auth.frontend_url.
3. Decide provisioning
auto_provision: truemeans anyone fromallowed_email_domainsgets an account on first login. Organization membership still comes from invitations.auto_provision: falsemeans SSO signs in existing accounts only; create them via invitations first.
Testing tips
- Test in a private window, because IdP session reuse hides half the flow.
- The auth audit log (
GET /api/v2/admin/auth_events) shows every attempt with its outcome, your first stop when a login loops. - Clock skew breaks token validation: make sure the host runs NTP.
SAML and SCIM are deliberate non-goals, so OIDC is the SSO path. Password login keeps working alongside SSO, so you can't lock yourself out while iterating.
