
Single Sign-On (SSO)

Coolify supports Single Sign-On through OpenID Connect (OIDC). SSO is available in Coolify 4.2 and newer.

Tested provider

This guide currently includes Okta because it is the tested SSO provider. Other OIDC providers may work, but they are not covered here yet.

How SSO works in Coolify

Coolify acts as an OIDC client. Your identity provider authenticates the user, then redirects the browser back to Coolify with an authorization code. Coolify exchanges that code for tokens and uses the returned email address to sign the user in or create the user, depending on your settings.

Configure SSO in Coolify at:

https://<your-coolify-domain>/settings/oauth

For OpenID Connect, use this callback URL format:

https://<your-coolify-domain>/auth/oidc/callback

For example:

https://coolify.example.com/auth/oidc/callback

Okta example

Use this example when creating an Okta OIDC application for Coolify.

1. Create the Okta application

In the Okta Admin Console:

  1. Go to Applications.
  2. Click Create App Integration.
  3. Select OIDC - OpenID Connect as the sign-in method.
  4. Select Web Application as the application type.
  5. Set the app name to Coolify.
  6. Add your Coolify callback URL to Sign-in redirect URIs:
     https://coolify.example.com/auth/oidc/callback
  7. Assign the application to the users or groups that should access Coolify.
  8. Save the application.
  9. Copy the Client ID and Client Secret.

Redirect URI must match

The redirect URI configured in Okta must exactly match the redirect URI Coolify sends. If your Coolify domain changes, update both Okta and Coolify.

2. Configure Coolify

Go to Settings → Authentication in Coolify, then configure the OpenID Connect provider.

Coolify field               Example value
Enabled                     On
Client ID                   Client ID from Okta
Client Secret               Client Secret from Okta
Redirect URI                https://coolify.example.com/auth/oidc/callback
Issuer URL                  https://example.okta.com
Login Button Label          Login with Okta
Scopes                      openid email profile groups
Clock Skew (seconds)        60
Allow OIDC user creation    Enable only if Okta users may create Coolify accounts
Require verified email      Recommended: enabled
Use PKCE                    Recommended: enabled

Replace example.okta.com and coolify.example.com with your real Okta and Coolify domains.

Issuer URL

For most Okta setups, the issuer URL is your Okta domain:

https://example.okta.com

If you use a custom Okta authorization server, use that issuer instead:

https://example.okta.com/oauth2/<authorization-server-id>

Coolify uses this issuer URL to discover the OIDC authorization, token, userinfo, and JWKS endpoints.

Scopes

Use these scopes for Okta:

openid email profile groups

The openid scope is required. The email scope is required so Coolify can identify the user by email. The profile scope provides user profile fields. The groups scope is optional, but useful if your Okta authorization server is configured to include group claims.

Registration behavior

Coolify can sign in existing users through OIDC. New-user creation depends on your registration settings.

  • Enable Allow OIDC user creation if users who authenticate with Okta should be created in Coolify automatically.
  • Disable it if you want administrators to create Coolify users before they can sign in with Okta.
  • Enable Disable password registration when OAuth is enabled if you want users to register only through configured SSO providers.

Troubleshooting

Okta says the redirect URI is invalid

Check that the Okta Sign-in redirect URI exactly matches the Coolify Redirect URI:

https://coolify.example.com/auth/oidc/callback

Common mismatches include http vs https, a different domain, a trailing slash, or using /auth/okta/callback instead of /auth/oidc/callback.

Coolify says the provider is incomplete

Make sure the OpenID Connect provider has these fields filled in:

  • Client ID
  • Client Secret
  • Issuer URL
  • Redirect URI
  • Scopes including openid

Login fails because no email is returned

Make sure the Coolify scopes include email and your Okta application or authorization server returns the user's email claim.

Login fails because email is not verified

If Require verified email is enabled, Okta must return email_verified: true. Either verify the user's email in Okta or disable Require verified email in Coolify.

Login fails after a successful Okta sign-in

Check these values first:

  • The Okta issuer URL is correct.
  • The user is assigned to the Okta application.
  • The Coolify server time is accurate.
  • Clock Skew (seconds) is at least 60.
  • The Coolify URL configured in Okta uses the public URL users actually visit.
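The checks in this troubleshooting section can be applied to an ID token payload and a pair of redirect URIs before opening a support ticket. The following is an added example, not Coolify's own code; the client ID is a placeholder and the token payloads in the test are constructed samples.

```python
import time
from urllib.parse import urlsplit

# Example values from this guide. CLIENT_ID is a placeholder, not a real Okta client ID.
ISSUER = "https://example.okta.com"
CLIENT_ID = "placeholder-okta-client-id"
REDIRECT_URI = "https://coolify.example.com/auth/oidc/callback"


def check_id_token_claims(claims, issuer=ISSUER, client_id=CLIENT_ID, now=None,
                          clock_skew=60, require_verified_email=True):
    """Return the reasons a decoded ID token payload would be rejected (empty list = accepted).

    Mirrors the checks listed above: issuer match, audience, exp/iat within
    'Clock Skew (seconds)', an email claim, and email_verified when
    'Require verified email' is enabled. Signature verification is out of scope here.
    """
    now = int(time.time()) if now is None else now
    problems = []
    if claims.get("iss") != issuer:
        problems.append(f"issuer mismatch: token iss={claims.get('iss')!r}, configured={issuer!r}")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        problems.append("audience does not contain the Coolify client ID")
    # Time checks tolerate the configured skew in both directions.
    if claims.get("exp", 0) + clock_skew < now:
        problems.append("token expired (check server time and clock skew)")
    if claims.get("iat", now) - clock_skew > now:
        problems.append("token issued in the future (check server time and clock skew)")
    if not claims.get("email"):
        problems.append("no email claim returned (add the email scope)")
    elif require_verified_email and claims.get("email_verified") is not True:
        problems.append("email_verified is not true (verify in Okta or disable Require verified email)")
    return problems


def diagnose_redirect_uri(okta_uri, coolify_uri=REDIRECT_URI):
    """Explain why an Okta sign-in redirect URI does not match the Coolify redirect URI."""
    if okta_uri == coolify_uri:
        return []
    a, b = urlsplit(okta_uri), urlsplit(coolify_uri)
    reasons = []
    if a.scheme != b.scheme:
        reasons.append(f"scheme differs ({a.scheme} vs {b.scheme})")
    if a.netloc != b.netloc:
        reasons.append(f"domain differs ({a.netloc} vs {b.netloc})")
    if a.path != b.path and a.path.rstrip("/") == b.path.rstrip("/"):
        reasons.append("trailing slash differs")
    elif a.path != b.path:
        reasons.append(f"path differs ({a.path} vs {b.path}); Coolify expects /auth/oidc/callback")
    return reasons or ["URIs differ only in query string or fragment"]
```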
