SSO / OIDC

Configure Single Sign-On with OpenID Connect providers.

Overview

DBackup supports SSO authentication via OIDC (OpenID Connect):

Centralized authentication
Enterprise identity providers
Automatic user provisioning
Domain-based routing

Supported Providers

Provider	Type	Adapter
Authentik	Self-hosted	Pre-configured
Keycloak	Self-hosted	Pre-configured
PocketID	Self-hosted	Pre-configured
Generic	Any OIDC	Manual configuration

Pre-configured adapters automatically generate endpoints from a base URL or discovery.

Adding an SSO Provider

Step 1: Configure Your Identity Provider

Create an OIDC application in your identity provider:

Required settings:

Redirect URI: https://your-dbackup-url/api/auth/callback/{provider-id}
Grant type: Authorization Code
Scopes: openid, profile, email

Obtain:

Client ID
Client Secret

Step 2: Add Provider in DBackup

Go to Settings → SSO Providers
Click Add Provider
Select adapter type (Authentik, PocketID, Keycloak or Generic)
Fill in configuration
Click Test to verify
Save

Provider Configuration

Authentik

Authentik is a popular self-hosted identity provider.

Configuration:

Field	Description	Example
Name	Display name	"Corporate Login"
Base URL	Authentik instance URL	`https://auth.example.com`
Client ID	From Authentik app	`dbackup-client`
Client Secret	From Authentik app	`secret-key`

Endpoints are auto-generated:

Authorization: {baseUrl}/application/o/authorize/
Token: {baseUrl}/application/o/token/
UserInfo: {baseUrl}/application/o/userinfo/

Keycloak

Keycloak is an enterprise-grade open-source identity and access management solution.

Configuration:

Field	Description	Example
Name	Display name	"Company SSO"
Keycloak URL	Keycloak instance base URL	`https://auth.company.com`
Realm Name	Authentication realm	`master`
Client ID	From Keycloak client	`dbackup-client`
Client Secret	From Keycloak client	`secret-key`

Notes:

Endpoints discovered via OIDC Discovery (.well-known/openid-configuration)
Supports both modern (Quarkus) and legacy versions
For Keycloak < 18: Include /auth in base URL (e.g., https://auth.company.com/auth)

PocketID

PocketID is a lightweight OIDC provider.

Configuration:

Field	Description	Example
Name	Display name	"PocketID"
Base URL	PocketID instance URL	`https://pocketid.example.com`
Client ID	From PocketID	`client-id`
Client Secret	From PocketID	`secret`

Generic OIDC

For any OIDC-compliant provider (Keycloak, Okta, Azure AD, etc.).

Configuration:

Field	Description
Name	Display name
Issuer	OIDC issuer URL
Authorization URL	OAuth authorize endpoint
Token URL	OAuth token endpoint
UserInfo URL	OIDC userinfo endpoint
Client ID	Application client ID
Client Secret	Application client secret

User Flow

New Users (Auto-Provisioning)

When SSO user first logs in:

Redirect to identity provider
User authenticates
Returns to DBackup with tokens
New user account created
No permissions by default (must be assigned to group)

Existing Users (Account Linking)

If email matches existing account:

Accounts are linked
User can login via SSO or password
Permissions are preserved

Domain Mapping

Route users to specific SSO provider by email domain:

Edit SSO provider
Set Email Domain: company.com
Users with @company.com email see this provider

Multiple domains: separate with commas

company.com, subsidiary.com

When SSO providers are configured:

"Sign in with [Provider]" buttons appear
Users can choose SSO or password login
Domain-matched users may auto-redirect

Security Considerations

Token Storage

Access tokens stored in session
Refresh handled automatically
No tokens stored in database

Permissions

SSO users follow same permission model:

Assigned to groups
Inherit group permissions
No special SSO permissions

Credential Encryption

Client secrets are encrypted:

Stored encrypted in database
Uses ENCRYPTION_KEY
Never exposed in logs

Best Practices

Provider Setup

Use dedicated OAuth app for DBackup
Limit scopes to minimum needed
Set appropriate token lifetimes
Configure redirect URIs exactly

User Management

Default group for new SSO users
Regular access reviews
Disable unused providers
Document domain mappings

High Availability

Provider availability affects login
Keep password fallback for admins
Monitor SSO health

Troubleshooting

Cause: Redirect URI mismatch

Solution:

Check redirect URI in identity provider
Must exactly match: https://your-domain/api/auth/callback/{provider-id}
Include trailing slash if configured

"User Not Found" After SSO

Cause: Auto-provisioning issue

Check:

Email claim is returned
User created in database
Group assignment

Token Expired Errors

Cause: Session or refresh token expired

Solution:

Re-authenticate
Check token lifetimes in IdP
Verify clock sync

Can't Connect to Provider

Check:

Network connectivity
DNS resolution
Firewall rules
SSL certificates

Provider-Specific Guides

Keycloak Setup (Pre-configured Adapter)

If using the Keycloak adapter (recommended):

In Keycloak admin console, select your realm
Go to Clients → Create client
Configure:
- Client type: OpenID Connect
- Client ID: dbackup
- Client authentication: On
Set Valid redirect URIs: https://dbackup.example.com/*
Save and go to Credentials tab
Copy Client secret
In DBackup:
- Select Keycloak adapter
- Base URL: https://auth.company.com (or https://auth.company.com/auth for legacy versions)
- Realm: Your realm name (e.g., master)
- Client ID & Secret from Keycloak

Keycloak Setup (Generic Adapter)

If you prefer manual configuration:

Create realm or use existing
Create client:
- Client type: OpenID Connect
- Client authentication: On
- Valid redirect URIs: https://dbackup.example.com/*
Note client ID and secret

Use Generic adapter with:

Issuer: https://keycloak.example.com/realms/your-realm
Auth URL: {issuer}/protocol/openid-connect/auth
Token URL: {issuer}/protocol/openid-connect/token
UserInfo: {issuer}/protocol/openid-connect/userinfo

Azure AD Setup

Register application in Azure Portal
Configure:
- Redirect URI: https://dbackup.example.com/api/auth/callback/azure
- Implicit grant: ID tokens
Create client secret

Use Generic adapter with:

Issuer: https://login.microsoftonline.com/{tenant-id}/v2.0

Google Workspace

Create OAuth 2.0 credentials in Google Cloud
Configure consent screen
Add redirect URI
Use Generic adapter

Next Steps

User Management - Manage user accounts
Groups & Permissions - Configure access

SSO / OIDC ​

Overview ​

Supported Providers ​

Adding an SSO Provider ​

Step 1: Configure Your Identity Provider ​

Step 2: Add Provider in DBackup ​

Provider Configuration ​

Authentik ​

Keycloak ​

PocketID ​

Generic OIDC ​

User Flow ​

New Users (Auto-Provisioning) ​

Existing Users (Account Linking) ​

Domain Mapping ​

Login Page Behavior ​

Security Considerations ​

Token Storage ​

Permissions ​

Credential Encryption ​

Best Practices ​

Provider Setup ​

User Management ​

High Availability ​

Troubleshooting ​

Login Fails with "Invalid Callback" ​

"User Not Found" After SSO ​

Token Expired Errors ​

Can't Connect to Provider ​

Provider-Specific Guides ​

Keycloak Setup (Pre-configured Adapter) ​

Keycloak Setup (Generic Adapter) ​

Azure AD Setup ​

Google Workspace ​

Next Steps ​

SSO / OIDC

Overview

Supported Providers

Adding an SSO Provider

Step 1: Configure Your Identity Provider

Step 2: Add Provider in DBackup

Provider Configuration

Authentik

Keycloak

PocketID

Generic OIDC

User Flow

New Users (Auto-Provisioning)

Existing Users (Account Linking)

Domain Mapping

Login Page Behavior

Security Considerations

Token Storage

Permissions

Credential Encryption

Best Practices

Provider Setup

User Management

High Availability

Troubleshooting

Login Fails with "Invalid Callback"

"User Not Found" After SSO

Token Expired Errors

Can't Connect to Provider

Provider-Specific Guides

Keycloak Setup (Pre-configured Adapter)

Keycloak Setup (Generic Adapter)

Azure AD Setup

Google Workspace

Next Steps