Protect Application Domains With SSO in Dokploy Enterprise

Dokploy Enterprise now includes Application Authentication, a new way to protect application domains with identity-provider login. 

Some applications should not be open to everyone with a URL.

Internal dashboards, admin tools, staging environments, and private services sometimes need an access layer before visitors ever reach the app itself.

With Application Authentication, you can configure an authentication proxy for a server, connect it to an OpenID Connect (OIDC) provider, and require visitors to sign in before they reach a protected application domain.

The feature appears in the product under Settings → SSO → Application Authentication. Its domain-level control enables teams to set up a requirement for visitors to authenticate against their identity provider before accessing an application.

What is Application Authentication?

Application Authentication lets you put SSO in front of an application domain deployed through Dokploy.

Instead of adding login logic to every internal tool or admin service, you can handle access at the platform level. Dokploy deploys an authentication proxy for the server, and then you choose which application domains should require SSO.

The flow is designed around a shared base domain. For example, you might use auth.acme.com as the authentication domain and protect an app running at app.acme.com. Once the proxy is deployed and the callback URL is registered in your identity provider, apps on that server under the same base domain can be protected from the domain settings.

Dokploy Enterprise already supports platform SSO with OIDC and SAML providers, so this is a separate process from logging in to the Dokploy dashboard itself. Application Authentication protects the applications you deploy through Dokploy.

Why this matters

A lot of useful software starts as a private app.

You might deploy:

• A metrics dashboard for your team
• A back-office tool for operations
• A preview build for a client
• A small admin panel that should never be fully public

These apps still need a domain, TLS, deployments, updates, and, crucially, access control.

Application Authentication brings that access control closer to the deployment workflow.

Dokploy handles the authentication layer before traffic reaches the protected domain, so your app can stay focused on the job it was built to do.

For teams running multiple internal tools, this can make private deployments easier to standardize. Configure the authentication proxy once for the server, register the callback URL once in your identity provider, then enable protection on the domains that need it.

How it works

Dokploy Enterprise users can get started in Settings → SSO → Application Authentication.

From there, you set an authentication domain for the server, which is used by the authentication proxy and gives you a callback URL to register with your identity provider.

Next, you deploy the proxy using an OIDC provider. The authentication proxy is configured with the OIDC provider, issuer URL, client credentials, callback URL, and cookie domain.

At the application level, you can open the domain settings and enable SSO Authentication for the domain. When enabled, visitors must log in through your identity provider before they can access the application. When disabled, the domain remains publicly accessible.

A simple setup flow

Here’s the high-level workflow:

1. Add or select an OIDC provider in Dokploy Enterprise.
2. Go to Settings → SSO → Application Authentication.
3. Set an auth domain for the server, such as auth.acme.com.
4. Register the callback URL in your identity provider.
5. Deploy the authentication proxy.
6. Open the application domain settings.
7. Enable SSO Authentication for the domain you want to protect.

Once enabled, the domain is no longer just a public entry point to the app; visitors have to authenticate first.

Requirements before you can enable it

Application Authentication is built for Dokploy Enterprise and requires a valid Enterprise license.

You’ll also need an OIDC provider configured. The authentication proxy currently supports OIDC providers only – SAML is not compatible with this application-level authentication flow.

There are also two domain requirements to keep in mind.

1. The authentication proxy container must be deployed and running on the same server as the app you want to protect
2. The protected application domain needs to share the same base domain as the authentication domain – for example, app.acme.com and auth.acme.com work together because they share acme.com

These requirements help the proxy manage authentication consistently across protected domains on that server.

Application Authentication vs. Platform SSO

Platform SSO controls who can log in to Dokploy. It’s the SSO flow for your Dokploy dashboard, team access, and organization-level authentication.

Application Authentication controls who can reach an application deployed through Dokploy. It’s the SSO flow for the apps you host, such as internal dashboards, private tools, or admin panels.

Both are included in your access management controls, but they solve different problems. Platform SSO protects the control plane. Application Authentication protects the application entry point.

What you can use Application Authentication for

Use Application Authentication to make sure an app is only reachable through a normal domain after login.

Common examples include:

• Internal dashboards
• Admin panels
• Back-office tools
• Preview environments
• Private customer portals
• Team-only applications
• Temporary apps that need quick access control

The feature is especially helpful when you don’t want to modify the application code just to add authentication. You can keep deploying through Dokploy and add SSO protection at the domain level instead.

Bringing access control into the deployment workflow

Dokploy already gives teams a simple way to deploy applications, manage domains, and operate services from one place.

Thanks to Application Authentication, Dokploy Enterprise users have an easier way to ship private applications with the right access layer.

Need help connecting your identity provider or want to learn more about Dokploy Enterprise? Visit the Dokploy Enterprise docs or contact the Dokploy team.