| description | This page describes how to set up SSO with the Duplicati Console, using Okta as an example |
|---|
For this guide we will be looking at setting up an application and also possibly configuring an access policy for the authorization server in Okta. While this guide is using Okta as an example, other OIDC or SAML2 providers, including Azure, can be used as well.
{% hint style="info" %} SSO is an additional Enterprise feature. Contact Duplicati sales or support if you need SSO enabled for your license or trial {% endhint %}
- Sign in to your Okta account.
- Navigate to the Admin page.
- In the left menu, select Applications.
{% hint style="info" %} Ensure you have an Okta account available with super admin rights. {% endhint %}
In the daiglog for creating the application, choose these two options:
- Sign-in method:
OIDC - OpenID Connect - Application type:
Web Application
Then click Next.
- Choose a suitable application name, such as Duplicati.
- Note that Sign-in redirect URIs must be provided later — leave it at default for now.
- Set controlled access, preferably limiting access to selected groups for better control.
- Go to Security → API.
- Here you can:
- Retrieve the Metadata URI needed for SSO configuration in Duplicati.
- Verify existing access policies.
If no access policies are present, or you want another one:
- Click Add New Access Policy.
- Configure it to match your security requirements.
- In the Duplicati Console, go to the Settings page.
- Click the SSO tab.
- The bold SSO name (example shown as “SSO Demo”) is case-sensitive and is required later at login.
- Click New SSO Configuration and choose Add OIDC.
{% hint style="info" %} If the SSO tab is not visible, SSO may not be enabled for your organization; contact Duplicati sales or support. {% endhint %}
To configure OIDC, fill in values from the Okta application.
- Name: Used to identify the login method for users. A suggested name is Okta.
- Notes: Free text, only used in this dialog.
- Default security group:
New users must be assigned to a group to join the organization.
Select the standard owner group created with the organization.
{% hint style="info" %} The default group affects only users who have not yet logged in to Duplicati Console. It will not change the group(s) of existing users. {% endhint %}
.png)
- In Okta, open your application page.
- Copy:
- Client Id
- Client secret
- Paste both into the Duplicati Console OIDC dialog.
- In Okta, go to Security → API → Settings.
- Copy the Metadata URI and paste into the metadata address field in Duplicati.
If Metadata URI is not shown (some Okta plans):
Use your Okta domain (from the Okta URL or Issuer field) in:
https://{yourOktaDomain}/.well-known/openid-configuration
Your configuration should look similar to the example shown in the guide once the fields are filled.
When creating the Okta app earlier, the redirect URI was left at default because it wasn’t available yet. Now we will update it.
- In Duplicati Console, open the SSO configuration list.
- For the relevant SSO configuration, open the action menu.
- Click the copy button to copy the redirect URI.
- In Okta, open your application front page.
- Scroll to General Settings.
- Click Edit.
- Paste the redirect URI into Sign-in redirect URIs.
- Click Save.
Once configured, you can log in with Okta.
- In Duplicati Console, go to your Account page.
- Click Add login account.
- Choose the new Okta integration.
This allows your current account to be accessed with either login method.
- Log out of Duplicati Console.
- On the login screen, choose Sign in with SSO.
- Enter your organization’s SSO name (case-sensitive).
- The name appears on the SSO configuration page.
- If not, obtain it from Duplicati Inc.
- After entering a valid name, you’ll see available login options.
- Typically there is one option, but multiple can be configured.
- Click the login button to be redirected to Okta and complete sign-in.
.png)
.png)