Enable SSO

Use this page as the starting point for enabling SSO in a self-hosted Dekart instance.

Premium users have SSO enabled by default.

Add license key first

  • SSO requires a valid license key in your runtime config.
  • No license key yet? Request an SSO license key.

Set:

DEKART_LICENSE_KEY=<your-license-key>

If you run with Docker Compose:

services:
  dekart:
    environment:
      - DEKART_LICENSE_KEY=${DEKART_LICENSE_KEY}

Without a license key, SSO/auth config will fail on startup.

Choose your SSO configuration

After DEKART_LICENSE_KEY is set, choose the first configuration in this priority order that matches your environment.

User authorization via Google OAuth 2.0 flow

Use this when users sign in directly with Google OAuth and you want the Google user credentials flow.

Google OAuth 2.0 configuration

User authorization via Google IAP

Use this when Dekart is behind Google IAP and you want to trust IAP-signed headers.

Google IAP configuration

User authorization via Amazon Load Balancer

Use this when ALB/Cognito (or ALB-authenticated flow) forwards auth headers to Dekart.

  • Amazon Load Balancer configuration
  • Amazon Load Balancer Terraform example

User authorization via OIDC JWT header (reverse proxy)

Use this when a trusted reverse proxy (for example oauth2-proxy + Keycloak) authenticates users and forwards a JWT to Dekart.

  • OIDC JWT header configuration
  • Keycloak + Postgres + OIDC Setup

Validate

Before inviting users, verify:

  • DEKART_LICENSE_KEY is present in the running instance.
  • Your OIDC/JWKS/issuer/audience values match your IdP.
  • Login flow reaches your IdP and returns to Dekart.
  • Users can access shared/team features after login.
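One way to run the OIDC/JWKS/issuer/audience check from the list above before rollout, as an added example that is not part of Dekart or its documentation: it decodes a token forwarded by your own reverse proxy and reports where its header and claims differ from the values you configured. The function name, the issuer URL, the audience, the key ID and the sample token are all constructed assumptions.

```python
import base64
import json
import time

def _segment(part):
    """Decode one base64url JWT segment (padding restored) into a dict."""
    obj = json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))
    if not isinstance(obj, dict):
        raise ValueError("segment is not a JSON object")
    return obj

def preflight(token, jwks, issuer, audience, now=None):
    """List mismatches between a forwarded JWT and the values you configured.
    Reads claims only and does NOT verify the signature: a config check only."""
    parts = token.split(".")
    if len(parts) != 3:
        return ["not a three-part compact JWT"]
    try:
        header, claims = _segment(parts[0]), _segment(parts[1])
    except ValueError:
        return ["header or payload is not base64url-encoded JSON"]
    problems = []
    if str(header.get("alg", "none")).lower() == "none":
        problems.append("alg is none: token is unsigned")
    if header.get("kid") not in {k.get("kid") for k in jwks.get("keys", [])}:
        problems.append(f"kid {header.get('kid')!r} is not published in the JWKS")
    if claims.get("iss") != issuer:  # exact match: a trailing slash counts
        problems.append(f"iss {claims.get('iss')!r} != configured {issuer!r}")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        problems.append(f"aud {aud!r} does not contain {audience!r}")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= (time.time() if now is None else now):
        problems.append("exp is missing or in the past")
    return problems

def _encode(obj):  # builds the constructed sample token below
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample values; none of these come from a real IdP or from Dekart.
JWKS = {"keys": [{"kid": "key-2024", "kty": "RSA"}]}
SAMPLE = ".".join([_encode({"alg": "RS256", "kid": "key-2024"}),
                   _encode({"iss": "https://idp.example.test/realms/dekart",
                            "aud": ["dekart"], "exp": 2_000_000_000}), "c2ln"])

if __name__ == "__main__":
    print(preflight(SAMPLE, JWKS, "https://idp.example.test/realms/dekart", "dekart"))
```

An empty list means the token's header and claims agree with the configured values; signature verification remains the job of the component that consumes the token.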
