LDAP & OIDC Authentication
ProxCenter supports external authentication via LDAP/Active Directory and OIDC (OpenID Connect) providers. This lets your team log in with their existing corporate credentials instead of managing separate ProxCenter accounts.
Overview
By default, ProxCenter uses local authentication (email and password). When you configure an external identity provider, users can authenticate through that provider and are automatically provisioned in ProxCenter on first login.
You can use LDAP, OIDC, or both simultaneously. Local authentication remains available as a fallback.
LDAP / Active Directory
Configuration
Navigate to Settings > Authentication and select the LDAP tab.
| Field | Description |
|---|---|
| Server URL | LDAP server address (e.g., ldap://dc.example.com or ldaps://dc.example.com) |
| Bind DN | Distinguished name for the service account used to search (e.g., cn=proxcenter,ou=services,dc=example,dc=com) |
| Bind Password | Password for the bind DN |
| Base DN | The search base for users (e.g., ou=users,dc=example,dc=com) |
| User Filter | LDAP filter to match user accounts (e.g., (sAMAccountName={{username}})) |
| Email Attribute | Attribute containing the user's email (default: mail) |
| Display Name Attribute | Attribute for the user's display name (default: displayName) |
| Group Base DN | Optional base DN for group lookups |
| Use TLS | Enable STARTTLS or LDAPS |
Group Mapping
You can map LDAP groups to ProxCenter roles. For example, map CN=Proxmox-Admins,OU=Groups,DC=example,DC=com to the admin role in ProxCenter. Users who belong to that LDAP group are automatically assigned the corresponding role on login.
Test your LDAP configuration using the Test Connection button before saving. It verifies the bind credentials and attempts a user search with the configured filter.
OIDC / SSO
Configuration
Navigate to Settings > Authentication and select the OIDC tab.
| Field | Description |
|---|---|
| Provider Name | Display name shown on the login button (e.g., "Sign in with Okta") |
| Issuer URL | The OIDC provider's issuer URL (e.g., https://accounts.google.com) |
| Client ID | The OAuth 2.0 client ID registered with your provider |
| Client Secret | The OAuth 2.0 client secret |
| Scopes | Requested scopes (default: openid profile email) |
| Redirect URI | ProxCenter's callback URL, shown in the settings. Register this URL in your OIDC provider. |
Supported Providers
Any OIDC-compliant provider works. Commonly used with:
- Microsoft Entra ID (Azure AD) -- For Microsoft 365 organizations
- Google Workspace -- For Google-based organizations
- Okta -- Enterprise identity management
- Keycloak -- Self-hosted identity provider
- Authentik -- Open-source identity provider popular with homelab users
User Provisioning
When a user logs in via OIDC for the first time, ProxCenter automatically creates a local account linked to their OIDC identity. The user's email and display name are populated from the OIDC claims.
Subsequent logins match on the email address claim. If the user already has a local account with the same email, the accounts are linked.
Ensure that email addresses returned by your OIDC provider are verified. An attacker who can control their OIDC email claim could potentially link to an existing ProxCenter account.
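The check this warning calls for, sketched as an added example (not ProxCenter's own code; `Account` and `resolve_login` are hypothetical names): an email-based link is refused unless the provider asserts `email_verified` as a boolean true. It is stricter than the behaviour described above in that returning users are matched on the stable `(iss, sub)` pair rather than on email. It assumes the ID token's signature, issuer, audience and expiry were already validated.

```python
# Added example, not ProxCenter code; all names are hypothetical.
# Assumes `claims` come from an ID token whose signature, issuer,
# audience and expiry were already validated.
from dataclasses import dataclass, field


@dataclass
class Account:
    email: str
    identities: set = field(default_factory=set)  # linked (iss, sub) pairs


def resolve_login(claims: dict, accounts: list) -> tuple:
    """Return (decision, account) for one OIDC login attempt."""
    identity = (claims.get("iss"), claims.get("sub"))
    if not all(identity):
        return ("reject_missing_subject", None)

    # 1. A linked identity is matched on the stable (iss, sub) pair,
    #    never on the mutable email claim.
    for acct in accounts:
        if identity in acct.identities:
            return ("login", acct)

    # 2. No link yet: the email claim picks the account, so it must be
    #    verified. Fail closed: only the JSON boolean true counts; a
    #    missing claim or the string "true" is treated as unverified.
    email = (claims.get("email") or "").strip().lower()
    if not email or claims.get("email_verified") is not True:
        return ("reject_unverified_email", None)

    # 3. Verified email equal to an existing local account: link it.
    for acct in accounts:
        if acct.email.lower() == email:
            acct.identities.add(identity)
            return ("link", acct)

    # 4. No match: provision a new account bound to this identity.
    acct = Account(email=email, identities={identity})
    accounts.append(acct)
    return ("provision", acct)


if __name__ == "__main__":
    # Constructed sample data: one local admin, one unverified claim.
    users = [Account(email="admin@example.com")]
    forged = {"iss": "https://idp.example.com", "sub": "u-666",
              "email": "admin@example.com", "email_verified": False}
    print(resolve_login(forged, users)[0])
```

On the provider side, the matching control is to release the `email` claim only for addresses the provider has verified itself.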
LDAP/Active Directory and OIDC authentication are available in the Enterprise edition.
Permissions
| Permission | Description |
|---|---|
| settings.manage | Required to configure LDAP and OIDC settings |