LDAP & OIDC Authentication
ProxCenter supports external authentication via LDAP/Active Directory and OIDC (OpenID Connect) providers. This lets your team log in with their existing corporate credentials instead of managing separate ProxCenter accounts.
Overview
By default, ProxCenter uses local authentication (email and password). When you configure an external identity provider, users can authenticate through that provider and are automatically provisioned in ProxCenter on first login.
You can use LDAP, OIDC, or both simultaneously. Local authentication remains available as a fallback.
LDAP / Active Directory
Configuration
Navigate to Settings > Authentication and select the LDAP tab.
| Field | Description |
|---|---|
| Server URL | LDAP server address (e.g., ldap://dc.example.com or ldaps://dc.example.com) |
| Bind DN | Distinguished name for the service account used to search (e.g., cn=proxcenter,ou=services,dc=example,dc=com) |
| Bind Password | Password for the bind DN |
| Base DN | The search base for users (e.g., ou=users,dc=example,dc=com) |
| User Filter | LDAP filter to match user accounts (e.g., (sAMAccountName={{username}})) |
| Email Attribute | Attribute containing the user's email (default: mail) |
| Display Name Attribute | Attribute for the user's display name (default: displayName) |
| Group Base DN | Optional base DN for group lookups |
| Use TLS | Enable STARTTLS or LDAPS |
Group Mapping
You can map LDAP groups to ProxCenter roles. For example, map CN=Proxmox-Admins,OU=Groups,DC=example,DC=com to the admin role in ProxCenter. Users who belong to that LDAP group are automatically assigned the corresponding role on login.
Test your LDAP configuration using the Test Connection button before saving. It verifies the bind credentials and attempts a user search with the configured filter.
OIDC / SSO
The Redirect URI shown on the OIDC settings page is built from the NEXTAUTH_URL environment variable set at install time. If ProxCenter is behind a reverse proxy, make sure NEXTAUTH_URL matches your public FQDN before registering the application with your identity provider; otherwise the provider receives ProxCenter's internal IP as the callback and the login flow fails. See Reverse Proxy and Public URL for the procedure.
Configuration
Navigate to Settings > Authentication and select the OIDC tab.
| Field | Description |
|---|---|
| Provider Name | Display name shown on the login button (e.g., "Sign in with Okta") |
| Issuer URL | The OIDC provider's issuer URL (e.g., https://accounts.google.com) |
| Client ID | The OAuth 2.0 client ID registered with your provider |
| Client Secret | The OAuth 2.0 client secret |
| Scopes | Requested scopes (default: openid profile email) |
| Advanced Endpoints (Authorization / Token / Userinfo URL) | Optional manual overrides, found under the collapsed Advanced Endpoints section. Leave blank for any provider that publishes .well-known/openid-configuration, which is the case for every major identity provider (Entra ID, Google, Okta, Duo, Keycloak, Authentik). Fill these in only if your provider does not expose discovery, in which case all three must be set explicitly. |
| Redirect URI | ProxCenter's callback URL, derived from NEXTAUTH_URL. Copy the value shown in the settings page and register it as-is in your OIDC provider. It must match exactly: scheme, host, port, no trailing slash mismatch. |
Supported Providers
Any OIDC-compliant provider works. Commonly used with:
- Microsoft Entra ID (Azure AD) -- For Microsoft 365 organizations
- Google Workspace -- For Google-based organizations
- Okta -- Enterprise identity management
- Duo Single Sign-On -- See the dedicated SSO with Duo walkthrough
- Keycloak -- Self-hosted identity provider
- Authentik -- Open-source identity provider popular with homelab users
User Provisioning
When a user logs in via OIDC for the first time, ProxCenter automatically creates a local account linked to their OIDC identity. The user's email and display name are populated from the OIDC claims.
Subsequent logins match on the email address claim. If the user already has a local account with the same email, the accounts are linked.
Ensure that the email addresses returned by your OIDC provider are verified. An attacker who can control the email claim issued for their own OIDC account could otherwise link it to an existing ProxCenter account that belongs to someone else.
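The following is an added example, not ProxCenter's own code, of a first-login provisioning routine that applies the rules above: it refuses to link unless the provider asserts email_verified, matches returning users on the issuer/subject pair before falling back to the email claim, and rejects a verified email that is already bound to a different OIDC identity. The in-memory Map user store and the issuer and claim values are constructed for illustration.

```javascript
class ProvisioningError extends Error {}

// users: Map keyed by lowercase email -> { email, displayName, oidcIdentity }
// issuer: the OIDC issuer URL; claims: the decoded ID token / userinfo claims.
function provisionOidcUser(users, issuer, claims) {
  if (typeof claims.sub !== "string" || claims.sub.length === 0) {
    throw new ProvisioningError("missing sub claim");
  }
  if (typeof claims.email !== "string" || claims.email.length === 0) {
    throw new ProvisioningError("missing email claim");
  }
  // Standard OIDC claim. Providers that cannot vouch for the address omit it
  // or set it to false, so anything other than an explicit true is unverified.
  if (claims.email_verified !== true) {
    throw new ProvisioningError("email claim not verified by provider");
  }

  const email = claims.email.trim().toLowerCase();
  // Bind accounts to (issuer, sub): stable even if the provider later lets
  // the user change their email address.
  const identity = `${issuer}|${claims.sub}`;

  // Returning user: the identity is already linked to an account.
  for (const user of users.values()) {
    if (user.oidcIdentity === identity) {
      return { action: "login", user };
    }
  }

  // First login with this identity: link to a local account with the same
  // verified email, unless that account already belongs to another identity.
  const existing = users.get(email);
  if (existing) {
    if (existing.oidcIdentity && existing.oidcIdentity !== identity) {
      throw new ProvisioningError("email already linked to another OIDC identity");
    }
    existing.oidcIdentity = identity;
    return { action: "link", user: existing };
  }

  // No account yet: provision one from the claims.
  const user = { email, displayName: claims.name ?? email, oidcIdentity: identity };
  users.set(email, user);
  return { action: "create", user };
}
```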
ProxCenter does not add a second factor on top of OIDC sign-ins. MFA is the responsibility of the identity provider (Entra ID Conditional Access, Okta MFA, Authentik flows, Duo, Keycloak, etc.). For local and LDAP accounts ProxCenter offers a built-in TOTP flow, see Two-Factor Authentication.
LDAP/Active Directory and OIDC authentication are available in the Enterprise edition.
Permissions
| Permission | Description |
|---|---|
| settings.manage | Required to configure LDAP and OIDC settings |