SSO / OIDC
TaskWolf supports any OIDC-compliant identity provider (Keycloak, Okta, Azure AD, Auth0, Google Workspace).
Register a Provider
- In your IdP, create an OIDC application (Authorization Code flow)
- Set the redirect URI to:
  https://<your-domain>/login/oauth2/code/<provider-id>
- Note the Issuer URL, Client ID, and Client Secret
Then in TaskWolf:
- Log in as System Admin
- Go to Admin → SSO
- Click Add Provider
- Fill in: Name, Issuer URL, Client ID, Client Secret
- Save — the provider appears on the login page immediately
Auto-Provisioning
When Auto-Provision is enabled (default), users logging in via SSO for the first time are automatically created with the MEMBER system role.
Disable auto-provisioning if you want to manually create accounts before allowing SSO login.
Discovery
TaskWolf fetches provider metadata from {issuerUrl}/.well-known/openid-configuration at login time. No manual endpoint configuration is required.
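A pre-flight check an admin could run on a provider's discovery document before entering the Issuer URL, as an added example that is not TaskWolf code. The function names, issuer URL and sample documents are constructed for illustration; the checks follow the OpenID Connect Discovery specification and are not a statement of what TaskWolf itself validates.

```python
import json
from urllib.parse import urlsplit

# Subset of the metadata fields OpenID Connect Discovery marks as required
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint",
            "jwks_uri", "response_types_supported")
URL_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")

def discovery_url(issuer_url):
    # Path from the docs: {issuerUrl}/.well-known/openid-configuration
    return issuer_url.rstrip("/") + "/.well-known/openid-configuration"

def check_discovery(issuer_url, doc):
    """Return a list of problems; an empty list means no issue was found."""
    problems = ["missing field: " + k for k in REQUIRED if k not in doc]
    # The spec requires the advertised issuer to equal the configured one
    # exactly, so a stray trailing slash counts as a mismatch.
    if "issuer" in doc and doc["issuer"] != issuer_url:
        problems.append("issuer mismatch: %r != %r" % (doc["issuer"], issuer_url))
    for key in URL_FIELDS:
        value = doc.get(key)
        if isinstance(value, str) and urlsplit(value).scheme != "https":
            problems.append("%s is not https: %s" % (key, value))
    # The Authorization Code flow needs response_type "code" to be advertised
    if "code" not in doc.get("response_types_supported", []):
        problems.append("response_type 'code' not advertised")
    return problems

# Constructed sample documents (not output from a real provider)
ISSUER = "https://idp.example.com/realms/demo"
GOOD_DOC = json.loads("""{
  "issuer": "https://idp.example.com/realms/demo",
  "authorization_endpoint": "https://idp.example.com/realms/demo/auth",
  "token_endpoint": "https://idp.example.com/realms/demo/token",
  "jwks_uri": "https://idp.example.com/realms/demo/certs",
  "response_types_supported": ["code", "id_token"]
}""")
BAD_DOC = dict(GOOD_DOC, token_endpoint="http://idp.example.com/realms/demo/token",
               response_types_supported=["id_token"])
del BAD_DOC["jwks_uri"]

if __name__ == "__main__":
    print(discovery_url(ISSUER))
    for label, issuer, doc in (("good", ISSUER, GOOD_DOC),
                               ("trailing slash", ISSUER + "/", GOOD_DOC),
                               ("bad", ISSUER, BAD_DOC)):
        print(label, "->", check_discovery(issuer, doc) or "ok")
```

To check a live provider, fetch `discovery_url(issuer)` with any HTTPS client and pass the parsed JSON to `check_discovery` together with the exact Issuer URL you plan to enter.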
Removing a Provider
Delete the provider from Admin → SSO. Existing user accounts are not affected.