Single Sign-On
Single Sign-On is a DefectDojo Pro feature. As of DefectDojo 2.59, the SSO surface — SAML, OIDC, and the bundled OAuth providers — is available only in DefectDojo Pro. Open-source DefectDojo uses local username/password login and the password-reset flow.
If you’re running open-source DefectDojo and want SSO, you’ll need to switch to DefectDojo Pro; the migration is covered in the 2.59 upgrade notes. Existing user accounts and group memberships are preserved on upgrade. For access control on open-source DefectDojo, see the Authorized Users page.
Supported SSO providers (DefectDojo Pro)
DefectDojo Pro supports SAML and the following OAuth providers. Each guide walks through the provider-side setup and the corresponding configuration in the Pro Enterprise Settings UI.
SSO configuration in DefectDojo Pro can only be performed by a Superuser.
DefectDojo Pro users: Add the IP addresses of your SAML or SSO services to the Firewall whitelist before setting up SSO. See Firewall Rules for more information.
Disabling Username / Password login
Once SSO is configured in DefectDojo Pro, you may want to disable the traditional username/password login form. Uncheck "Allow Login via Username and Password" under Enterprise Settings > Login Settings.

Login fallback
If your SSO integration stops working, you can always return to the standard login form by appending the following to your DefectDojo URL:
/login?force_login_form
We recommend keeping at least one admin account with a username and password configured as a fallback.
Configure Auth0 SSO in DefectDojo Pro
Configure Azure AD SSO and group mapping in DefectDojo Pro
Configure GitHub Enterprise SSO in DefectDojo Pro
Configure GitLab SSO in DefectDojo Pro
Configure Google OAuth in DefectDojo Pro
Configure Keycloak SSO in DefectDojo Pro
Authenticate users via LDAP by building custom Docker images
Configure OpenID Connect (OIDC) SSO in DefectDojo Pro
Configure Okta SSO in DefectDojo Pro
Configure SAML in DefectDojo Pro