Merge pull request #130 from Dokploy/docs/enterprise

Docs/enterprise

Author: Siumauricio

apps/docs/content/docs/core/enterprise/audit-logs.txt

@@ -0,0 +1,44 @@
+---
+title: Audit logs
+description: Track user actions and changes for compliance and security
+---
+
+## What is logged
+
+Typical events include:
+
+- **Authentication** — Logins, logouts, failed attempts, SSO redirects.
+- **Users and access** — User creation, updates, deletion, role changes, invite/revoke.
+- **Resources** — Creation, update, and deletion of projects, applications, compose stacks, databases, domains, environment variables, and similar resources.
+- **Deployments** — Deploy triggers, rollbacks, and related actions.
+- **Settings** — Changes to organization, security, and whitelabel settings (where applicable).
+
+Each entry usually includes:
+
+- **Timestamp** (UTC)
+- **Actor** (user ID, email, or service account)
+- **Action** (e.g. `user.login`, `application.create`, `compose.deploy`)
+- **Resource** (type and identifier)
+- **Details** (e.g. old/new values or reason, when relevant)
+- **IP address** (when available)
+
+## Accessing audit logs
+
+1. Go to **Settings** → **Audit logs** (or **Organization** → **Audit logs** in Enterprise).
+2. Use filters by date range, user, action type, or resource.
+3. Export results (e.g. CSV or JSON) for external tools or compliance reviews.
+
+## Retention and storage
+
+- Retention period and storage backend (e.g. database, external logging) depend on your Enterprise agreement.
+- Configure retention and any archiving according to your compliance and security policies.
+
+## Compliance
+
+Audit logs help support:
+
+- **SOC 2** — Evidence of access control and change management.
+- **GDPR** — Documentation of access to and changes in personal data and configurations.
+- **Internal policies** — Review of who changed what and when.
+
+For retention, export formats, or integration with your SIEM or log pipeline, [contact us](https://dokploy.com/contact).

apps/docs/content/docs/core/enterprise/index.mdx

@@ -0,0 +1,21 @@
+---
+title: Introduction
+description: Enterprise features for SSO, whitelabeling, and audit logs
+---
+
+
+## What's included
+
+- **Single Sign-On (SSO)** — Integrate with Auth0, Keycloak, or other OIDC/SAML providers.
+{/* - **Whitelabeling** — Rebrand the UI with your logo, colors, and domain (self-hosted only) (). */}
+{/* - **Audit logs** — Track user actions and changes for compliance and security. */}
+
+More Enterprise features are on the way. [Contact us](https://dokploy.com/contact) if you want early access or have specific requirements.
+
+## Contact us
+
+For pricing and to enable Enterprise features on your instance, get in touch with our team:
+
+**[Contact us →](https://dokploy.com/contact)**
+
+We'll help you configure SSO, whitelabeling, and audit logs for your organization.

apps/docs/content/docs/core/enterprise/license-keys.mdx

@@ -0,0 +1,23 @@
+---
+title: License Keys
+description: Activate and manage your Enterprise license
+---
+
+To use Enterprise features (SSO, whitelabeling, audit logs, and more), you need a valid license issued by the Dokploy team.
+
+By default, all Dokploy instances run in the standard edition. If you are interested in switching to the Enterprise version, [contact us](https://dokploy.com/contact). Once you receive your license key, you can activate it in your instance.
+
+## Activating your license
+
+1. Go to **Settings** → **License** (or **Organization** → **License** in Enterprise).
+2. Enter your license key and click **Activate**.
+
+Your instance will then have access to Enterprise features for the duration of the license.
+
+## How validation works
+
+- The license is validated **every day** against our servers to verify that it is still valid.
+- The **only data** used for validation is the **IP address** of your server. We check it against our license server to confirm that the key is valid and active for that server.
+- No other data is sent or stored for license validation.
+
+If your server’s IP changes, or you have questions about your license, [contact us](https://dokploy.com/contact).

apps/docs/content/docs/core/enterprise/sso/auth0.mdx

@@ -0,0 +1,107 @@
+---
+title: Auth0
+description: Configure SSO with Auth0 (OIDC or SAML)
+---
+
+<Tabs items={['SSO (OIDC)', 'SAML']}>
+<Tab value="SSO (OIDC)">
+
+## 1. Create an application in Auth0
+
+1. Log in to the [Auth0 Dashboard](https://manage.auth0.com/).
+2. Go to **Applications** → **Applications** → **Create Application**.
+3. Choose **Regular Web Application** and create it.
+4. Note your **Domain**, **Client ID**, and **Client Secret**.
+
+## 2. Configure Dokploy
+
+1. In Dokploy, go to **Settings** (or **Organization** / **Security** in Enterprise).
+2. Enable **SSO** and choose **OpenID Connect**.
+3. Enter:
+   - **Provider**: myorg-name-auth0 (Unique)
+   - **Issuer URL**: `https://YOUR_AUTH0_DOMAIN/` (Make sure add the trailing slash)
+   - **Domain**: the domain users use to authenticate via Auth0 (e.g. your organization domain like `acme.com`), not the Dokploy instance URL
+   - **Client ID**: from Auth0 application
+   - **Client Secret**: from Auth0 application
+   - **Scopes**: openid email profile
+4. Save.
+
+## 3. Configure Auth0
+
+1. In your application, go to **Settings**.
+2. Set **Allowed Callback URLs** to your Dokploy URL, for example:
+   - `https://your-dokploy-domain.com/api/auth/callback/myorg-name-auth0`
+3. Set **Allowed Logout URLs** to:
+   - `https://your-dokploy-domain.com`
+4. Set **Allowed Origins** to:
+   - `https://your-dokploy-domain.com`
+5. Save changes.
+
+## Troubleshooting (OIDC)
+
+- **Redirect URI mismatch** — Ensure the callback URL in Dokploy matches exactly what is configured in Auth0 (including protocol and path).
+- **Invalid client** — Double-check Client ID and Client Secret, and that the application is a web application.
+- **Scopes** — Ensure Auth0 is configured to return `openid` and, if required, `email` and `profile`.
+
+</Tab>
+<Tab value="SAML">
+
+## 1. Create a SAML application in Auth0
+
+1. Log in to the [Auth0 Dashboard](https://manage.auth0.com/).
+2. Go to **Applications** → **Applications** → **Create Application**.
+3. Choose **Regular Web Application** and create it.
+4. In the application, go to **Add Ons** → enable **SAML 2 Web App** and configure it, in the settings specify this callback URL: `https://your-dokploy-domain.com/api/auth/sso/saml2/callback/myorg-name-auth0-saml`.
+5. Next & Save.
+
+## 2. Configure Dokploy
+
+1. In Dokploy, go to **Settings** (or **Organization** / **Security** in Enterprise).
+2. Enable **SSO** and choose **SAML**.
+3. Enter:
+   - **Provider**: myorg-name-auth0-saml (unique name for this provider)
+   - **Issuer URL**: the Auth0 SAML Entity ID / Issuer located in `Add Ons` tab called `SAML 2 Web App` called `Entity ID` (e.g. `urn:auth0:your-tenant:your-app`)
+   - **SSO URL**: the Auth0 SAML Single Sign-On URL located in `Add Ons` tab called `SAML 2 Web App` called `Single Sign-On URL` (e.g. `https://dev-ladsadb.us.auth0.com/samlp/wgJe9bWmwhVnuAC7eNtyUsiou4b6wxuf`)
+   - **Certificate**: download the certificate active (x509) from the `Add Ons` tab called `SAML 2 Web App` called `Identity Provider Certificate` and paste it in the `Certificate` field.
+   - **Federation Metadata XML**: copy the Identity Provider Metadata XML from the certificate active and paste it in the `Metadata XML` field.
+   - **Domain**: the domain users use to authenticate via Auth0 (e.g. your organization domain like `acme.com`), not the Dokploy instance URL
+4. Save.
+
+## 3. Configure Auth0 (SAML)
+
+1. In your Auth0 SAML application, set the **Application Callback URL** (ACS URL) to your Dokploy SAML ACS URL, for example:
+   - `https://your-dokploy-domain.com/api/auth/sso/saml2/callback/myorg-name-auth0-saml`
+2. In the **SAML 2 Web App** add-on, open **Settings** and paste the following JSON in the **Settings** (Application Settings) field. Replace `https://your-dokploy-domain.com` with your Dokploy base URL and `myorg-name-auth0-saml` with the **exact same provider name** you entered in Dokploy in step 2 (the callback URL path must match), so Dokploy can read email, display name, and other attributes:
+
+```json
+{
+  "audience": "https://your-dokploy-domain.com/saml/metadata",
+  "recipient": "https://your-dokploy-domain.com/api/auth/sso/saml2/callback/myorg-name-auth0-saml",
+  "destination": "https://your-dokploy-domain.com/api/auth/sso/saml2/callback/myorg-name-auth0-saml",
+  "signResponse": true,
+  "signAssertion": true,
+  "nameIdentifierFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
+  "nameIdentifierProbes": [
+    "email"
+  ],
+  "mappings": {
+    "email": "email",
+    "displayName": "name",
+    "givenName": "given_name",
+    "surname": "family_name"
+  }
+}
+```
+
+4. Save.
+
+## Troubleshooting (SAML)
+
+- **ACS URL mismatch** — Ensure the callback/ACS URL in Auth0 matches exactly what Dokploy provides (including protocol and path).
+- **Certificate** — Use the full x509 certificate from Auth0 (PEM format); ensure no extra spaces or line breaks.
+- **Entity ID** — The Entity ID in Dokploy must match the Issuer/Entity ID configured in Auth0.
+
+</Tab>
+</Tabs>
+
+For help with your setup, [contact us](https://dokploy.com/contact).

apps/docs/content/docs/core/enterprise/sso/azure.mdx

@@ -0,0 +1,88 @@
+---
+title: Azure AD (Microsoft Entra ID)
+description: Configure SSO with Azure AD / Microsoft Entra ID (OIDC or SAML)
+---
+
+<Tabs items={['SSO (OIDC)', 'SAML']}>
+<Tab value="SSO (OIDC)">
+
+## 1. Register an application in Azure
+
+1. Log in to the [Azure Portal](https://portal.azure.com/).
+2. Go to **Microsoft Entra ID** (or **Azure Active Directory**) → **App registrations** → **New registration**.
+3. Enter a **Name** (e.g. Dokploy), choose supported account types, and set **Redirect URI** to **Web** with a placeholder for now (e.g. `https://your-dokploy-domain.com/api/auth/callback/myorg-name-azure`).
+4. Register and note the **Application (client) ID** and **Directory (tenant) ID**.
+5. Go to **Certificates & secrets** → **New client secret**, create a secret and note its **Value** (you won’t see it again).
+6. The **Issuer URL** for OpenID Connect is: `https://login.microsoftonline.com/{tenant-id}/v2.0` (replace `{tenant-id}` with your Directory (tenant) ID). Some setups expect a trailing slash.
+
+## 2. Configure Dokploy
+
+1. In Dokploy, go to **Settings** (or **Organization** / **Security** in Enterprise).
+2. Enable **SSO** and choose **OpenID Connect**.
+3. Enter:
+   - **Provider**: myorg-name-azure (unique name for this provider)
+   - **Issuer URL**: `https://login.microsoftonline.com/YOUR_TENANT_ID/v2.0` (use your Directory (tenant) ID; add a trailing slash if required for discovery)
+   - **Domain**: the domain users use to authenticate via Azure AD (e.g. your organization domain like `acme.com`), not the Dokploy instance URL
+   - **Client ID**: the Application (client) ID from Azure
+   - **Client Secret**: the client secret value from Certificates & secrets
+   - **Scopes**: openid email profile
+4. Save.
+
+## 3. Configure Azure
+
+1. In your app registration, go to **Authentication**.
+2. Under **Web** → **Redirect URIs**, add:
+   - `https://your-dokploy-domain.com/api/auth/callback/myorg-name-azure`
+3. Under **Front-channel logout URL** (optional), you can set:
+   - `https://your-dokploy-domain.com`
+4. Go to **Token Configuration** and add optional claim, select **email**, **preferred_username** and **upn** from the list of claims.
+5. Save.
+
+## Troubleshooting (OIDC)
+
+- **Redirect URI mismatch** — Ensure the callback URL in Dokploy matches exactly what is configured in Azure (including protocol and path). Use the same **Provider** value in the path (e.g. `.../api/auth/callback/myorg-name-azure`).
+- **Invalid client** — Double-check Application (client) ID and client secret. Confirm the secret has not expired under **Certificates & secrets**.
+- **Tenant** — Use the correct Directory (tenant) ID in the Issuer URL. For multi-tenant apps, you may use `common` instead of the tenant ID (e.g. `https://login.microsoftonline.com/common/v2.0`).
+- **Scopes** — Ensure the app registration has the right API permissions (e.g. **OpenID permissions**, **User.Read**) if required for `openid`, `email`, and `profile`.
+
+</Tab>
+<Tab value="SAML">
+
+## 1. Create an Enterprise Application (SAML) in Azure
+
+1. Log in to the [Azure Portal](https://portal.azure.com/).
+2. Go to **Microsoft Entra ID** → **Enterprise applications** → **New application** → **Create your own application** (or **Non-gallery application**).
+3. Enter a **Name** (e.g. Dokploy) and create.
+4. Go to **Single sign-on** → **SAML**.
+5. Note the **Identifier (Entity ID)** and **Login URL** (SSO URL). Under **SAML Certificates**, download or copy the **Certificate (Base64)** (x509) and download the **Federation Metadata XML** file.
+
+## 2. Configure Dokploy
+
+1. In Dokploy, go to **Settings** (or **Organization** / **Security** in Enterprise).
+2. Enable **SSO** and choose **SAML**.
+3. Enter:
+   - **Provider**: myorg-name-azure-saml (unique name for this provider)
+   - **Issuer URL**: the Azure SAML Entity ID (Identifier) from the Enterprise application (eg. `https://sts.windows.net/YOUR_TENANT_ID/`).
+   - **SSO URL**: the Azure Login URL (Single Sign-On URL) (eg. `https://login.microsoftonline.com/YOUR_TENANT_ID/saml2`)
+   - **Certificate**: the IdP signing certificate (x509 Base64) from Azure
+   - **Federation Metadata XML**: the Federation Metadata XML file from Azure
+   - **Domain**: the domain users use to authenticate via Azure AD (e.g. your organization domain like `acme.com`), not the Dokploy instance URL
+4. Save.
+
+## 3. Configure Azure (SAML)
+
+1. In your Enterprise application, go to **Single sign-on** → **SAML**.
+2. Under **Basic SAML Configuration**, set **Identifier (Entity ID)** if required (SP Entity ID from Dokploy) (eg. `https://your-dokploy-instance.com`).
+3. Set **Reply URL (Assertion Consumer Service URL)** to your Dokploy SAML ACS URL (eg. `https://your-dokploy-instance.com/api/auth/sso/saml2/callback/myorg-name-azure-saml`).
+3. Save.
+
+## Troubleshooting (SAML)
+
+- **ACS URL mismatch** — Ensure the Reply URL (ACS) in Azure matches exactly what Dokploy provides (including protocol and path).
+- **Certificate** — Use the Certificate (Base64) from Azure; paste as-is or convert to PEM if Dokploy expects PEM.
+- **Entity ID** — The Entity ID in Dokploy must match the Identifier (Entity ID) of the Azure Enterprise application.
+
+</Tab>
+</Tabs>
+
+For help with your setup, [contact us](https://dokploy.com/contact).

apps/docs/content/docs/core/enterprise/sso/index.mdx

@@ -0,0 +1,17 @@
+---
+title: Single Sign-On (SSO)
+description: Configure SSO with Auth0, Keycloak, or other OIDC/SAML providers
+---
+
+Enterprise supports Single Sign-On via OpenID Connect (OIDC) and SAML. You can use Auth0, Keycloak, or any compatible identity provider.
+
+Choose a provider below for step-by-step configuration:
+
+- **[Auth0](/docs/core/enterprise/sso/auth0)** — Cloud identity platform
+- **[Azure AD (Microsoft Entra ID)](/docs/core/enterprise/sso/azure)** — Microsoft's cloud identity platform
+- **[Okta](/docs/core/enterprise/sso/okta)** — Cloud identity platform
+- **[Keycloak](/docs/core/enterprise/sso/keycloak)** — Open-source identity and access management
+
+You can also use any other OIDC/SAML provider by configuring the endpoints and flow manually.
+
+For other OIDC/SAML providers, use the same endpoints and flow; [contact us](https://dokploy.com/contact) if you need help.

apps/docs/content/docs/core/enterprise/sso/keycloak.mdx

@@ -0,0 +1,48 @@
+---
+title: Keycloak
+description: Configure SSO with Keycloak
+---
+
+## 1. Create a client in Keycloak
+
+1. Log in to your Keycloak Admin Console.
+2. Select your realm (or create one).
+3. Go to **Clients** → **Create client**.
+4. Set **Client ID** (e.g. `my-client-id`) and **Client type** to **OpenID Connect**.
+5. Set **Root URL** to your Dokploy base URL, e.g. `https://your-dokploy-domain.com`.
+6. Save.
+7. Open the client, set **Access type** to **confidential**, then open the **Credentials** tab and note the **Secret**.
+8. From **Realm settings** → **OpenID Endpoint Configuration**, note the **Issuer** (e.g. `https://keycloak.example.com/realms/your-realm`).
+
+## 2. Configure Dokploy
+
+1. In Dokploy, go to **Settings** (or **Organization** / **Security** in Enterprise).
+2. Enable **SSO** and choose **OpenID Connect**.
+3. Enter:
+   - **Provider**: my-client-id (Unique)
+   - **Issuer URL**: your Keycloak realm URL (e.g. `https://keycloak.example.com/realms/your-realm`)
+   - **Domain**: the domain users use to authenticate via Keycloak (e.g. your organization domain like `acme.com`), not the Dokploy instance URL
+   - **Client ID**: my-client-id
+   - **Client Secret**: the secret from the Keycloak client Credentials tab
+   - **Scopes**: openid email profile
+4. Save.
+
+## 3. Configure Keycloak
+
+1. In your Keycloak client, go to **Settings**.
+2. Set **Valid redirect URIs** to your Dokploy callback URL, for example:
+   - `https://your-dokploy-domain.com/api/auth/callback/my-client-id`
+3. Set **Valid post logout redirect URIs** to:
+   - `https://your-dokploy-domain.com`
+4. Set **Allowed Origins** to:
+   - `https://your-dokploy-domain.com`
+5. Save changes.
+
+## Troubleshooting
+
+- **Redirect URI mismatch** — Ensure the callback URL in Dokploy matches exactly what is configured in Keycloak (including protocol and path). Use the same **Provider** value in the path (e.g. `.../api/auth/callback/myorg-name-keycloak`).
+- **Invalid client** — Double-check Client ID and Client Secret, and that the client is enabled and set to confidential access.
+- **Scopes** — Ensure the client is configured to request `openid` and, if required, `email` and `profile`.
+- **Attribute mapping** — If user email or name is missing, map Keycloak attributes (e.g. email, preferred_username) in Dokploy if your setup supports it.
+
+For help with your setup, [contact us](https://dokploy.com/contact).

apps/docs/content/docs/core/enterprise/sso/meta.json

@@ -0,0 +1,9 @@
+{
+	"title": "SSO",
+	"pages": [
+		"auth0",
+		"azure",
+		"keycloak",
+		"okta"
+	]
+}