supports single sign-on (SSO) authentication through a reverse proxy configuration, where the proxy provides user identity verification via HTTP headers. The setup requires proper configuration of authentication methods and header names, with critical security considerations around preventing direct server access and ensuring the proxy correctly manages user identity headers.

One way to accomplish single sign-on (SSO) in is by using a reverse proxy in front of . If that proxy has a way of knowing a proper username, user email, or other unique user identifier, you can let the proxy decide what username the user gets access as inside .

Configure the proxy using the AUTHENTICATION_METHOD and AUTH_BY_PROXY_HEADER_NAME environment variables.

AUTHENTICATION_METHOD=byproxy
AUTH_BY_PROXY_HEADER_NAME=name-of-http-header

The proxy must add a header with the username of the end user in the specified header. If the proxy leaves the header blank, the user does not get authenticated, and can only access shared dashboards.

uses the Authentication header as transport from the browser to the backend. Therefore, it is not possible to use a proxy that also uses this header. This rules out using https://github.com/bitly/oauth2_proxy.