mirror of
https://github.com/Dokploy/website.git
synced 2026-07-14 10:25:24 +02:00
docs: update concurrency and SCIM provisioning details in documentation
- Revised the "Concurrent Builds" section to clarify that open-source users can configure concurrency between 1 and 100 without a license. - Updated the "Differences" table to reflect that concurrent builds are configurable in all self-hosted editions. - Added a new section for SCIM provisioning, detailing its functionality and configuration for user lifecycle management. - Adjusted descriptions across various documents to include SCIM provisioning and its integration with SSO.
This commit is contained in:
@@ -21,16 +21,13 @@ This means increasing concurrency lets **different** applications on the same se
|
||||
|
||||
By default, every server, the Dokploy server and any remote server, has a concurrency of **1**. This means builds on that server run one at a time.
|
||||
|
||||
## Limits by Plan
|
||||
## Limits
|
||||
|
||||
<Callout type="info">
|
||||
Concurrent builds are a self-hosted feature and are configured per server. They are not available on Dokploy Cloud.
|
||||
Concurrent builds are a self-hosted feature and are configured per server. They are not available on Dokploy Cloud, where build scheduling is managed by the platform.
|
||||
</Callout>
|
||||
|
||||
- **OSS (free)**: You can increase concurrency up to a maximum of **2** per server.
|
||||
- **Enterprise**: With a valid enterprise license, concurrency is **unlimited** and can be set to any value per server.
|
||||
|
||||
If you set a value higher than 2 without a valid enterprise license, Dokploy will reject the change until a valid license is applied. If a license expires, concurrency is automatically clamped back down to the OSS limits so deployments keep working without breaking anything.
|
||||
Concurrent builds are fully available in the open-source version — no license required. You can set each server's concurrency to any value between **1** and **100**.
|
||||
|
||||
## Configuring Concurrency
|
||||
|
||||
|
||||
@@ -21,23 +21,24 @@ Dokploy comes in four editions: **Self-Hosted (OSS)**, **Cloud**, **Enterprise S
|
||||
| **Basic roles** (Owner, Admin, Member) | ✅ | ✅ | ✅ | ✅ |
|
||||
| **Custom roles** (granular permissions) | ❌ | Plan-dependent | ✅ | ✅ |
|
||||
| **SSO (OIDC / SAML)** | ❌ | ❌ | ✅ | ✅ |
|
||||
| **SCIM provisioning** (automated user lifecycle) | ❌ | ❌ | ✅ | ✅ |
|
||||
| **Application Authentication** (SSO gate for your apps) | ❌ | ❌ | ✅ | ✅ |
|
||||
| **Audit logs** | ❌ | ❌ | ✅ | ✅ |
|
||||
| **Whitelabeling** | ❌ | ❌ | ✅ | ❌ |
|
||||
| **Concurrent builds per server** | Up to 2 | Managed | Unlimited | Managed |
|
||||
| **Concurrent builds per server** | ✅ Configurable | Managed | ✅ Configurable | Managed |
|
||||
| **Advanced monitoring dashboard** | Basic monitoring | ✅ | Basic monitoring | ✅ |
|
||||
| **Support** | Community (Discord) | Email & Chat | Priority | Priority with SLA |
|
||||
|
||||
<Callout type="info">
|
||||
The core deployment experience is identical in every edition — the differences are in team/enterprise capabilities (SSO, custom roles, audit logs, whitelabeling), build concurrency, and who operates the control plane.
|
||||
The core deployment experience is identical in every edition — the differences are in team/enterprise capabilities (SSO, SCIM provisioning, custom roles, audit logs, whitelabeling) and who operates the control plane. [Concurrent builds](/docs/core/concurrent-builds) are included in every self-hosted edition, no license required.
|
||||
</Callout>
|
||||
|
||||
## Enterprise: Cloud vs Self-Hosted
|
||||
|
||||
There are **two ways to get Enterprise**, and they are not the same thing:
|
||||
|
||||
- **Enterprise Self-Hosted** — you run your own Dokploy instance and activate a [license key](/docs/core/enterprise/license-keys) issued by the Dokploy team. You keep full control of your infrastructure (including air-gapped setups) and unlock SSO, custom roles, audit logs, [Application Authentication](/docs/core/enterprise/sso/application-authentication), **whitelabeling**, and **unlimited concurrent builds** per server.
|
||||
- **Enterprise Cloud** — the Dokploy team manages the control plane for you with a custom plan. You get the same enterprise capabilities (SSO, custom roles, audit logs, Application Authentication) plus managed uptime, automatic updates, and priority support with SLA.
|
||||
- **Enterprise Self-Hosted** — you run your own Dokploy instance and activate a [license key](/docs/core/enterprise/license-keys) issued by the Dokploy team. You keep full control of your infrastructure (including air-gapped setups) and unlock SSO, [SCIM provisioning](/docs/core/enterprise/scim), custom roles, audit logs, [Application Authentication](/docs/core/enterprise/sso/application-authentication), and **whitelabeling**.
|
||||
- **Enterprise Cloud** — the Dokploy team manages the control plane for you with a custom plan. You get the same enterprise capabilities (SSO, SCIM provisioning, custom roles, audit logs, Application Authentication) plus managed uptime, automatic updates, and priority support with SLA.
|
||||
|
||||
<Callout type="info">
|
||||
Both Enterprise flavors include **all upcoming Enterprise features**: every new Enterprise capability we release is automatically part of your license or plan, at no extra cost.
|
||||
@@ -50,7 +51,6 @@ Key differences between the two Enterprise flavors:
|
||||
| **Activation** | License key on your instance | Cloud subscription |
|
||||
| **Control plane uptime & updates** | Your responsibility | Managed by Dokploy |
|
||||
| **Whitelabeling** | ✅ | ❌ (control plane is shared infrastructure) |
|
||||
| **Concurrent builds** | Unlimited, configured per server | Managed by the platform |
|
||||
| **Air-gapped / private networks** | ✅ | ❌ |
|
||||
| **Advanced monitoring dashboard** | Basic monitoring | ✅ |
|
||||
|
||||
@@ -145,6 +145,7 @@ If you choose Dokploy Cloud, there are several plans depending on your needs:
|
||||
| **RBAC** | Basic (Owner, Admin, Member) | Basic (Admin/Developer roles) | Fine-grained + custom roles | Fine-grained + custom roles |
|
||||
| **2FA** | ❌ | ✅ | ✅ | ✅ |
|
||||
| **SSO / SAML** | ❌ | ❌ | ✅ | ✅ |
|
||||
| **SCIM provisioning** | ❌ | ❌ | ✅ | ✅ |
|
||||
| **Audit logs** | ❌ | ❌ | ✅ | ✅ |
|
||||
| **White labeling** | ❌ | ❌ | ✅ | ✅ |
|
||||
| **Support** | Community (Discord) | Email & Chat | Priority with SLA | Partner team |
|
||||
@@ -157,5 +158,5 @@ Annual billing saves **20%** on all plans. See the [Pricing](https://dokploy.com
|
||||
|
||||
- **Hobby** — You're a solo developer deploying personal projects or small client sites on a single server.
|
||||
- **Startup** — You have a team, need multiple environments (production, staging, dev), and want unlimited backups and scheduled jobs.
|
||||
- **Enterprise** — You need SSO/SAML, audit logs, white labeling, custom roles with fine-grained permissions, and priority support with SLA.
|
||||
- **Enterprise** — You need SSO/SAML, SCIM provisioning, audit logs, white labeling, custom roles with fine-grained permissions, and priority support with SLA.
|
||||
- **Agency** — You manage infrastructure for multiple clients and need a tailored partnership.
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Introduction
|
||||
description: Enterprise features for SSO, application authentication, custom roles, audit logs, whitelabeling, and unlimited concurrent builds
|
||||
description: Enterprise features for SSO, SCIM provisioning, application authentication, custom roles, audit logs, and whitelabeling
|
||||
---
|
||||
|
||||
|
||||
@@ -8,19 +8,19 @@ description: Enterprise features for SSO, application authentication, custom rol
|
||||
|
||||
Enterprise comes in two flavors:
|
||||
|
||||
- **Enterprise Self-Hosted** — activate a [license key](/docs/core/enterprise/license-keys) on your own instance. Includes whitelabeling and unlimited [concurrent builds](/docs/core/concurrent-builds), and works in air-gapped environments.
|
||||
- **Enterprise Self-Hosted** — activate a [license key](/docs/core/enterprise/license-keys) on your own instance. Includes whitelabeling and works in air-gapped environments.
|
||||
- **Enterprise Cloud** — a custom Dokploy Cloud plan with the control plane managed by us, automatic updates, and priority support with SLA.
|
||||
|
||||
Both include SSO, custom roles, audit logs, and Application Authentication. See the full [edition comparison](/docs/core/differences#editions-at-a-glance) for the differences.
|
||||
Both include SSO, SCIM provisioning, custom roles, audit logs, and Application Authentication. See the full [edition comparison](/docs/core/differences#editions-at-a-glance) for the differences.
|
||||
|
||||
## What's included
|
||||
|
||||
- **Single Sign-On (SSO)** — Integrate with Auth0, Keycloak, or other OIDC/SAML providers. [Read more →](/docs/core/enterprise/sso)
|
||||
- **SCIM Provisioning** — Automatically provision, update, and deactivate users from your identity provider (Okta, Microsoft Entra ID, JumpCloud, and any SCIM 2.0 compatible IdP). [Read more →](/docs/core/enterprise/scim)
|
||||
- **Application Authentication (Forward Auth)** — Put an SSO login gate in front of your deployed applications, powered by oauth2-proxy and Traefik. [Read more →](/docs/core/enterprise/sso/application-authentication)
|
||||
- **Custom Roles** — Create custom roles with granular permissions beyond the default Owner, Admin, and Member roles. [Read more →](/docs/core/enterprise/custom-roles)
|
||||
- **Audit Logs** — Track every action performed by members in your organization for security and compliance. [Read more →](/docs/core/enterprise/audit-logs)
|
||||
- **Whitelabeling** — Rebrand the UI with your logo, colors, and domain (self-hosted only). [Read more →](/docs/core/enterprise/whitelabeling)
|
||||
- **Unlimited Concurrent Builds** — Remove the OSS limit of 2 concurrent builds per server and set any concurrency you need (self-hosted only). [Read more →](/docs/core/concurrent-builds)
|
||||
- **All upcoming Enterprise features** — every new Enterprise feature we ship is automatically included in your license or plan, at no extra cost.
|
||||
|
||||
More Enterprise features are on the way. [Contact us](https://dokploy.com/contact) if you want early access or have specific requirements.
|
||||
@@ -31,4 +31,4 @@ For pricing and to enable Enterprise features on your instance, get in touch wit
|
||||
|
||||
**[Contact us →](https://dokploy.com/contact)**
|
||||
|
||||
We'll help you configure SSO, whitelabeling, custom roles, and audit logs for your organization.
|
||||
We'll help you configure SSO, SCIM, whitelabeling, custom roles, and audit logs for your organization.
|
||||
|
||||
97
apps/docs/content/docs/core/enterprise/scim.mdx
Normal file
97
apps/docs/content/docs/core/enterprise/scim.mdx
Normal file
@@ -0,0 +1,97 @@
|
||||
---
|
||||
title: SCIM Provisioning
|
||||
description: Automatically provision, update, and deactivate users from your identity provider with SCIM 2.0
|
||||
---
|
||||
|
||||
import { Callout } from "fumadocs-ui/components/callout";
|
||||
|
||||
Enterprise supports **SCIM 2.0** (System for Cross-domain Identity Management) user provisioning. Connect your identity provider — Okta, Microsoft Entra ID, JumpCloud, or any SCIM 2.0 compatible IdP — and Dokploy will automatically create, update, deactivate, and remove users in your organization as your directory changes. When someone joins the team they get access, and when they leave it is revoked automatically, with no manual cleanup.
|
||||
|
||||
<Callout type="info">
|
||||
SCIM provisioning is an Enterprise feature. It requires a valid [license key](/docs/core/enterprise/license-keys) on self-hosted instances, or an Enterprise Cloud plan.
|
||||
</Callout>
|
||||
|
||||
## How it works
|
||||
|
||||
- **SCIM complements [SSO](/docs/core/enterprise/sso)**: SSO handles *authentication* (how users log in), while SCIM handles the *user lifecycle* (which users exist and whether they are active). They are configured independently — you can use SCIM with or without SSO.
|
||||
- Each SCIM connection is identified by a **provider ID** you choose (e.g. `okta`) and authenticated with a **Bearer token** that Dokploy generates for you.
|
||||
- The token is scoped to the **organization** it was created in. Users provisioned by your IdP are added to that organization with the **Member** role.
|
||||
|
||||
## Configure Dokploy
|
||||
|
||||
1. Go to **Settings** → **SSO** and click **Manage SCIM**.
|
||||
2. Copy the **SCIM 2.0 endpoint URL**. It has the form:
|
||||
|
||||
```
|
||||
https://your-dokploy-domain.com/api/auth/scim/v2
|
||||
```
|
||||
|
||||
3. Under **Generate token for a new provider**, enter a unique **provider ID** for this IdP connection — lowercase letters, numbers, and dashes (e.g. `okta`, `entra`, `jumpcloud`) — and click **Generate**.
|
||||
4. Copy the generated **Bearer token**.
|
||||
|
||||
<Callout type="warn">
|
||||
The Bearer token is displayed **only once**, right after it is generated. Store it securely and paste it into your IdP's SCIM configuration. To rotate a token, delete the provider and generate a new one, then update your IdP with the new token.
|
||||
</Callout>
|
||||
|
||||
You can configure multiple SCIM providers (one per IdP connection), and delete a provider at any time from the same dialog. Deleting a provider does not remove already-provisioned users — it only stops the IdP from syncing.
|
||||
|
||||
## Configure your identity provider
|
||||
|
||||
In your IdP's SCIM (automatic provisioning) settings, you generally need two values:
|
||||
|
||||
- **Base URL / Tenant URL**: your SCIM endpoint URL (`https://your-dokploy-domain.com/api/auth/scim/v2`)
|
||||
- **Authentication**: OAuth Bearer Token — paste the token generated by Dokploy
|
||||
|
||||
### Okta
|
||||
|
||||
1. In the [Okta Admin Console](https://login.okta.com/), open your app integration and enable **SCIM provisioning** (or create an app from the **SCIM 2.0 Test App (OAuth Bearer Token)** template).
|
||||
2. In the **Provisioning** tab, set the **SCIM connector base URL** to your Dokploy SCIM endpoint URL.
|
||||
3. Set the **unique identifier field for users** to `userName` and choose **HTTP Header** authentication, pasting the Bearer token from Dokploy.
|
||||
4. Under **Provisioning to App**, enable **Create Users**, **Update User Attributes**, and **Deactivate Users**.
|
||||
5. Assign the users you want provisioned to the application.
|
||||
|
||||
### Microsoft Entra ID (Azure AD)
|
||||
|
||||
1. In the [Microsoft Entra admin center](https://entra.microsoft.com/), go to **Enterprise applications** → your application → **Provisioning**.
|
||||
2. Set **Provisioning Mode** to **Automatic**.
|
||||
3. Set **Tenant URL** to your Dokploy SCIM endpoint URL and **Secret Token** to the Bearer token from Dokploy.
|
||||
4. Click **Test Connection**, save, and assign the users you want provisioned.
|
||||
|
||||
Any other SCIM 2.0 compliant IdP works the same way: point it at the endpoint URL and authenticate with the Bearer token.
|
||||
|
||||
## Supported operations
|
||||
|
||||
Dokploy implements the SCIM 2.0 **User** resource:
|
||||
|
||||
| Operation | Endpoint | Description |
|
||||
|---|---|---|
|
||||
| Provision | `POST /Users` | Create a user and add them to your organization |
|
||||
| List / filter | `GET /Users` | List provisioned users (supports `filter`) |
|
||||
| Read | `GET /Users/{id}` | Fetch a single user |
|
||||
| Replace | `PUT /Users/{id}` | Replace a user's attributes |
|
||||
| Update | `PATCH /Users/{id}` | Partial update, including activate/deactivate |
|
||||
| Deprovision | `DELETE /Users/{id}` | Remove the user from your organization |
|
||||
|
||||
The discovery endpoints (`/ServiceProviderConfig`, `/Schemas`, `/ResourceTypes`) are also available so IdPs can auto-detect capabilities.
|
||||
|
||||
<Callout type="info">
|
||||
The **Groups** resource is not supported. All provisioned users join the organization with the **Member** role — to grant broader access, change their role manually or assign a [custom role](/docs/core/enterprise/custom-roles) in Dokploy.
|
||||
</Callout>
|
||||
|
||||
## User lifecycle
|
||||
|
||||
| Action in your IdP | Effect in Dokploy |
|
||||
|---|---|
|
||||
| Assign / provision a user | User account is created and added to your organization as **Member** |
|
||||
| Update profile (name, email) | The user's attributes are updated |
|
||||
| Suspend / deactivate (`active: false`) | User is marked **Deactivated** and all their sessions are revoked |
|
||||
| Reactivate (`active: true`) | Access is restored |
|
||||
| Unassign / deprovision (`DELETE`) | User is removed from your organization |
|
||||
|
||||
You can see each member's **Status** (Active / Deactivated) in the users table under **Settings** → **Users**.
|
||||
|
||||
## Limitations
|
||||
|
||||
- **No group provisioning** — the Groups resource is not supported, so group-to-role mapping is not available. Roles are managed in Dokploy.
|
||||
- **Existing users are not linked** — SCIM only creates new users. If a user with the same email already exists in Dokploy, provisioning them returns a `409 Conflict`. Keep managing existing accounts manually, or remove them so the IdP can provision them fresh.
|
||||
- **Tokens are shown once** and cannot be rotated in place — delete the provider and generate a new one to rotate.
|
||||
@@ -24,3 +24,7 @@ For other OIDC/SAML providers, use the same endpoints and flow; [contact us](htt
|
||||
## Application Authentication
|
||||
|
||||
Once you have an OIDC provider configured, you can also use it to protect your **deployed applications** behind an SSO login gate, see [Application Authentication](/docs/core/enterprise/sso/application-authentication).
|
||||
|
||||
## SCIM Provisioning
|
||||
|
||||
SSO handles how users **log in**. To automatically create, update, and deactivate users from your identity provider as your directory changes, see [SCIM Provisioning](/docs/core/enterprise/scim).
|
||||
|
||||
@@ -60,6 +60,7 @@
|
||||
"enterprise/index",
|
||||
"enterprise/license-keys",
|
||||
"enterprise/sso",
|
||||
"enterprise/scim",
|
||||
"enterprise/whitelabeling",
|
||||
"enterprise/custom-roles",
|
||||
"enterprise/audit-logs",
|
||||
|
||||
Reference in New Issue
Block a user