Semaphore Docs


OpenID provider configuration
Semaphore supports authentication via OpenID.
Multiple OIDC providers can be configured in config.json:
    # ...
    "oidc_providers": {
        "mysso": { # The ID of the provider; it is used as a URL path component in the redirect URL
            "display_name": "Sign in with MySSO", # Text on the additional login button
            "provider_url": "", # Root URL of the OIDC provider, expects /.well-known/openid-configuration below this URL
            "client_id": "556e8e0a-bba8-49e8-af80-eae6db863b23",
            "client_secret": "ad497288-34bf-4452-bff6-2c218992f906",
            # "redirect_url": "${web_host}/api/auth/oidc/${provider}/redirect", # default value, the OIDC provider redirects back here
            # "scopes": ["openid", "profile", "email"], # default value, OIDC scopes
            # "username_claim": "preferred_username", # default value, id_token claim to use as the username
            # "name_claim": "preferred_username", # default value, id_token claim to use as the display name
            # "email_claim": "email" # default value, id_token claim to use as the email address

            # If the OIDC provider does not offer a /.well-known/openid-configuration, the endpoints can be
            # configured manually. In this case, the "provider_url" must be omitted.
            # "endpoint": {
            #     "issuer": "",
            #     "auth": "",
            #     "token": "",
            #     "userinfo": "",
            #     "jwks": "",
            #     "algorithms": ["HS256", ...]
            # }
        }
    }
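
A pre-deployment check for an `oidc_providers` block like the one above, as an added example (not code from Semaphore or its docs). The function name `lint_oidc_providers`, the rule set and the sample hosts are assumptions made here: the rules follow the comments in the config above, plus two general OIDC hardening checks (HTTPS URLs, no `none` algorithm). It expects comment-free JSON with URLs written out in full.

```python
import re
from urllib.parse import urlparse

PLACEHOLDER_SECRETS = {"", "your_secret"}  # "your_secret" is the placeholder used on this page

def lint_oidc_providers(config: dict) -> list:
    """Return findings for the "oidc_providers" block of a parsed config.json."""
    findings = []
    for pid, p in config.get("oidc_providers", {}).items():
        def flag(msg):
            findings.append(f"{pid}: {msg}")
        # The ID becomes a path component of the redirect URL, so keep it URL-safe.
        if not re.fullmatch(r"[A-Za-z0-9_-]+", pid):
            flag("provider ID is not URL-safe")
        # Discovery (provider_url) and manual endpoints are mutually exclusive.
        if bool(p.get("provider_url")) == ("endpoint" in p):
            flag("set exactly one of provider_url or endpoint")
        if not p.get("client_id"):
            flag("client_id is missing")
        if (p.get("client_secret") or "") in PLACEHOLDER_SECRETS:
            flag("client_secret is missing or a placeholder")
        endpoint = p.get("endpoint", {})
        # Hardening assumption: every URL that carries codes or tokens uses HTTPS.
        urls = {"provider_url": p.get("provider_url"), "redirect_url": p.get("redirect_url")}
        urls.update({f"endpoint.{k}": v for k, v in endpoint.items() if k != "algorithms"})
        for name, url in urls.items():
            if url and urlparse(url).scheme != "https":
                flag(f"{name} is not https")
        redirect = p.get("redirect_url")
        if redirect and not urlparse(redirect).path.endswith(f"/api/auth/oidc/{pid}/redirect"):
            flag("redirect_url path does not match this provider ID")
        if "scopes" in p and "openid" not in p["scopes"]:
            flag('scopes must include "openid"')
        if "none" in [a.lower() for a in endpoint.get("algorithms", [])]:
            flag('endpoint.algorithms must not allow "none"')
    return findings

# Constructed sample input (hosts and secrets are made up for this example).
SAMPLE = {"oidc_providers": {
    "mysso": {"provider_url": "https://sso.example.org", "client_id": "semaphore",
              "client_secret": "s3cr3t-from-vault",
              "redirect_url": "https://semaphore.example.org/api/auth/oidc/mysso/redirect"},
    "authelia": {"provider_url": "http://auth.example.org", "client_id": "semaphore",
                 "client_secret": "your_secret",
                 "redirect_url": "https://semaphore.example.org/api/auth/oidc/other/redirect",
                 "endpoint": {"issuer": "https://auth.example.org", "algorithms": ["none"]}},
}}

if __name__ == "__main__":
    print("\n".join(lint_oidc_providers(SAMPLE)))
```
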

Authelia config example

I set this up mostly the same way as the other apps in Authelia's docs. Here are the relevant sections of the config files for each (generate the client_secret according to the Authelia docs; this also assumes that you have the rest of the oidc_providers section configured in Authelia already):

Authelia config.yaml:

    - id: semaphore
      description: Semaphore
      secret: 'your_secret'
      public: false
      authorization_policy: two_factor
      scopes:
        - openid
        - profile
        - email
      userinfo_signing_algorithm: none

Semaphore config.json:

    "oidc_providers": {
        "authelia": {
            "display_name": "Authelia",
            "provider_url": "",
            "client_id": "semaphore",
            "client_secret": "your_secret",
            "redirect_url": ""
        }
    }

For each of the configured providers, an additional login button is added to the login page:
Screenshot of the Semaphore login page, with two login buttons. One says "Sign In", the other says "Sign in with MySSO"