A transparent reverse proxy that sits in front of Umami and handles OIDC authentication. Users hit the proxy, authenticate via your SSO provider, and get passed through to Umami. Zero Umami code chang
Your company uses Keycloak/Azure AD/Okta for single sign-on. Umami doesn't support OIDC natively. You're stuck with separate credentials or can't use Umami at all.
A transparent reverse proxy that sits in front of Umami and handles OIDC authentication. Users hit the proxy, authenticate via your SSO provider, and get passed through to Umami. Zero Umami code changes.
Deploy the OIDC proxy in front of your Umami instance
Configure your OIDC provider (Keycloak, Azure AD, Okta, etc.)
Users visit the proxy URL instead of Umami directly
Unauthenticated users get redirected to SSO login, then back to Umami
Here's what it looks like in action:
Works with Keycloak, Authentik, Azure AD, Okta, Auth0, or any OpenID Connect provider.
First-time SSO users are automatically created in Umami. No manual account setup.
The Umami tracking script and /api/send endpoint work without authentication. Your website analytics keep working.
Runs as a reverse proxy. Umami doesn't know it's there. Upgrade Umami independently.
Full source code, Dockerfile, docker-compose.yml, OIDC setup guide, email support
โ ๏ธ Requirements: Umami 2.x+ (self-hosted), OIDC provider with client credentials
No. The proxy is separate from Umami. Update Umami normally.
Still works. The proxy adds SSO on top. You can use either.
No. One-time purchase.
Questions? Email [email protected] ยท 14-day money-back guarantee