How to Configure Single Sign-On for Kubernetes Clusterspublic

Validated on 19 May 2026 • Last edited on 19 May 2026

DigitalOcean Kubernetes (DOKS) is a Kubernetes service with a fully managed control plane, high availability, and autoscaling. DOKS integrates with standard Kubernetes toolchains and DigitalOcean’s load balancers, volumes, CPU and GPU Droplets, API, and CLI.

Copy page as Markdown View page as Markdown

DigitalOcean Kubernetes (DOKS) supports single sign-on (SSO) using OpenID Connect (OIDC). This lets you connect your organization’s identity provider (IdP), like Okta or Auth0, to your Kubernetes clusters so users can sign in with their existing credentials instead of using token-based authentication.

SSO is configured per cluster. Each cluster has its own OIDC settings, independent of any team-level SSO you may have configured for the DigitalOcean Control Panel.

Note
This feature is in public preview. It is available without the need to opt in.

You can enable SSO on a new or existing cluster by passing the client ID and issuer URL of your OIDC application (sometimes called an integration or client).

The kubeconfig for an SSO-enabled cluster includes a command that opens your IdP in a browser for you to sign in. After a successful login, kubectl obtains an ID token with email and team_role claims that the kube-apiserver uses to perform authorization. The team_role claim contains the names of DigitalOcean roles that the user belongs to, such as Owner, Modifier, or Biller, as well as custom roles. The level of access inside a DOKS cluster is determined by the user’s role(s).

Configure Your Identity Provider

Complete the following steps in your IdP:

  1. Create groups associated with DigitalOcean roles and assign users to these groups.
  2. Create an application that supports the Proof Key for Code Exchange (PKCE) extension. If you already use SSO for Teams, you need a separate application for DOKS.
  3. Ensure the team_role claim is available on the ID tokens issued for your application.
  4. Locate the client ID and issuer URL to pass when creating or updating your cluster.

Configure Groups and Roles

For each DigitalOcean role you want to use with your DOKS cluster, create an Auth0 role. Set the name of the role to the DigitalOcean role name prefixed with DO: (for example, DO:Owner or DO:My Custom Role). This prefix ensures roles associated with DigitalOcean do not conflict with other roles in your IdP.

Assign users to the newly created roles.

For each DigitalOcean role you want to use with your DOKS cluster, create a group. Set the name of the group to the DigitalOcean role name prefixed with DO: (for example, DO:Owner or DO:My Custom Role). This prefix ensures groups associated with DigitalOcean do not conflict with other groups in your IdP.

Assign users to the newly created groups.

For each DigitalOcean role you want to use with your DOKS cluster, create a group with the same name as the role. Assign users to the newly created groups.

Create a new realm or select your existing realm for your organization.

Create a group for each DigitalOcean role you want to use with your DOKS cluster. The name of the group can be arbitrary. To map the group to a DigitalOcean role, open the Attributes tab for the group and add an attribute with the key team_role and a value that exactly matches the DigitalOcean role name (for example, Owner, Modifier, or My Custom Role).

For each DigitalOcean role you want to use with your DOKS cluster, create a group. Set the name of the group to the DigitalOcean role name prefixed with DO: (for example, DO:Owner or DO:My Custom Role). This prefix ensures groups associated with DigitalOcean do not conflict with other groups in your IdP.

Assign users to the newly created groups.

Configure an OIDC Application

Create an application of type Single Page Application. This application type does not require clients to present a client secret and uses PKCE to enhance security.

In the Settings tab, add http://localhost:8080/callback to Allowed Callback URLs. This allows the doctl DOKS authentication command to complete the authorization flow locally.

Create a new application and provider pair. Set the provider type to OAuth2/OpenID, choose the explicit authorization flow, and set the client type to Public. With this configuration, clients do not present a client secret and use PKCE to enhance security.

Add http://localhost:8080/callback to the allowed redirect URIs so the doctl DOKS authentication command can complete the authorization flow locally.

Create an application with the following settings:

  • Select Custom Application as the type.
  • Under features, choose Manage Single Sign-On (SSO) with Configure SSO with OIDC.

On the SSO tab for your new application:

  • Choose Public as the client authentication type. Clients do not present a client secret and use PKCE to enhance security.
  • Set the redirect URL to http://localhost:8080/callback so the doctl DOKS authentication command can complete the authorization flow locally.
  • Set the login URL to http://localhost:8080/login.

On the User Groups tab, assign the application to every group that should have access to DOKS clusters.

Create a new client in the same realm where you created groups. Use the following settings:

  • Client type: OpenID Connect
  • Client ID: any descriptive string

Keep Client authentication disabled so clients do not present a client secret and use PKCE to enhance security.

Keep Standard flow and Direct access grants enabled for the authentication flow.

Add http://localhost:8080/callback to the allowed redirect URIs so the doctl DOKS authentication command can complete the authorization flow locally.

Create an app integration with the following settings:

  • For the sign-in method, choose OIDC - OpenID Connect.
  • For the application type, choose Single-Page Application. This type does not require clients to present a client secret and uses PKCE to enhance security.
  • Set Sign-in redirect URIs to http://localhost:8080/callback so the doctl DOKS authentication command can complete the authorization flow locally.
  • Under Assignments, set Controlled access to Skip group assignment for now.

Open the Assignments tab for your DigitalOcean SSO app, choose Assign, then Assign to Groups, and assign the DO:-prefixed groups you created earlier.

Set Up the team_role Claim

Create a custom post-login action named DigitalOcean Role Mapping. You might already have this action if you set up SSO for DigitalOcean Control Panel, in which case you may skip this step.

When you create the action, select Login/Post Login as the trigger. Use the following code to map only Auth0 roles whose names start with DO: into the team_role custom claim, with the prefix removed, in the ID token response:

exports.onExecutePostLogin = async (event, api) => {
  const roles = event.authorization?.roles || [];
  api.idToken.setCustomClaim(
    'team_role',
    roles.filter((role) => role.startsWith('DO:')).map((role) => role.slice('DO:'.length))
  );
};

Attach the action to the login flow. Drag your action between Start and Complete, then save the flow.

Create a custom property mapping of type Scope Mapping. The name can be arbitrary. Set Scope name to team_role and use the following expression:

do_roles = [group.name[3:] for group in request.user.ak_groups.all() if group.name and group.name[:3] == "DO:"]
return {"team_role": do_roles}

This expression selects only the groups associated with DigitalOcean and returns them under the team_role custom claim.

Open the provider for your application and choose Edit. Under Advanced protocol settings, open the Scopes section and add the new custom mapping to Selected scopes. Do not remove the default selected scopes.

On the SSO tab in the application settings, open the Attribute Mapping section, select Include Group Attribute, and set team_role as the name. The groups in this claim are not limited to DigitalOcean roles and include all of the user’s groups.

Go to Client scopes and create a new scope named team_role. Turn Include in token scope on. After the scope is created, open the Mappers tab for this scope and add a mapper of type User attribute with these settings:

  • Name: team_role
  • User attribute: team_role
  • Token claim name: team_role

Turn the following options on:

  • Add to ID token
  • Multivalued
  • Aggregate attribute values

Then open the client you created for DOKS, go to the Client scopes tab, and add the scope you created as an optional client scope.

In the app you created in the previous step, open the Sign On tab. Add a token claims expression with name team_role and the following expression:

user.getGroups({'group.profile.name': 'DO:.*'}).![profile.name.replaceFirst('DO:', '')]

This expression removes the DO: substring from matching group names and returns the result as the team_role claim.

Locate Your IdP Settings

On the application overview page, find the Domain and Client ID for your app. Build the issuer URL by prefixing the domain with https:// and appending a trailing /, for example https://your_tenant.auth0.com/.

You can find the client ID and issuer URL on the overview page for your application’s provider.

Copy the client ID from the application page (SSO tab).

Find the issuer URL for your geographic zone in JumpCloud’s OIDC SSO documentation.

Open Realm settings and click OpenID Endpoint Configuration at the bottom of the page. The output contains your issuer URL.

You can find the client ID on the Settings tab of the client you created for DOKS.

You can find the client ID on the general overview page for your application.

The issuer URL is your Okta domain prefixed with https://, for example https://your_application.okta.com. Find your Okta domain by clicking your username in the upper-right corner of the Admin Console.

Enable SSO on a Cluster

After your IdP is configured, enable SSO on a DOKS cluster using doctl with the client ID and issuer URL from the previous step.

To create a new cluster with SSO enabled:

doctl kubernetes cluster create <your_cluster_name> \
  --node-pool "name=mypool;count=1" \
  --sso-enabled=true \
  --sso-issuer-url=<your_issuer_url> \
  --sso-client-id=<your_client_id>

To enable SSO on an existing cluster:

doctl kubernetes cluster update <your_cluster_id> \
  --sso-enabled=true \
  --sso-issuer-url=<your_issuer_url> \
  --sso-client-id=<your_client_id>

Connect to an SSO-Enabled Cluster

After enabling SSO, download a new kubeconfig for the cluster:

doctl kubernetes cluster kubeconfig show <your_cluster_id>

SSO-enabled clusters require doctl on every machine that accesses the cluster, including when you download kubeconfigs from the Control Panel. The kubeconfig uses doctl as an exec-based credential plugin. When you run a kubectl command, doctl opens a browser window for you to authenticate with your identity provider. After you authenticate, doctl caches the ID token locally. Subsequent kubectl commands use the cached token until it expires. Token expiry is configured in your IdP.

The kubeconfig for an SSO-enabled cluster includes an exec block like the following:

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: <your-ca>
    server: <your-cluster-url>
  name: do-tor1-auth0-sso
contexts:
- context:
    cluster: do-tor1-auth0-sso
    user: do-tor1-auth0-sso-admin
  name: do-tor1-auth0-sso
current-context: do-tor1-auth0-sso
kind: Config
users:
- name: do-tor1-auth0-sso-admin
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      args:
      - kubernetes
      - cluster
      - kubeconfig
      - exec-credential
      - --version
      - v1beta1
      - --sso-client-id
      - <your-client-id>
      - --sso-issuer-url
      - <your-issuer-url>
      - <your-cluster-id>
      command: doctl
      interactiveMode: IfAvailable

To confirm you can access the cluster and view your assigned roles, run kubectl auth whoami:

kubectl auth whoami

The output shows your username and the Kubernetes groups assigned to you based on your role mapping:

ATTRIBUTE    VALUE
Username     [email protected]
ID           b4fa03bd-df61-4d36-a734-8f27f7fedd94
Groups       [do-role-name:custom-role do-role-name:Owner system:authenticated]

Role Mapping

  1. You assign users to groups (or roles) in your IdP’s DOKS application.
  2. The team_role claim returns the DigitalOcean role names for the user.
  3. DOKS translates each DigitalOcean role to a Kubernetes group prefixed with do-role-name:. For example, a user assigned the Owner DigitalOcean role gets the Kubernetes group do-role-name:Owner.

Predefined team roles like Owner and Member are automatically bound to Kubernetes ClusterRoles. Custom DigitalOcean roles use the same do-role-name: prefix but are not bound to any ClusterRole by default, so you must create your own RoleBindings or ClusterRoleBindings. For the full access table and binding examples, see Set RoleBindings for Custom Roles.

Token Lifetime and Revocation

When you deactivate a user in your IdP, their existing ID token continues to work until it expires. Access is revoked according to the token and session settings your IdP enforces. Adjust your IdP’s token time-to-live (TTL) to control how long access persists after revocation.

We can't find any results for your search.

Try using different keywords or simplifying your search terms.