getting applications to work with CA bundles<\/a>.<\/p>\n\n\n\nFor a quick dev setup tho, I just used a custom entrypoint script that patches Python\u2019s SSL context and adds Authentik\u2019s hostname to \/etc\/hosts:<\/p>\n\n\n\n
#!\/bin\/sh\nset -e\n# Resolve auth.yourdomain.com to Traefik inside the container\nIP=$(python3 -c \"import socket; print(socket.gethostbyname('traefik_traefik'))\")\necho \"$IP auth.yourdomain.com\" >> \/etc\/hosts\n# Patch SSL for self-signed certs\nSITE_DIR=$(python3 -c \"import sysconfig; print(sysconfig.get_paths()['purelib'])\")\ncat > \"$SITE_DIR\/sitecustomize.py\" << 'PYEOF'\nimport ssl as _ssl\n_orig = _ssl.create_default_context\ndef _patched(*a, **kw):\n ctx = _orig(*a, **kw)\n ctx.check_hostname = False\n ctx.verify_mode = _ssl.CERT_NONE\n return ctx\n_ssl.create_default_context = _patched\nPYEOF\ncd \/app\/backend\nexec bash start.sh<\/pre>\n\n\n\nObviously don\u2019t do this in production 🙃<\/p>\n\n\n\n
Role is set on every login<\/h3>\n\n\n\n
With ENABLE_OAUTH_ROLE_MANAGEMENT<\/code> enabled, Open WebUI updates the user\u2019s role on every SSO login based on the claim. So if you change the scope mapping in Authentik or add\/remove someone from the LDAP group, it takes effect on the next login, no need to manually update roles in Open WebUI.<\/p>\n\n\n\nFull docker compose example<\/h2>\n\n\n\n
Docker Swarm stack with Traefik labels (using LDAP group-based admin):<\/p>\n\n\n\n
version: \"3.8\"\nservices:\n openwebui:\n image: ghcr.io\/open-webui\/open-webui:main\n environment:\n OPENAI_API_BASE_URL: \"http:\/\/litellm:4000\"\n OPENAI_API_KEY: \"your-litellm-key\"\n OLLAMA_BASE_URL: \"\"\n ENABLE_OAUTH_SIGNUP: \"true\"\n OAUTH_PROVIDER_NAME: \"Authentik\"\n OPENID_PROVIDER_URL: \"https:\/\/auth.yourdomain.com\/application\/o\/openwebui\/.well-known\/openid-configuration\"\n OAUTH_CLIENT_ID: \"openwebui\"\n OAUTH_CLIENT_SECRET: \"your-client-secret\"\n OAUTH_SCOPES: \"openid profile email groups\"\n WEBUI_URL: \"https:\/\/chat.yourdomain.com\"\n WEBUI_SECRET_KEY: \"change-me\"\n ENABLE_OAUTH_ROLE_MANAGEMENT: \"true\"\n # Option A: hardcoded admin for all SSO users\n #OAUTH_ROLES_CLAIM: \"roles\"\n #OAUTH_ADMIN_ROLES: \"admin\"\n # Option B: LDAP group-based admin\n OAUTH_ROLES_CLAIM: \"groups\"\n OAUTH_ADMIN_ROLES: \"chat_admin\"\n ENABLE_PERSISTENT_CONFIG: \"False\"\n RESET_CONFIG_ON_START: \"True\"\n ENABLE_LOGIN_FORM: \"False\"\n volumes:\n - openwebui_data:\/app\/backend\/data\n networks:\n - proxy\n deploy:\n labels:\n - \"traefik.enable=true\"\n - \"traefik.http.routers.openwebui.rule=Host(`chat.yourdomain.com`)\"\n - \"traefik.http.routers.openwebui.entrypoints=websecure\"\n - \"traefik.http.routers.openwebui.tls=true\"\n - \"traefik.http.services.openwebui.loadbalancer.server.port=8080\"\nvolumes:\n openwebui_data:\nnetworks:\n proxy:\n external: true<\/pre>\n\n\n\n
\n\n\n\nThis post was written with the help of Claude (Opus 4), Anthropic's AI assistant.<\/p>\n","protected":false},"excerpt":{"rendered":"
Notes on getting Open WebUI working with Authentik SSO on a Docker Swarm setup with Traefik. Took me a bit to get all the pieces right, the main gotchas are the JWT signing key (Authentik […]<\/p>\n","protected":false},"author":1,"featured_media":2110,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[60,63,26,61],"tags":[],"class_list":["post-2099","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-ai","category-authentication","category-it","category-llm"],"_links":{"self":[{"href":"https:\/\/cln.io\/blog\/wp-json\/wp\/v2\/posts\/2099","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cln.io\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cln.io\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cln.io\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cln.io\/blog\/wp-json\/wp\/v2\/comments?post=2099"}],"version-history":[{"count":14,"href":"https:\/\/cln.io\/blog\/wp-json\/wp\/v2\/posts\/2099\/revisions"}],"predecessor-version":[{"id":2130,"href":"https:\/\/cln.io\/blog\/wp-json\/wp\/v2\/posts\/2099\/revisions\/2130"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cln.io\/blog\/wp-json\/wp\/v2\/media\/2110"}],"wp:attachment":[{"href":"https:\/\/cln.io\/blog\/wp-json\/wp\/v2\/media?parent=2099"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cln.io\/blog\/wp-json\/wp\/v2\/categories?post=2099"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cln.io\/blog\/wp-json\/wp\/v2\/tags?post=2099"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
![\"Open](\"https:\/\/cln.io\/blog\/wp-content\/uploads\/2026\/03\/blog-owui-login-1.png\")
<\/figure>\n\n\n\n![\"Authentik](\"https:\/\/cln.io\/blog\/wp-content\/uploads\/2026\/03\/blog-authentik-login-1.png\")
<\/figure>\n\n\n\n![\"Authentik](\"https:\/\/cln.io\/blog\/wp-content\/uploads\/2026\/03\/blog-authentik-password-1.png\")
<\/figure>\n\n\n\n![\"Open](\"https:\/\/cln.io\/blog\/wp-content\/uploads\/2026\/03\/blog-owui-loggedin-1.png\")
<\/figure>\n\n\n\n![\"Open](\"https:\/\/cln.io\/blog\/wp-content\/uploads\/2026\/03\/sso_groups_users_overview.png\")
<\/figure>\n\n\n\n![\"Login](\"https:\/\/cln.io\/blog\/wp-content\/uploads\/2026\/03\/login_before.png\")
<\/figure>\n\n\n\n![\"Login](\"https:\/\/cln.io\/blog\/wp-content\/uploads\/2026\/03\/login_after.png\")
<\/figure>\n\n\n\n