This guide covers two common authentication options for Paperless-ngx:
OIDC is the preferred SSO option when you already run an identity provider like Authentik or Keycloak.
Create a new OIDC client in your IdP with:
https://paperless.example.com/accounts/oidc/callback/
Set the following environment variables in your Paperless-ngx .env or container environment:
PAPERLESS_OIDC_ENABLED=true
PAPERLESS_OIDC_PROVIDER_NAME=SSO
PAPERLESS_OIDC_CLIENT_ID=your-client-id
PAPERLESS_OIDC_CLIENT_SECRET=your-client-secret
PAPERLESS_OIDC_AUTHORIZATION_ENDPOINT=https://idp.example.com/application/o/authorize/
PAPERLESS_OIDC_TOKEN_ENDPOINT=https://idp.example.com/application/o/token/
PAPERLESS_OIDC_USERINFO_ENDPOINT=https://idp.example.com/application/o/userinfo/
PAPERLESS_OIDC_JWKS_ENDPOINT=https://idp.example.com/application/o/jwks/
PAPERLESS_OIDC_SCOPES=openid email profile
PAPERLESS_OIDC_USERNAME_CLAIM=preferred_username
Apply the changes by restarting your containers or services:
docker compose restart
Use LDAP to authenticate users against your directory (e.g., OpenLDAP, FreeIPA).
Set the following environment variables:
PAPERLESS_LDAP_ENABLED=true
PAPERLESS_LDAP_SERVER_URI=ldap://ldap.example.com:389
PAPERLESS_LDAP_BIND_DN=cn=paperless,ou=svc,dc=example,dc=com
PAPERLESS_LDAP_BIND_PASSWORD=change-me
PAPERLESS_LDAP_USER_SEARCH_BASE=ou=users,dc=example,dc=com
PAPERLESS_LDAP_USER_SEARCH_FILTER=(uid=%(user)s)
PAPERLESS_LDAP_GROUP_SEARCH_BASE=ou=groups,dc=example,dc=com
PAPERLESS_LDAP_GROUP_SEARCH_FILTER=(member=%(user_dn)s)
Apply the changes by restarting your containers or services:
docker compose restart
ldaps://) for LDAP in production.
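A check to run over the settings from this guide before restarting, as an added example that is not part of the original guide or of Paperless-ngx: it parses the .env text and reports placeholder credentials, OIDC endpoints that are not HTTPS, and an LDAP server URI that is not ldaps://. The function names and the rule set are assumptions of this example; the variable names are the ones used in this guide.

```python
from urllib.parse import urlparse

# Placeholder credentials that appear in the guide's sample configuration.
PLACEHOLDERS = {"your-client-id", "your-client-secret", "change-me"}
# Constructed sample: a subset of the guide's values, unchanged.
GUIDE_SAMPLE = """\
PAPERLESS_OIDC_ENABLED=true
PAPERLESS_OIDC_CLIENT_SECRET=your-client-secret
PAPERLESS_OIDC_TOKEN_ENDPOINT=https://idp.example.com/application/o/token/
PAPERLESS_OIDC_SCOPES=openid email profile
PAPERLESS_LDAP_ENABLED=true
PAPERLESS_LDAP_SERVER_URI=ldap://ldap.example.com:389
PAPERLESS_LDAP_BIND_PASSWORD=change-me
PAPERLESS_LDAP_USER_SEARCH_FILTER=(uid=%(user)s)
"""


def parse_env(text):
    """Parse KEY=VALUE lines; split once, since LDAP filters contain '='."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            env[key.strip()] = value.strip().strip("\"'")
    return env


def audit(env):
    """Return sorted (variable, finding) pairs for settings to fix before production."""
    findings = []
    on = {k for k, v in env.items() if v.lower() == "true"}
    for key, value in env.items():
        if key.endswith(("_SECRET", "_PASSWORD", "_CLIENT_ID")) and (not value or value in PLACEHOLDERS):
            findings.append((key, "placeholder or empty credential"))
        if key.endswith("_ENDPOINT") and urlparse(value).scheme != "https":
            findings.append((key, "endpoint is not an https:// URL"))
    if "PAPERLESS_OIDC_ENABLED" in on and "openid" not in env.get("PAPERLESS_OIDC_SCOPES", "").split():
        findings.append(("PAPERLESS_OIDC_SCOPES", "openid scope missing"))
    if "PAPERLESS_LDAP_ENABLED" in on:
        if urlparse(env.get("PAPERLESS_LDAP_SERVER_URI", "")).scheme != "ldaps":
            findings.append(("PAPERLESS_LDAP_SERVER_URI", "not ldaps://"))
        if "%(user)s" not in env.get("PAPERLESS_LDAP_USER_SEARCH_FILTER", ""):
            findings.append(("PAPERLESS_LDAP_USER_SEARCH_FILTER", "filter never references %(user)s"))
    return sorted(findings)


if __name__ == "__main__":
    print(*audit(parse_env(GUIDE_SAMPLE)), sep="\n")
```

Run against the guide's sample values it flags both placeholder credentials and the ldap:// URI; an empty result means none of these rules matched.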