- Updated: March 24, 2026
- 3 min read
Integrating OpenClaw One‑Click Deploy with SSO Providers on UBOS
# Integrating OpenClaw One‑Click Deploy with a Single Sign‑On Provider
*Published by the UBOS Team*
In this guide we walk developers through adding **Auth0**, **Okta**, or **Azure AD** authentication to the OpenClaw one‑click‑deploy template and then hosting the resulting solution on UBOS.
—
## 1. Overview of the SSO Flow
1. **User clicks “Login”** on the OpenClaw UI.
2. The application redirects the user to the chosen IdP (Auth0, Okta, Azure AD).
3. The IdP authenticates the user and returns an **OAuth2/OpenID Connect** token.
4. OpenClaw validates the token, creates a session, and grants access to the dashboard.
The flow is completely standards‑based, so you can swap providers with minimal changes.
—
## 2. Required Configuration Changes
### a. Register the Application with the IdP
– **Auth0**: Create a *Regular Web Application*, note the **Client ID**, **Client Secret**, and set the **Allowed Callback URLs** to `https:///auth/callback`.
– **Okta**: Add a *Web* application, capture the **Client ID**, **Client Secret**, and configure the **Login redirect URIs** similarly.
– **Azure AD**: Register a *Web* app in Azure Portal, record the **Application (client) ID**, **Directory (tenant) ID**, and add a **Redirect URI**.
### b. Update OpenClaw Environment Variables
Add the following variables to the OpenClaw `.env` (or Docker compose) file:
dotenv
SSO_PROVIDER=auth0 # or okta, azuread
SSO_CLIENT_ID=
SSO_CLIENT_SECRET=
SSO_ISSUER_URL=https:///
SSO_CALLBACK_URL=https:///auth/callback
### c. Adjust the OpenClaw `config.yaml`
yaml
auth:
enabled: true
provider: ${SSO_PROVIDER}
clientId: ${SSO_CLIENT_ID}
clientSecret: ${SSO_CLIENT_SECRET}
issuerUrl: ${SSO_ISSUER_URL}
callbackUrl: ${SSO_CALLBACK_URL}
—
## 3. Deploying the Updated Template on UBOS
1. **Clone the OpenClaw one‑click‑deploy repository** (or use the UBOS marketplace entry).
2. **Commit the configuration changes** to your fork.
3. In the UBOS dashboard, click **”Deploy New App”**, select the OpenClaw template, and point it to your repository.
4. UBOS will build the Docker image, inject the environment variables, and expose the service on a sub‑domain (e.g., `openclaw.yourdomain.ubos.tech`).
5. Verify the SSO flow by visiting the URL and logging in with the chosen IdP.
—
## 4. Hosting the Final Solution on UBOS
UBOS handles SSL termination, automatic updates, and scaling. After deployment:
– Use the **UBOS CLI** to monitor logs: `ubos logs openclaw`.
– Set up **automatic backups** via the UBOS UI.
– Optionally enable **custom domain** mapping for a branded URL.
For a detailed walkthrough of hosting OpenClaw on UBOS, see our internal guide: [How to host OpenClaw on UBOS](/host-openclaw/).
—
## 5. Conclusion
By following these steps you can securely integrate any major SSO provider with OpenClaw and leverage UBOS for hassle‑free deployment, scaling, and maintenance. This not only improves security but also streamlines the developer experience.
—
*Feel free to reach out to the UBOS community if you encounter any issues.*