25.04.2026

Casdoor for Self-Hosted SSO and IAM


Identity sprawl gets ugly fast. One app wants OIDC, another still depends on LDAP, a third needs SAML, and your internal tooling team wants passkeys without bolting together five separate auth services. Casdoor is interesting because it brings those moving parts into one open-source IAM platform that operators can actually self-host.

What is Casdoor?

Casdoor is a UI-first IAM and SSO platform built with a React frontend and a Go backend. It supports OAuth 2.0, OIDC, SAML, CAS, LDAP, SCIM, WebAuthn, TOTP, MFA, RADIUS, Active Directory, and Google Workspace integration. Under the hood it also ties into Casbin for authorization models such as ACL, RBAC, and ABAC.

For SRE and platform teams, that combination matters. You can centralize application login, user lifecycle management, policy enforcement, and audit visibility without locking yourself into a hosted identity provider.

Key Features

  • Broad protocol coverage so one platform can serve modern apps and older enterprise integrations.
  • Self-hosted web console for user, organization, app, and provider management.
  • Passkeys and MFA support through WebAuthn, TOTP, and other verification flows.
  • Flexible authorization with Casbin-backed ACL, RBAC, and ABAC models.
  • Multiple deployment paths including source installs, Docker, and Helm on Kubernetes.

Installation

A fast trial run uses the all-in-one container:

docker run -p 8000:8000 casbin/casdoor-all-in-one

If you already have a Kubernetes cluster, the Helm chart is even more relevant for platform teams:

helm install casdoor oci://registry-1.docker.io/casbin/casdoor-helm-charts

After startup, open http://localhost:8000 or your ingress URL, then change the default admin credentials immediately on any real deployment.

Usage

Casdoor acts as the authorization server for your applications. A typical app integration starts by configuring a client in Casdoor, then redirecting users to Casdoor's OAuth 2.0 or OIDC authorization endpoint. After login, the app exchanges the returned code for an access token and uses that token to access user data or protected APIs.

That workflow makes Casdoor useful for internal portals, developer tools, customer-facing dashboards, and shared platform services that need consistent identity handling across teams.
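The client side of the authorization-code flow described above, as an added example that is not Casdoor's own code or part of the original post. It shows the two checks an integrating app should not skip: a per-login `state` value and a PKCE challenge (RFC 7636). The authorize path, client ID, redirect URI, and PKCE being enabled on the deployment are assumptions; read the real endpoints from your instance's OIDC discovery document.

```python
import base64, hashlib, hmac, secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed values for illustration; substitute your deployment's settings.
AUTHORIZE_URL = "http://localhost:8000/login/oauth/authorize"  # assumed path
CLIENT_ID = "example-client-id"                                # placeholder
REDIRECT_URI = "https://app.example.test/callback"             # placeholder


def start_login():
    """Return (redirect URL, per-login values to keep in the user's session)."""
    state = secrets.token_urlsafe(32)     # binds the callback to this session
    verifier = secrets.token_urlsafe(64)  # PKCE code_verifier, 86 characters
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    query = urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile",
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    })
    return f"{AUTHORIZE_URL}?{query}", {"state": state, "code_verifier": verifier}


def handle_callback(callback_url, session):
    """Validate the redirect back to the app and return the token request form."""
    params = parse_qs(urlparse(callback_url).query)
    if "error" in params:
        raise ValueError("authorization failed: " + params["error"][0])
    returned = params.get("state", [""])[0].encode("utf-8")
    # Constant-time compare; a missing or mismatched state means this session
    # did not start the login, so the code must not be exchanged.
    if not hmac.compare_digest(returned, session["state"].encode("utf-8")):
        raise ValueError("state mismatch")
    code = params.get("code", [""])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    # Form fields the app POSTs to the token endpoint over TLS.
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": session["code_verifier"],
    }
```

A confidential client also sends its client secret with the token request; keep that secret in your secret-management stack, not in source.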

Operational Tips

  • Put Casdoor behind your standard ingress, TLS, and secret-management stack from day one.
  • Use PostgreSQL or MySQL for durable production state rather than treating the demo path as a long-term setup.
  • Test one OIDC client and one legacy integration early so protocol edge cases show up before rollout.
  • Review audit logging and provider configuration during staging, especially if you sync users from existing directories.

Conclusion

Casdoor earns attention because it covers the messy middle of real-world identity operations. It is not just a login screen. It is a practical control plane for teams that need self-hosted SSO, federation, strong auth options, and policy flexibility in one place.
