
SSO with Cover Reports

How to secure access to your Cover Reports server using SSO
NGINX can be used to secure access to your Cover Reports server using SSO. NGINX provides setup guides for different SSO providers; see Set Up Single Sign-On for Proxied Applications on the NGINX docs site.


  • A server running Cover Reports.
  • A server running NGINX Plus (this can be the same server as Cover Reports) with a valid subscription.
  • An SSO provider.

Auth0 considerations

Note the following when setting up NGINX with Auth0. For details of the full process, see Single Sign-On With Auth0 on the NGINX docs site.
  • On your NGINX Auth0 Dashboard, set the callback URL to http://<YOUR-NGINX-SERVER-IP>:80/_codexch (replace <YOUR-NGINX-SERVER-IP> with the IP address of your NGINX instance).
  • On your NGINX server, update the upstream details for Cover Reports in the frontend.conf file (replace <YOUR-COVER-REPORTS-SERVER-IP> with the IP address of your Cover Reports instance):
    upstream cover-reports {
        zone cover-reports 64k;
        # Cover Reports listens on port 8080
        server <YOUR-COVER-REPORTS-SERVER-IP>:8080;
    }
  • Also in the frontend.conf file, make sure that the NGINX server is listening on port 80 and that your proxy_pass destination matches the upstream value configured above (cover-reports):
    listen 80;
    proxy_pass http://cover-reports;
  • Once SSO has been configured for Cover Reports, port 8080 will still be open, bypassing SSO. To prevent this, close port 8080 as part of your network configuration. However, blocking port 8080 entirely will prevent reports bundles from being uploaded using Cover Pipeline and Cover CLI, so we recommend that you add the IP range of your CI runners and Cover CLI users to your network allow-list for port 8080.
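
The frontend.conf checks described above (upstream defined, listen port, proxy_pass matching the upstream) can be automated before reloading NGINX. The following is an added example, not code from Cover Reports or NGINX: the function name, the sample configuration and the 192.0.2.x addresses are constructed, and it assumes the listen port must equal the port in the Auth0 callback URL.

```python
import re
from urllib.parse import urlsplit

# Constructed sample, not a real deployment (192.0.2.x are documentation addresses).
SAMPLE_CONF = """
upstream cover-reports {
    zone cover-reports 64k;
    server 192.0.2.20:8080;
}
server {
    listen 80;   # must match the callback URL port
    location / {
        proxy_pass http://cover-reports;
    }
}
"""

def check_frontend_conf(conf, callback_url):
    """Return a list of inconsistencies (an empty list means the checks passed)."""
    conf = re.sub(r"#[^\n]*", "", conf)  # strip comments
    problems = []
    # Map each upstream name to the server addresses declared inside it.
    upstreams = {
        m.group(1): re.findall(r"\bserver\s+([^;\s]+)", m.group(2))
        for m in re.finditer(r"\bupstream\s+([^\s{]+)\s*\{([^}]*)\}", conf)
    }
    for name, servers in upstreams.items():
        if not servers:
            problems.append(f"upstream {name} has no server line")
    # The callback (/_codexch) is served by NGINX, so NGINX must listen on its port.
    url = urlsplit(callback_url)
    want = url.port or (443 if url.scheme == "https" else 80)
    ports = {int(p) for p in re.findall(r"\blisten\s+(?:[^\s;]*:)?(\d+)\b", conf)}
    if want not in ports:
        problems.append(f"no listen directive for callback port {want}")
    # Every proxy_pass host must name a declared upstream.
    for target in re.findall(r"\bproxy_pass\s+https?://([^\s;/:]+)", conf):
        if target not in upstreams:
            problems.append(f"proxy_pass target {target} is not a declared upstream")
    return problems

if __name__ == "__main__":
    for p in check_frontend_conf(SAMPLE_CONF, "http://192.0.2.10:80/_codexch"):
        print("PROBLEM:", p)
```

This only checks the configuration file for consistency; whether port 8080 is actually restricted to the allow-listed ranges still has to be confirmed from a host outside them.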