This guide uses Azure Entra ID as the SSO identity provider and connects it to Dify Enterprise over the SAML protocol.

1. Create a new application in Azure

Access the Azure admin backend page, navigate to the Applications page, and click on New application.

Select Create your own application, enter an application name such as dify, then choose Integrate any other application you don’t find in the gallery (Non-gallery), and click Create.

Next, assign the members who can see this application. Only these authorized Azure members will be allowed to log in to Dify Enterprise. Select Users and groups on the left side of the application, then click Add user/group.

2. Configure the application

Click on the Single sign-on option under Manage on the left side of the application, then select SAML.

Edit the SAML configuration and fill in Dify Enterprise’s ACS URL in both the Entity ID and Reply URL fields.

To obtain the ACS URL, a system administrator goes to the Authentication page of Dify Enterprise and clicks “+ New Identity Provider → New SAML Provider”.

It typically follows this format:

https://[your-dify-enterprise-url]/console/api/enterprise/sso/oidc/callback

After obtaining the ACS URL, switch back to the Azure application page and download the Certificate from the SAML Certificates tab; also copy the Login URL from the setup page. Both values need to be filled in the Dify Enterprise admin backend.

Advanced configuration: Edit attributes and claims

  1. Click on Unique User Identifier (Name ID) under Required claim

  2. Change the source attribute to user.mail

3. Complete the configuration on Dify

System administrators go to the Authentication page of Dify Enterprise, click “+ New Identity Provider → New SAML Provider”, and then:

  • Fill in the Azure application’s Login URL in the IdP SSO URL field;

  • Fill in the content of the downloaded Certificate file in the X509 Signing Certificate field, using the following format:

    -----BEGIN CERTIFICATE-----
    {certificate}
    -----END CERTIFICATE-----
    

4. Enable SSO Enforcement

After completing the SAML Provider configuration, tap the toggle button to the right of “Workspaces SSO” to enable SSO authentication for your team.

Once enabled, members of your organization must complete SSO authentication before accessing resources in Dify Enterprise.