SSO Application Scope
Based on the user scope, Dify Enterprise’s SSO authentication system provides the following two different scope Single Sign-On (SSO) configuration options:Internal Users
Internal users refer to members who have registered in the Dify Enterprise workspace or have been added in the admin backend.Workspace
- Controls how users access the Dify Enterprise workspace.
- Once enabled, all users need to authenticate through your designated identity provider (IDP) before entering any workspace.
- Controls internal user access to Web Apps created on the Dify Enterprise platform.
- Once enabled, internal users need to authenticate through the identity provider (IdP) before accessing any Web applications created by the Dify Enterprise platform. This setting is a global option and cannot individually control the enabling/disabling of permissions for a single WebApp. To enable personnel permission grouping for individual Webapps, please refer to Application Access Permission Management.
The Callback URLs for Workspace and Webapp SSO are different, please note the distinction.
External Users
External users refer to members who have not joined the Dify Enterprise system.Web App
- After SSO authentication, external users can access Web applications created on the Dify Enterprise platform.
- Once enabled, users need to authenticate through the identity provider (IdP) before accessing any Web applications created by Dify Enterprise.
The Web App Callback URL for this permission scope is different from the Web App for internal users, please note the distinction.⚠️ Important Notes For security reasons, some identity providers (IDP) disable SSO authentication in iframe pages. This may affect situations where WebApps are embedded in other web pages. You need to check the identity provider’s (IDP) CSP: frame-ancestors configuration to ensure this feature works properly. For detailed instructions, please refer to this documentation. Here are the different security policies provided by various IDP vendors:
- Azure EntraID explicitly does not allow SSO login pages to be embedded in iframe pages due to security issues.
- Okta configures SSO login pages to allow embedding. For detailed instructions, please refer to Okta Official Documentation.
Configure SSO Authentication
Administrators can easily integrate Dify Enterprise with various identity providers, such as Okta, OneLogin, or Azure Active Directory (Azure AD). Dify Enterprise supports any identity provider that meets OIDC requirements or SAML standards. You can refer to the following SSO provider configuration guides:- Okta
-
Azure
- Configure SAML with Azure
- GitHub