This guide uses Okta as an example SSO identity provider, demonstrating how to enable OAuth2 authorization for Dify Enterprise Edition.

By enabling this feature, the login page in Enterprise Edition will utilize a unified authentication portal for enhanced security. For internal users, there’s no need to enter complex passwords—logging in through the organizational account simplifies authentication.

1. Create a New Application in Okta

  1. Go to the Okta Admin console and navigate to Applications. Click Create App Integration, then select OIDC as the sign-in method and Web Application as the application type.

  2. Follow the prompts to enter the application name and define authorization scopes as needed. In the Sign-in redirect URIs field, provide the Dify Enterprise Callback URL, as described below.

2. Obtain the Callback URL

Depending on the SSO scope you intend to enable, the Callback URL may vary. The system administrator needs to paste the Dify Enterprise Callback URL into the corresponding Okta application to finalize the setup.

In the Dify Enterprise Authentication page, under Workspace Settings, click + New Identity Provider → New OAuth2 Provider. At the bottom, check the Callback URL.

The format typically looks like:

https://[your-dify-enterprise-url]/console/api/enterprise/sso/oauth2/callback
  1. Paste this URL into the Sign-in redirect URIs field of your Okta OAuth2 app.

3. Enable OAuth2 Authentication

  1. In the General tab of the Okta application, copy the following fields to use in later configuration steps:

    • Client ID
    • Client Secret

  2. Switch to the Sign On tab and locate the Issuer field. Change the Issuer to a fixed link.

Go to Authentication in Dify Enterprise, click + New Identity Provider → New OAuth2 Provider, and fill in the information as prompted to complete the configuration:

  • Client ID
  • Client Secret

The basic information may vary among different OAuth2 providers; refer to their official documentation for specifics. The example below is for reference; adjust as needed:

  • Authorization Endpoint: https://your-okta-issuer-url/oauth2/v1/authorize
  • Token Endpoint: https://your-okta-issuer-url/login/oauth/access_token
  • User Info Endpoint: https://your-okta-issuer-url/oauth2/v1/userinfo
  • Scopes: openid, profile, email

The method to obtain your-okta-issuer-url: As mentioned above, set the Issuer URL in the Okta App to a fixed link and copy that information. If you need to gather more fields from the Okta App, refer to Use of the Issuer.

5. Enable SSO Enforcement (Optional)

The system administrator can enable SSO enforcement for two types of scenarios:

  • Workspace: Enforces authorization when logging into the Dify Enterprise Workspace.
  • WebApp: Enforces authorization when using applications created by this Dify Enterprise instance.

Once enabled, users will be prompted for access authorization upon visiting the respective scenario.