Configure OIDC with Okta
This guide uses Okta as an example SSO identity provider, demonstrating how to enable OIDC authentication for Dify Enterprise Edition.
With this feature enabled, the Enterprise Edition login page uses a unified authentication portal to enhance security. Internal enterprise users do not need to set up complex passwords; logging in with an organizational account streamlines the process.
1. Create a New Application in Okta
- Go to the Okta Admin console, navigate to Applications, and click Create App Integration.
- Follow the prompts to name your application and define authorization scopes as needed.
- The Sign-in redirect URIs field must be set to the Dify Enterprise Callback URL (see below).
- Leave the Sign-out redirect URIs field blank.
2. Configure the Okta Application
Depending on the SSO scope you want to enable, the Callback URL may vary. The system administrator must add the Dify Enterprise Callback URL to the corresponding Okta App in order to complete the setup.
On the Dify Enterprise Authentication page, in the Workspace Settings section, click + New Identity Provider → New OAuth2 Provider. At the bottom of the page, locate the Callback URL.
It typically follows this format:
- Paste this URL into the Sign-in redirect URIs field of your Okta app.
3. Enable OIDC Authentication
3.1 Retrieve Key Information from the Okta Application
- In the application’s General tab, locate the following fields:
  - Client ID
  - Client secret
- Switch to the Sign On tab and find the Issuer field. Set Issuer to a fixed link, then copy its value.
3.2 Configure OAuth2 Authentication
On the Dify Enterprise Authentication page, click + New Identity Provider → New OAuth2 Provider, and follow the prompts to fill out the following information:
- Issuer URL
- Client ID
- Client Secret
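Before saving the provider, the Issuer URL copied in step 3.1 can be checked against the identity provider's OIDC discovery document, which is served at the issuer URL plus /.well-known/openid-configuration. The following is an added example, not code from Dify or Okta; the function name check_issuer, the sample document, and the idp.example.com host are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Constructed sample of an OIDC discovery document (placeholder host).
SAMPLE_DISCOVERY = json.loads("""
{
  "issuer": "https://idp.example.com",
  "authorization_endpoint": "https://idp.example.com/oauth2/v1/authorize",
  "token_endpoint": "https://idp.example.com/oauth2/v1/token",
  "jwks_uri": "https://idp.example.com/oauth2/v1/keys",
  "response_types_supported": ["code", "id_token"],
  "scopes_supported": ["openid", "profile", "email"]
}
""")

REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")


def check_issuer(configured_issuer, discovery):
    """Return a list of problems; an empty list means the issuer looks usable."""
    problems = []
    parts = urlsplit(configured_issuer)
    if parts.scheme != "https":
        problems.append("issuer must use https")
    if parts.query or parts.fragment:
        problems.append("issuer must not contain a query or fragment")
    # OpenID Connect Discovery requires the configured issuer and the
    # document's "issuer" to be identical strings, so a trailing slash or a
    # different host counts as a mismatch.
    if discovery.get("issuer") != configured_issuer:
        problems.append("issuer mismatch: discovery says %r" % discovery.get("issuer"))
    # Endpoints used for sign-in, token exchange and signature keys.
    for key in REQUIRED_ENDPOINTS:
        if urlsplit(discovery.get(key, "")).scheme != "https":
            problems.append("%s missing or not https" % key)
    if "code" not in discovery.get("response_types_supported", []):
        problems.append("authorization code flow not advertised")
    if "openid" not in discovery.get("scopes_supported", []):
        problems.append("openid scope not advertised")
    return problems


if __name__ == "__main__":
    for candidate in ("https://idp.example.com", "https://idp.example.com/"):
        print(candidate, "->", check_issuer(candidate, SAMPLE_DISCOVERY) or "ok")
```

To check a real tenant, load the JSON fetched from the discovery URL in place of SAMPLE_DISCOVERY and pass the exact string you intend to paste into the Issuer URL field.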
4. Enable SSO Enforcement (Optional)
The system administrator can enable SSO Enforcement for the following scenarios, making authentication mandatory:
- Workspace: Requires authorization to log in to the Dify Enterprise Workspace.
- WebApp: Requires authorization for applications created by this Dify Enterprise instance.
When enabled, users are prompted for authorization whenever they access the selected scenarios.