In this guide, we use Okta as the SSO provider and connect it to Dify Enterprise over the SAML protocol.

1. Create a new application in Okta

  1. Access the Okta admin dashboard
  2. Navigate to the Applications page
  3. Click the “Create App Integration” button
  4. Select “SAML 2.0” as the application type
  5. Click Next to access the Configure SAML page
  6. Before filling in the parameters, open a new browser tab

Follow the instructions below to obtain the necessary information, then continue filling in the details.

2. Configure the Okta application

  1. Copy the Dify Enterprise Callback URL:

    • Open the Authentication page of the Dify Enterprise dashboard
    • Click “+ New Identity Provider → New OIDC Provider”
    • View the Callback URL

    It typically follows this format:

    https://[your-dify-enterprise-url]/console/api/enterprise/sso/saml/acs
    
  2. Configure Okta:

    Paste the Callback URL into both the Single sign-on URL and Audience URI (SP Entity ID) fields on the Configure SAML page.

    After filling in the URL, continue with the following settings:

    • Set the Name ID format to EmailAddress
    • Under “Show Advanced Settings”, verify that both the response and assertion signatures are set to Signed

    Click the “Next” button to complete the setup.

3. Complete the configuration on Dify

  1. Gather information from Okta:

    • Go to the “Sign On” page of your Okta application and find:
      • Sign-on URL
      • Signing certificate

  2. Assign members:

    • On the “Assignments” page, assign the members who are allowed to use SSO login

  3. Configure Dify:

    • Return to the Authentication page of Dify Enterprise
    • Click “+ New Identity Provider → New SAML Provider”
    • Fill in the information obtained from Okta

    When filling in the X509 Signing Certificate, use the following format:

    -----BEGIN CERTIFICATE-----
    {certificate}
    -----END CERTIFICATE-----
    

4. Enable SSO Enforcement

After completing the SAML Provider configuration, tap the toggle button to the right of “Workspaces SSO” to enable SSO authentication for your team.

Once enabled, members of your organization must complete SSO authentication before accessing resources in Dify Enterprise.
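
To confirm that the Okta settings from step 2 took effect, the sketch below inspects a base64-decoded SAML response, such as one copied from the browser's network tab during a test login. It is an added example, not part of Dify or Okta; the function names, the `dify.example.com` host and the sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

def check_saml_response(xml_text, acs_url):
    """List settings in a decoded SAML response that differ from this guide.

    Structural check only; it does not verify signatures cryptographically.
    """
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no plaintext Assertion element found"]
    problems = []
    # Direct children only, so a signature inside the assertion is not
    # mistaken for a signature over the whole response.
    if root.find("ds:Signature", NS) is None:
        problems.append("response is not signed")
    if assertion.find("ds:Signature", NS) is None:
        problems.append("assertion is not signed")
    audience = assertion.find(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    if audience is None or (audience.text or "").strip() != acs_url:
        problems.append("Audience does not match the SP Entity ID")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("Name ID format is not EmailAddress")
    return problems

# Constructed sample, not captured from a real tenant. The host name is a
# placeholder and the Signature elements are empty stubs.
ACS = "https://dify.example.com/console/api/enterprise/sso/saml/acs"
SIG = '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>'

def sample_response(response_sig=SIG, assertion_sig=SIG, fmt=EMAIL_FORMAT):
    return (
        '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s">%s<saml:Assertion>%s'
        '<saml:Subject><saml:NameID Format="%s">user@example.com</saml:NameID>'
        '</saml:Subject><saml:Conditions><saml:AudienceRestriction>'
        '<saml:Audience>%s</saml:Audience></saml:AudienceRestriction>'
        '</saml:Conditions></saml:Assertion></samlp:Response>'
        % (NS["samlp"], NS["saml"], response_sig, assertion_sig, fmt, ACS))

if __name__ == "__main__":
    print(check_saml_response(sample_response(), ACS))
    print(check_saml_response(sample_response(response_sig=""), ACS))
```

An empty list means the response matches the settings in this guide; each string in a non-empty list names the Okta field to revisit.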