1. Create a New Application in Okta
-
Go to the Okta Admin console and navigate to Applications. Click Create App Integration, then select OIDC as the sign-in method and Web Application as the application type.
-
Follow the prompts to enter the application name and define authorization scopes as needed. In the
Sign-in redirect URIsfield, provide the Dify Enterprise Callback URL, as described below.
2. Obtain the Callback URL
Depending on the SSO scope you intend to enable, the Callback URL may vary. The system administrator needs to paste the Dify Enterprise Callback URL into the corresponding Okta application to finalize the setup.- Workspace
- WebApp
In the Dify Enterprise Authentication page, under Workspace Settings, click + New Identity Provider → New OAuth2 Provider. At the bottom, check the Callback URL.
The format typically looks like:
The format typically looks like:- Paste this URL into the Sign-in redirect URIs field of your Okta OAuth2 app.
3. Enable OAuth2 Authentication
-
In the General tab of the Okta application, copy the following fields to use in later configuration steps:
- Client ID
- Client Secret
-
Switch to the Sign On tab and locate the Issuer field. Change the Issuer to a fixed link.
- Client ID
- Client Secret
- Authorization Endpoint:
https://your-okta-issuer-url/oauth2/v1/authorize - Token Endpoint:
https://your-okta-issuer-url/login/oauth/access_token - User Info Endpoint:
https://your-okta-issuer-url/oauth2/v1/userinfo - Scopes:
openid, profile, email
The method to obtain your-okta-issuer-url: As mentioned above, set the Issuer URL in the Okta App to a fixed link and copy that information. If you need to gather more fields from the Okta App, refer to Use of the Issuer.
5. Enable SSO Enforcement (Optional)
The system administrator can enable SSO enforcement for two types of scenarios:- Workspace: Enforces authorization when logging into the Dify Enterprise Workspace.
- WebApp: Enforces authorization when using applications created by this Dify Enterprise instance.

