SSO Application Scope
Dify Enterprise’s SSO authentication system provides two different scope options for Single Sign-On (SSO) configuration:Workspace SSO
- Controls how users access the Dify Enterprise platform itself.
- When enabled, all users must authenticate through your specified Identity Provider (IDP) before entering any workspace.
Web App SSO
- Controls user access permissions to Web applications created within the Dify Enterprise platform.
- When enabled, users must authenticate through the Identity Provider (IDP) before accessing any Web applications created by the Dify Enterprise platform. Access is granted only after authentication. This is a global setting and currently cannot control access permissions for specific WebApps individually. For enabling access control for individual WebApps, please refer to the FAQ.
- Azure EntraID explicitly disallows SSO login pages from being embedded in iframe pages due to security concerns.
- Okta allows SSO login pages to be embedded with configuration. For detailed information, please refer to the Okta Official Documentation.