> ## Documentation Index
> Fetch the complete documentation index at: https://enterprise-docs.dify.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Enterprise Members Authentication

Enterprise members refer to who have registered in the Dify Enterprise workspace or been added by administrators through the admin console. Our authentication system ensures these users can only access Dify Enterprise resources after proper verification.

## Authentication Scope Overview

Dify Enterprise offers tailored authentication methods based on user roles and access requirements:

| Access Target | User Role                                       | Authentication Method                            | Security Level |
| ------------- | ----------------------------------------------- | ------------------------------------------------ | -------------- |
| **Workspace** | Enterprise Internal Users                       | Email & Password, Email & Verification Code, SSO | High           |
| **Web App**   | Enterprise Internal Users, Specific Group Users | Email & Password, Email & Verification Code, SSO | Medium         |

## Authentication Method

System administrators can navigate to **Admin Console** → **Identity Authentication** → **Member** to centrally configure authentication methods for internal users accessing workspaces and Web Apps.

![](https://assets-docs.dify.ai/2025/06/6b8cf5d9a048fc463c59bc8b41665d2a.png)

### Email and Password Authentication

**Applicable Scope:**

* Workspace
* Web App

**Features:**

* Classic username and password authentication
* Configurable password security policies
* Suitable for all user types

**Configuration Steps:**

1. **Identity Authentication** → **Member** → **Email and Password**
2. Enable the toggle

<Tabs>
  <Tab title="Admin Console Configuration">
    <Frame caption="Enable email and password authentication in enterprise admin console">
      <img src="https://assets-docs.dify.ai/2025/06/6ebe7dbbdc394d94b3f45dbc4b615a1d.png" alt="Email and password authentication configuration interface" />
    </Frame>
  </Tab>

  <Tab title="User Login Interface">
    <Frame caption="User login page display">
      <img src="https://assets-docs.dify.ai/2025/04/14e603662ca00daf80762f57a228e57c.png" alt="User login interface" />
    </Frame>
  </Tab>
</Tabs>

**Password Security Recommendations:**

* Enforce minimum password length of 8 characters
* Include uppercase and lowercase letters, numbers, and special characters
* Regularly remind users to update passwords
* Prohibit common weak passwords

### Email and Verification Code Authentication

**Applicable Scope:**

* Workspace
* Web App

**Features:**

* Passwordless login method
* Single-use email verification codes
* Enhances user experience by eliminating password management

**Configuration Steps:**

1. Verify that your email service is properly configured
2. Enable "Email and Verification Code" on **Identity Authentication** → **Member** page
3. Configure verification code parameters:
   * Verification code validity period (recommended 5-10 minutes)
   * Sending frequency limits
   * Verification code length and type

<Tabs>
  <Tab title="Admin Console Configuration">
    <Frame caption="Enable email verification code authentication in enterprise admin console">
      <img src="https://assets-docs.dify.ai/2025/06/7729d5b4e299f11f089c0d73045308e1.png" alt="Email verification code authentication configuration interface" />
    </Frame>
  </Tab>

  <Tab title="User Login Interface">
    <Frame caption="Verification code login page">
      <img src="https://assets-docs.dify.ai/2025/04/2572a20174e7b9fa85817dca02bba937.png" alt="Verification code login interface" />
    </Frame>
  </Tab>
</Tabs>

**Prerequisites:**

* SMTP email service configured
* Email service stable and available
* Valid user email addresses

### Single Sign-On (SSO)

**Applicable Scope:**

* Workspace
* Web App

**Features:**

* Integration with existing enterprise identity systems
* Supports OIDC, SAML, OAuth2 protocols
* Unified enterprise identity management
* Supports automatic user synchronization

**Configuration Steps:**

1. Enable "Single Sign-On (SSO)" on **Identity Authentication** → **Member** page
2. Configure identity provider information
3. Set user attribute mapping
4. Test SSO connection

<Tabs>
  <Tab title="Admin Console Configuration">
    <Frame caption="Enable SSO authentication in enterprise admin console">
      <img src="https://assets-docs.dify.ai/2025/06/b8e0836b5179a4127d611926f9a1a34d.png" alt="SSO authentication configuration interface" />
    </Frame>
  </Tab>

  <Tab title="User Login Interface">
    <Frame caption="SSO login page">
      <img src="https://assets-docs.dify.ai/2025/04/32db3fc352c7ba40eb4343fd5f6229e5.png" alt="SSO login interface" />
    </Frame>
  </Tab>
</Tabs>

<Warning>
  When setting up SSO, ensure you configure the correct callback URL in your identity provider. **Note that Workspace and Web App require different callback URLs** - please configure them accordingly.
</Warning>

For detailed SSO configuration instructions, please refer to [Enterprise SSO Configuration Guide](/en/3.10.x/administer/sso/introduction).

## Access Permission Management

### Workspace

System administrators can enable email and password authentication, email and verification code authentication, and Single Sign-On (SSO) authentication methods in **System Settings** → **Identity Authentication** → **Member**.

![](https://assets-docs.dify.ai/2025/06/6b8cf5d9a048fc463c59bc8b41665d2a.png)

When users access the Dify Enterprise workspace, they'll see authentication prompts based on your configuration settings and gain access upon successful verification.

**User Registration Strategies:**

Here are the most common user registration strategies:

<Tabs>
  <Tab title="Open Registration Mode">
    **Configuration:**

    * Enable "Allow users to register accounts themselves"
    * Enable "Allow system to automatically create personal spaces"

    **Features:**

    * Users can self-register and start using the platform immediately
    * Personal workspaces are automatically created
    * Suitable for open enterprise environments
  </Tab>

  <Tab title="Invitation Registration Mode">
    **Configuration:**

    * Disable "Allow users to register accounts themselves"
    * Enable "Allow system to automatically create personal spaces"

    **Features:**

    * Registration is limited to administrator-invited users
    * Personal space automatically created after registration
    * Suitable for controlled enterprise environments
  </Tab>

  <Tab title="Fully Controlled Mode">
    **Configuration:**

    * Disable "Allow users to register accounts themselves"
    * Disable "Allow system to automatically create personal spaces"

    **Features:**

    * All user operations require manual administrator approval
    * Highest security level
    * Suitable for highly sensitive enterprise environments
  </Tab>
</Tabs>

### Web App

When Web App access is set to **All Platform Members** or **Specific Platform Groups**, the authentication methods configured in "Enterprise User Authentication" (email/password, email verification codes, or SSO) will be automatically applied. Users not on the Dify Enterprise member list will receive an access denied message.

## Security Best Practices

### Authentication Strategy Recommendations

**Enable Multiple Authentication Methods**

* Use SSO as your primary method for centralized identity management
* Maintain email/password authentication as a fallback option
* Reserve email verification codes for emergency situations

### Session Management

**Session Security Configuration:**

* **Session Timeout**: Recommended 7-30 days, adjust based on security requirements
* **Concurrent Login Limits**: Restrict simultaneous logins per user account
* **IP Address Binding**: Implement IP whitelisting for enhanced security environments

### Password Policy

**Strong Password Requirements:**

* Minimum 8 characters, recommended 12+ characters
* Include uppercase and lowercase letters, numbers, and special characters
* Block commonly used weak passwords and dictionary attacks
* Enforce periodic password changes (every 90-180 days)

## Troubleshooting

### Common Issues

<Accordion title="When accessing Web App, prompted with no access permission">
  **Possible Causes:**

  * SSO configuration not enabled
  * Identity provider configuration error
  * Network connection issues

  **Solutions:**
  Contact your system administrator to verify SSO configuration at **System Settings** → **Identity Authentication** → **Web App External User Verification**.
</Accordion>

<Accordion title="User cannot log in, prompted with 'Authentication method not configured'">
  **Root Cause Analysis:**
  No authentication methods are currently enabled, or all methods have been disabled by the administrator.

  **Solutions:**

  1. Check **Identity Authentication** → **Member** configuration
  2. Enable at least one authentication method
  3. Confirm email service configuration is normal (if using email verification code)
  4. Test SSO connection status (if using SSO)
</Accordion>

<Accordion title="Email verification code cannot be sent or received">
  **Possible Causes:**

  * SMTP email service configuration error
  * Email server connection issues
  * Invalid user email address
  * Email filtered by spam

  **Solutions:**

  1. Verify SMTP server settings and connectivity
  2. Confirm email server authentication credentials
  3. Validate user email addresses
  4. Advise users to check their spam/junk folders
  5. Verify service status with your email provider
</Accordion>

<Accordion title="SSO login failure or cannot redirect">
  **Possible Causes:**

  * Identity provider configuration error
  * Incorrect callback address settings
  * User lacks permissions in identity provider
  * Network connection issues

  **Solutions:**

  1. Check identity provider configuration information
  2. Confirm the callback URL is correctly configured
  3. Verify user account status and permissions in your identity provider
  4. Check network connectivity to your identity provider
  5. Review system logs for detailed error messages
</Accordion>

With proper enterprise user authentication configuration, you can deliver a seamless AI application experience while maintaining security. We recommend selecting authentication strategies that align with your organization's security requirements and user base size.
