This document will mention internal users and external users. The following distinctions are made: Internal members: Members registered within the Dify Enterprise workspace or added through the admin backend. External users: Members not within Dify Enterprise
1. Create a New Application in Okta
-
Access the Okta administrator backend page, navigate to the Applications page. Click the Create App Integration button, select OIDC login method and Web Application application type.
- Fill in the application name according to the page prompts and define the authorization scope according to requirements.
- The
Sign-in redirect URIsfield needs to be filled with the Dify Enterprise Callback URL. Please refer to the section below for how to obtain it. - Leave the
Sign-out redirect URIsfield empty.
2. Obtaining Callback URL
According to the required SSO scope to be enabled, Callback URLs differ. System administrators need to fill the Dify Enterprise Callback URL into the corresponding GitHub OAuth2 application to complete the creation process.- Workspace
- WebApp Members (For Internal Users)
- WebApp External Users (For External Users)
Click Admin Backend → Identity Authentication → Member → SSO Identity Provider → New Identity Provider → New OAuth2 Provider, and view the Workspace Callback URL at the bottom.It usually follows this format:
- Paste it into the Sign-in redirect URIs field in the Okta App and save the application.
3. Enable OAuth2 Authentication
3.1 Obtain Key Information from Okta Application
-
Go to the “General” page of the Okta application and copy the information from the following fields for subsequent configuration:
- Client ID
- Client secret
-
(Optional) Check Proof Key for Code Exchange (PKCE) → Require PKCE as additional verification then click Save. After checking this option, Okta will enforce verification of the
code_verifierwhen exchanging authorization codes for tokens, reducing the risk of authorization code interception attacks. -
Switch to the “Sign On” page and set the Issuer to a fixed link.
3.2 Configure OAuth2 Authentication
Access the Dify Enterprise Authentication page, click + New Identity Provider → New OAuth2 Provider, and fill in the following information according to the prompts:- Client ID
- Client Secrets
- If PKCE verification is enabled in the Okta application, you need to enable the PKCE Additional Verification switch in the window
- Authorization Endpoint:
https://your-okta-issuer-url/v1/authorize - Token Endpoint:
https://your-okta-issuer-url/v1/token - User Info Endpoint:
https://your-okta-issuer-url/v1/userinfo - Scopes:
openid,profile,email
How to obtain your-okta-issuer-url: Security → API → Authorization Servers → Issuer URI. For more information on how to obtain more field information through Okta App, please refer to Use of the Issuer.
4. Enable SSO Mandatory Authentication (Optional)
System administrators can enable SSO Enforcement options for the following two scenarios to enable mandatory authentication:- Workspace: Requires authorization when logging into Dify Enterprise Workspace.
- WebApp: Requires verification when using applications created by the current Dify Enterprise.
