Enterprise members are users who have registered in the Dify Enterprise workspace or been added by administrators through the admin console. The authentication system ensures these users can access Dify Enterprise resources only after proper verification.

Authentication Scope Overview

Dify Enterprise offers tailored authentication methods based on user roles and access requirements:

| Access Target | User Role | Authentication Method | Security Level |
|---|---|---|---|
| Workspace | Enterprise Internal Users | Email & Password, Email & Verification Code, SSO | High |
| Web App | Enterprise Internal Users, Specific Group Users | Email & Password, Email & Verification Code, SSO | Medium |

Authentication Method

System administrators can navigate to Admin Console > Identity Authentication > Member to centrally configure authentication methods for internal users accessing workspaces and Web Apps.

Email and Password Authentication

Applicable Scope:

  • Workspace
  • Web App

Features:

  • Classic username and password authentication
  • Configurable password security policies
  • Suitable for all user types

Configuration Steps:

  1. Identity Authentication > Member > Email and Password
  2. Enable the toggle
  3. Configure password policy (optional):
    • Minimum length requirement
    • Complexity requirements (uppercase, lowercase, numbers, special characters)
    • Password expiration time

[Figure: Enable email and password authentication in enterprise admin console]

Password Security Recommendations:

  • Enforce minimum password length of 8 characters
  • Include uppercase and lowercase letters, numbers, and special characters
  • Regularly remind users to update passwords
  • Prohibit common weak passwords

Email and Verification Code Authentication

Applicable Scope:

  • Workspace
  • Web App

Features:

  • Passwordless login method
  • Single-use email verification codes
  • Enhances user experience by eliminating password management

Configuration Steps:

  1. Verify that your email service is properly configured
  2. Enable “Email and Verification Code” on the Identity Authentication > Member page
  3. Configure verification code parameters:
    • Verification code validity period (recommended 5-10 minutes)
    • Sending frequency limits
    • Verification code length and type

[Figure: Enable email verification code authentication in enterprise admin console]

Prerequisites:

  • SMTP email service configured
  • Email service stable and available
  • Valid user email addresses
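
The verification code parameters listed above (validity period, sending frequency limit, code length and type, single use) interact as in the following sketch. This is an added example, not Dify's own code: the class name, the 6-digit length, the 60-second resend interval and the cap on wrong guesses are assumptions chosen for illustration, and the clock is passed in as `now` so the behaviour is easy to check.

```python
import hashlib
import hmac
import secrets

CODE_LENGTH = 6        # assumed: 6 numeric digits
CODE_TTL = 5 * 60      # validity period in seconds (page recommends 5-10 minutes)
RESEND_INTERVAL = 60   # assumed sending frequency limit: one code per minute
MAX_ATTEMPTS = 5       # assumed cap on wrong guesses per issued code


class VerificationCodes:
    """In-memory store of single-use email login codes (hypothetical helper)."""

    def __init__(self):
        self._pending = {}  # email -> [code_hash or None, issued_at, failed_attempts]

    @staticmethod
    def _digest(email, code):
        # Keep only a hash bound to the address, never the code itself.
        return hashlib.sha256(f"{email}:{code}".encode()).digest()

    def issue(self, email, now):
        """Return a fresh code to mail out, or None if the address is rate limited."""
        entry = self._pending.get(email)
        if entry and now - entry[1] < RESEND_INTERVAL:
            return None
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_LENGTH))
        # Issuing a new code replaces (and so invalidates) any earlier one.
        self._pending[email] = [self._digest(email, code), now, 0]
        return code

    def verify(self, email, code, now):
        """True only for the latest unexpired, unused code for this address."""
        entry = self._pending.get(email)
        if entry is None or entry[0] is None or now - entry[1] > CODE_TTL:
            return False
        # Constant-time comparison avoids leaking how much of the code matched.
        if hmac.compare_digest(entry[0], self._digest(email, code)):
            entry[0] = None          # single use: consume on success
            return True
        entry[2] += 1
        if entry[2] >= MAX_ATTEMPTS:
            entry[0] = None          # stop further guessing against this code
        return False
```

The consumed or locked-out entry keeps its issue time, so the resend limit still applies after a code has been used up or burned by wrong guesses.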

Single Sign-On (SSO)

Applicable Scope:

  • Workspace
  • Web App

Features:

  • Integration with existing enterprise identity systems
  • Supports OIDC, SAML, OAuth2 protocols
  • Unified enterprise identity management
  • Supports automatic user synchronization

Configuration Steps:

  1. Enable “Single Sign-On (SSO)” on the Identity Authentication > Member page
  2. Configure identity provider information
  3. Set user attribute mapping
  4. Test SSO connection

[Figure: Enable SSO authentication in enterprise admin console]

When setting up SSO, ensure you configure the correct callback URL in your identity provider. Note that Workspace and Web App require different callback URLs; configure each accordingly.

For detailed SSO configuration instructions, please refer to Enterprise SSO Configuration Guide.

Access Permission Management

Workspace

System administrators can enable email and password authentication, email and verification code authentication, and Single Sign-On (SSO) authentication methods in System Settings > Identity Authentication > Member.

When users access the Dify Enterprise workspace, they’ll see authentication prompts based on your configuration settings and gain access upon successful verification.

User Registration Strategies:

Here are the most common user registration strategies:

Configuration:

  • Enable “Allow users to register accounts themselves”
  • Enable “Allow system to automatically create personal spaces”

Features:

  • Users can self-register and start using the platform immediately
  • Personal workspaces are automatically created
  • Suitable for open enterprise environments

Web App

When Web App access is set to All Platform Members or Specific Platform Groups, the authentication methods configured in “Enterprise User Authentication” (email/password, email verification codes, or SSO) will be automatically applied. Users not on the Dify Enterprise member list will receive an access denied message.

Security Best Practices

Authentication Strategy Recommendations

Enable Multiple Authentication Methods

  • Use SSO as your primary method for centralized identity management
  • Maintain email/password authentication as a fallback option
  • Reserve email verification codes for emergency situations

Session Management

Session Security Configuration:

  • Session Timeout: Recommended 7-30 days, adjust based on security requirements
  • Concurrent Login Limits: Restrict simultaneous logins per user account
  • IP Address Binding: Implement IP whitelisting for high-security environments

Password Policy

Strong Password Requirements:

  • Minimum 8 characters, recommended 12+ characters
  • Include uppercase and lowercase letters, numbers, and special characters
  • Block commonly used weak passwords to resist dictionary attacks
  • Enforce periodic password changes (every 90-180 days)

Troubleshooting

Common Issues

With proper enterprise user authentication configuration, you can deliver a seamless AI application experience while maintaining security. We recommend selecting authentication strategies that align with your organization’s security requirements and user base size.