Configuring SAML with Azure
This document uses Azure Entra ID as the SSO identity provider to show how to enable the SAML authentication protocol for Dify Enterprise. With this feature enabled, the enterprise login page uses a single identity authentication entry point, which improves security. Internal users no longer need to enter complex passwords; they log in with their organizational accounts to pass verification, simplifying the login process.
1. Create a New Application in Azure
Access the Azure administrator backend page, navigate to the Applications page, and click New application.
Select Create your own application, enter an application name such as “dify”, select Integrate any other application you don’t find in the gallery (Non-gallery), and click Create.
Next, assign the members who can see this application. Only Azure members assigned here are allowed to log in to Dify Enterprise. Select Users and groups on the left side of the application, then click Add user/group.
2. Configure the Application
Click the Single sign-on option under Manage on the left side of the application, then select the SAML option.
Edit the SAML configuration and enter the Dify Enterprise ACS URL in both the Entity ID and Reply URL fields.
For member (Workspaces) SSO: click Admin Backend → Identity Authentication → Member → SSO Identity Provider → New Identity Provider → New SAML Provider, and copy the Callback URL shown at the bottom.
It usually follows this format:
For Web App SSO: click Admin Backend → Identity Authentication → Web App → SSO Identity Provider → New Identity Provider → New SAML Provider, and copy the Callback URL shown at the bottom.
It usually follows this format:
After obtaining the ACS URL, switch back to the Azure application page and download the Certificate from the SAML Certificates section; also copy the Login URL from the setup page. You will enter these two values in the Dify Enterprise admin backend next.
Advanced Configuration: Edit Attributes and Claims
- Click Unique User Identifier (Name ID) under Required claim.
- Change the source attribute to user.mail.
3. Complete Dify Enterprise Backend Configuration
The system administrator opens the Authentication page of Dify Enterprise and clicks “+ New Identity Provider → New SAML Provider”, then:
- Enter the Login URL from the Azure application in the IdP SSO URL field;
- Paste the content of the downloaded Certificate file into the X509 Signing Certificate field.
4. Enable SSO Mandatory Authentication
After completing the SSO provider configuration, click the toggle on the right side of “Workspaces SSO” or “WebApp SSO” to enable SSO authentication for your team. Once enabled, members of your organization must complete identity verification before they can access resources in Dify Enterprise.
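As an added illustration (not Dify or Azure code), the checks a service provider makes on the SAML Response that Entra ID posts to the callback URL, tied to the values configured above: Destination and Audience must equal the ACS URL that was entered as both Entity ID and Reply URL, the NameID must carry the e-mail mapped from user.mail, and the assertion must be inside its validity window. The ACS URL, tenant ID and sample response are constructed placeholders; verifying the XML signature against the downloaded certificate is a separate, mandatory step not shown here.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Placeholder for the Dify callback URL that is entered as both Entity ID and Reply URL.
ACS_URL = "https://dify.example.com/PLACEHOLDER/saml/acs"

# Constructed sample response, shaped like what Entra ID posts to the ACS URL.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" Destination="{ACS_URL}">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml:Issuer>
    <saml:Subject><saml:NameID Format="{EMAIL_FORMAT}">alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{ACS_URL}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def parse_ts(s):
    """SAML timestamps are UTC ISO-8601 with a trailing Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_response(xml_text, acs_url, now):
    """Return the list of problems found; an empty list means the checks passed.
    Signature verification against the IdP certificate is a separate, mandatory step."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.get("Destination") != acs_url:
        problems.append("Destination does not match the ACS URL")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:  # never silently pick the first of several assertions
        return problems + ["expected exactly one Assertion"]
    a = assertions[0]
    name_id = a.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT or "@" not in (name_id.text or ""):
        problems.append("NameID is not an e-mail address (source attribute should be user.mail)")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        return problems + ["missing Conditions"]
    not_before, not_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if (not_before and now < parse_ts(not_before)) or not not_after or now >= parse_ts(not_after):
        problems.append("assertion is outside its validity window")
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if acs_url not in audiences:  # Entity ID was set to the ACS URL, so Audience must equal it
        problems.append("Audience does not match the Entity ID")
    return problems
```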