SSO Authentication Introduction
Dify Enterprise supports enforcing Single Sign-On (SSO) for organization members. Once enabled, team members must log in to the Dify Enterprise platform through identity providers (such as Microsoft Entra ID, Okta, and GitHub authentication providers).
System administrators only need to select the corresponding protocol and configure parameters on the Authentication page to enable a more secure identity authentication system for Dify Enterprise, supporting OpenID Connect (OIDC), SAML, and OAuth2 protocols.
SSO Application Scope
Based on the users involved, Dify Enterprise's SSO authentication system offers the following two scopes of Single Sign-On (SSO) configuration:
Internal Users
Internal users refer to members who have registered in the Dify Enterprise workspace or have been added in the admin backend.
Workspace
- Controls how users access the Dify Enterprise workspace.
- Once enabled, all users must authenticate through your designated identity provider (IdP) before entering any workspace.
Web App
- Controls internal user access to Web Apps created on the Dify Enterprise platform.
- Once enabled, internal users must authenticate through the identity provider (IdP) before accessing any Web App created on the Dify Enterprise platform. This is a global setting; it cannot enable or disable the requirement for a single Web App. To group users and grant permissions per Web App, please refer to Application Access Permission Management.
The callback URLs for Workspace SSO and Web App SSO are different; please note the distinction.
External Users
External users refer to members who have not joined the Dify Enterprise system.
Web App
- After SSO authentication, external users can access Web Apps created on the Dify Enterprise platform.
- Once enabled, external users must authenticate through the identity provider (IdP) before accessing any Web App created by Dify Enterprise.
The Web App callback URL for this scope is different from the Web App callback URL for internal users; please note the distinction.
⚠️ Important Notes
For security reasons, some identity providers (IdPs) block SSO authentication inside iframe pages. This affects Web Apps that are embedded in other web pages. Check the identity provider's CSP frame-ancestors configuration to confirm that embedding works. For detailed instructions, please refer to this documentation.
The security policies of different IdP vendors differ:
- Azure Entra ID explicitly does not allow SSO login pages to be embedded in iframe pages, for security reasons.
- Okta can be configured to allow SSO login pages to be embedded. For detailed instructions, please refer to the Okta Official Documentation.
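As an added illustration (not from the Dify documentation or code), the following Python script applies that check to the headers of an IdP login response: it evaluates the CSP frame-ancestors directive, falling back to X-Frame-Options, against the origin of the page that would embed the Web App. The header samples are constructed and the hostnames (login.idp.example, apps.dify.example) are hypothetical.

```python
from urllib.parse import urlparse

def _origin(url):
    """Return (scheme, host, port) for a URL, filling in the default port."""
    u = urlparse(url)
    port = str(u.port) if u.port else ("443" if u.scheme == "https" else "80")
    return u.scheme.lower(), (u.hostname or "").lower(), port

def _source_matches(src, embed, page):
    """Match one frame-ancestors source expression against the embedding origin."""
    src = src.lower()
    if src == "'self'":
        return embed == page
    if src.endswith(":") and "/" not in src:            # scheme-source, e.g. https:
        return embed[0] == src[:-1]
    scheme, _, rest = src.partition("://") if "://" in src else ("", "", src)
    host, _, port = rest.split("/")[0].partition(":")   # drop any path, split off port
    # A host-source without a scheme is treated as scheme-agnostic here (simplification).
    if (scheme and embed[0] != scheme) or (port and port not in ("*", embed[2])):
        return False
    if host.startswith("*."):                           # wildcard covers subdomains only
        return embed[1].endswith(host[1:])
    return host == "*" or embed[1] == host

def frame_ancestors_verdict(csp, embed, page):
    """True/False from the frame-ancestors directive, None if the directive is absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            sources = [t.lower() for t in tokens[1:]]
            if not sources or sources == ["'none'"]:      # empty list behaves like 'none'
                return False
            return any(_source_matches(s, embed, page) for s in sources)
    return None

def embedding_allowed(headers, idp_login_url, embedding_page_url):
    """Decide from the IdP's response headers whether embedding_page_url may frame the login page."""
    embed, page = _origin(embedding_page_url), _origin(idp_login_url)
    h = {k.lower(): v for k, v in headers.items()}
    verdict = frame_ancestors_verdict(h.get("content-security-policy", ""), embed, page)
    if verdict is not None:                             # CSP overrides X-Frame-Options
        return verdict
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return xfo == "SAMEORIGIN" and embed == page
    return True                                         # no framing restriction advertised

# Constructed sample responses (hypothetical hostnames, not captured from any real IdP).
IDP_BLOCKS_FRAMING = {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"}
IDP_ALLOWS_TENANT = {"Content-Security-Policy": "frame-ancestors 'self' https://*.dify.example"}
```

Run it against the headers your IdP actually returns for its login URL; a False result means an embedded Web App will not be able to complete SSO in that context.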
Configure SSO Authentication
Administrators can easily integrate Dify Enterprise with various identity providers, such as Okta, OneLogin, or Azure Active Directory (Azure AD). Dify Enterprise supports any identity provider that meets OIDC requirements or SAML standards.
You can refer to the following SSO provider configuration guides:
- Okta
- Azure
- GitHub
Set Session Timeout Limits
This option is used to set the session duration for organization members. After this time, the system will prompt members to re-authenticate with the identity provider to regain access to Dify Enterprise resources.
The default value is 7 days.
Enable SSO Authentication
Click the blue button in the SSO Enforcement section to enable SSO authentication. Administrators can choose to enable login authentication for Workspace or Web App.
Common Issues
For detailed instructions, please refer to FAQ.