Applies to SUSE AI 1.0

9 Authenticating via Okta

Okta is an identity management service that allows you to manage users and user access to applications. This topic describes how to use Okta as the identity manager for Open WebUI.

The process of enabling Okta as the identity manager for Open WebUI consists of several steps:

  1. Configuring Okta (Section 9.1, “Configuring Okta”)

  2. Gathering data for Open WebUI configuration (Section 9.2, “Gathering data for Open WebUI configuration”)

  3. Configuring Open WebUI for Okta integration (Section 9.3, “Configuring Open WebUI for Okta integration”)

Tip

This example procedure shows the minimal configuration required to use Okta with Open WebUI. Customize the configuration to your specific scenario and refer to the Okta documentation at https://help.okta.com/en-us/content/index.htm?cshid=csh-index for more information.

9.1 Configuring Okta

Important

You must have administrator privileges to perform the following steps.

  1. Log in to Okta and access the Admin panel.

    Figure 9.1: Okta administrator panel
  2. Go to Applications › Create App Integration .

  3. In the Sign-in method section, select OIDC - OpenID Connect . In the Application type section, select Web Application . Click Next to proceed.

    Figure 9.2: Okta configuration window
  4. In the General Settings section, set the App integration name to Open WebUI . In the Grant type section, toggle the Refresh token option. Optionally, specify an image for the application logo.

  5. Set Sign-in redirect URIs to the callback URI, for example, http://localhost:8080/oauth/oidc/callback. The URI follows this pattern:

    PROTOCOL://OPENWEBUI_DOMAIN:OPTIONAL_PORT_NUMBER/oauth/oidc/callback

    The http://localhost example is only suitable for local testing; for any deployment reachable by other users, use https. Okta accepts the callback only if it matches a registered URI exactly, so the scheme, host, port and path must be the same ones Open WebUI uses when it redirects to Okta.
  6. Similarly, set Sign-out redirect URIs to

    PROTOCOL://OPENWEBUI_DOMAIN:OPTIONAL_PORT_NUMBER
  7. In the Assignments section, toggle the Skip group assignment for now option. Save changes.

    Tip: Open WebUI application settings

    After the integration is created, you can open the Open WebUI application settings by clicking the related hyperlink. You need these settings both for the remaining configuration steps and for retrieving the values that the Open WebUI configuration requires further on.

    Figure 9.3: Open WebUI application access in Okta
  8. In the General Settings section, click Edit and in the Login section, set the Sign-in redirect URIs option to the URI in this format:

    PROTOCOL://OPENWEBUI_DOMAIN:OPTIONAL_PORT_NUMBER/oauth/oidc/callback
  9. In the Login initiated by section, select App Only . Confirm with Save .

9.2 Gathering data for Open WebUI configuration

  1. In the top-right menu, copy the Okta domain. In this example, it is my-domain.okta.com.

    Figure 9.4: Okta domain name
  2. Go to Applications › Open WebUI and retrieve the Client ID and Client Secret .

    Figure 9.5: Client ID and secret in Okta
    Tip

    The previously gathered values are used by Open WebUI via the following environment variables as described in Section 9.3, “Configuring Open WebUI for Okta integration”.

    OPENID_PROVIDER_URL="https://OKTA_DOMAIN/.well-known/openid-configuration"
    OAUTH_CLIENT_ID="CLIENT_ID"
    OAUTH_CLIENT_SECRET="CLIENT_SECRET"

    OPENID_PROVIDER_URL must be a complete URL including the https:// scheme; with the domain from this example it is https://my-domain.okta.com/.well-known/openid-configuration. Treat the client secret like any other credential: do not paste it into tickets or chat, and rotate it in Okta if it is exposed.

9.3 Configuring Open WebUI for Okta integration

To configure Open WebUI to use Okta as an authentication provider, you must set up specific environment variables. For more information about OAuth 2.0 in Open WebUI and a complete description of each environment variable, refer to Open WebUI SSO documentation.

  1. Add the following environment variables to your Helm chart's values.yaml file in the extraEnvVars section. Note that values.yaml then contains the client secret in plain text, so restrict access to the file and keep it out of version control.

    ENABLE_OAUTH_SIGNUP=true
    OAUTH_MERGE_ACCOUNTS_BY_EMAIL=true
    OAUTH_CLIENT_ID=CLIENT_ID
    OAUTH_CLIENT_SECRET=CLIENT_SECRET
    OPENID_PROVIDER_URL=https://OKTA_DOMAIN/.well-known/openid-configuration
    OAUTH_PROVIDER_NAME=Okta
    OAUTH_SCOPES=openid email profile

    ENABLE_OAUTH_SIGNUP

    Allow account creation when logging in with OAuth 2.0. Without it, Okta users who do not already have an Open WebUI account cannot sign in.

    OAUTH_MERGE_ACCOUNTS_BY_EMAIL

    Allow logging into an existing account whose e-mail address matches the one provided by the OAuth 2.0 provider (optional). The match is made on the e-mail claim alone, so enable this only when every address Okta asserts is verified and controlled by your organization; otherwise an Okta identity carrying the address of an existing Open WebUI account is logged into that account.

    OAUTH_CLIENT_ID, OAUTH_CLIENT_SECRET and OPENID_PROVIDER_URL

    The values gathered from Okta in Section 9.2, “Gathering data for Open WebUI configuration”. OPENID_PROVIDER_URL must be a full URL including the https:// scheme, for example https://my-domain.okta.com/.well-known/openid-configuration.

    OAUTH_SCOPES

    Specify the scopes to request (optional, defaults to openid email profile). Keep email in the list when OAUTH_MERGE_ACCOUNTS_BY_EMAIL is enabled, otherwise no e-mail claim is returned to match on.

    The code block should look as follows:

    extraEnvVars:
      - name: ENABLE_OAUTH_SIGNUP
        value: "True"
      - name: OAUTH_MERGE_ACCOUNTS_BY_EMAIL
        value: "True"
      - name: OAUTH_CLIENT_ID
        value: "CLIENT_ID"
      - name: OAUTH_CLIENT_SECRET
        value: "CLIENT_SECRET"
      - name: OPENID_PROVIDER_URL
        value: "https://OKTA_DOMAIN/.well-known/openid-configuration"
      - name: OAUTH_PROVIDER_NAME
        value: "Okta"
      - name: OAUTH_SCOPES
        value: "openid email profile"
  2. Restart Open WebUI to apply the changes.

  3. If the configuration is correct, the Continue with Okta button appears as an option on both the sign-in and sign-up pages. After you click the button, you are redirected to the Okta login page, or signed in automatically if you already have an Okta session.

    Open WebUI
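The following Python script is an added example for this guide and is not code from Open WebUI or the SUSE AI Helm charts. It performs the checks worth running before restarting the service: it derives the callback URI that Section 9.1 registers in Okta from the base URL users reach Open WebUI on, validates the environment variables from Section 9.3 (scheme on OPENID_PROVIDER_URL, placeholders left in, merge-by-e-mail without the email scope), and compares an Okta discovery document against what the authorization code flow with refresh tokens needs. SAMPLE_DISCOVERY and SAMPLE_ENV are constructed samples modelled on the shape of a real Okta discovery document and of the values in this section; the function names are assumptions. In a real deployment, replace SAMPLE_DISCOVERY with the JSON fetched from OPENID_PROVIDER_URL.

```python
"""Pre-deployment checks for an Open WebUI <-> Okta OIDC configuration.

Added example for this guide; not code from Open WebUI or the SUSE AI charts.
Function names, SAMPLE_ENV and SAMPLE_DISCOVERY are assumptions/constructed."""
import json
from urllib.parse import urlparse

DISCOVERY_SUFFIX = "/.well-known/openid-configuration"
CALLBACK_PATH = "/oauth/oidc/callback"
PLACEHOLDERS = {"", "CLIENT_ID", "CLIENT_SECRET"}


def build_callback_uri(base_url):
    """Sign-in redirect URI to register in Okta, derived from the URL users
    reach Open WebUI on (PROTOCOL://OPENWEBUI_DOMAIN:OPTIONAL_PORT_NUMBER)."""
    return base_url.rstrip("/") + CALLBACK_PATH


def check_redirect_registered(base_url, registered_uris):
    """Okta matches redirect URIs exactly, so the callback must appear verbatim."""
    return build_callback_uri(base_url) in registered_uris


def check_env(env):
    """Return a list of problems in the Open WebUI OAuth environment variables."""
    problems = []
    if env.get("ENABLE_OAUTH_SIGNUP", "").lower() != "true":
        problems.append("ENABLE_OAUTH_SIGNUP must be true so Okta users get an account")
    scopes = env.get("OAUTH_SCOPES", "openid email profile").split()
    if "openid" not in scopes:
        problems.append("OAUTH_SCOPES must include openid for an OIDC login")
    merge = env.get("OAUTH_MERGE_ACCOUNTS_BY_EMAIL", "").lower() == "true"
    if merge and "email" not in scopes:
        problems.append("OAUTH_MERGE_ACCOUNTS_BY_EMAIL needs the email scope, "
                        "otherwise no e-mail claim is returned to match on")
    for key in ("OAUTH_CLIENT_ID", "OAUTH_CLIENT_SECRET"):
        if env.get(key, "") in PLACEHOLDERS:
            problems.append(key + " is empty or still a placeholder")
    url = urlparse(env.get("OPENID_PROVIDER_URL", ""))
    if url.scheme != "https":
        problems.append("OPENID_PROVIDER_URL must be an https:// URL "
                        "(put the scheme in front of the Okta domain)")
    if not url.path.endswith(DISCOVERY_SUFFIX):
        problems.append("OPENID_PROVIDER_URL must end with " + DISCOVERY_SUFFIX)
    return problems


def check_discovery(provider_url, doc, scopes="openid email profile"):
    """Compare a fetched discovery document with what this setup relies on:
    matching issuer, the endpoints Open WebUI calls, the authorization code
    flow with refresh tokens (toggled in Okta), and the requested scopes."""
    problems = []
    expected_issuer = provider_url
    if provider_url.endswith(DISCOVERY_SUFFIX):
        expected_issuer = provider_url[:-len(DISCOVERY_SUFFIX)]
    if doc.get("issuer") != expected_issuer:
        problems.append("issuer %r does not match %r" % (doc.get("issuer"), expected_issuer))
    for field in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if field not in doc:
            problems.append("discovery document lacks " + field)
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow not advertised")
    for grant in ("authorization_code", "refresh_token"):
        if grant not in doc.get("grant_types_supported", []):
            problems.append("grant type %s not advertised" % grant)
    missing = sorted(set(scopes.split()) - set(doc.get("scopes_supported", [])))
    if missing:
        problems.append("requested scopes not supported: %s" % ", ".join(missing))
    return problems


# Constructed sample: the shape of an Okta org authorization server's discovery
# document with illustrative values, not a capture from a real tenant.
SAMPLE_DISCOVERY = json.loads("""{
  "issuer": "https://my-domain.okta.com",
  "authorization_endpoint": "https://my-domain.okta.com/oauth2/v1/authorize",
  "token_endpoint": "https://my-domain.okta.com/oauth2/v1/token",
  "jwks_uri": "https://my-domain.okta.com/oauth2/v1/keys",
  "response_types_supported": ["code", "id_token", "code id_token"],
  "grant_types_supported": ["authorization_code", "implicit", "refresh_token"],
  "scopes_supported": ["openid", "email", "profile", "offline_access", "groups"]
}""")

# Constructed sample of the extraEnvVars values from Section 9.3.
SAMPLE_ENV = {
    "ENABLE_OAUTH_SIGNUP": "True",
    "OAUTH_MERGE_ACCOUNTS_BY_EMAIL": "True",
    "OAUTH_CLIENT_ID": "0oa1example",
    "OAUTH_CLIENT_SECRET": "constructed-secret-value",
    "OPENID_PROVIDER_URL": "https://my-domain.okta.com" + DISCOVERY_SUFFIX,
    "OAUTH_PROVIDER_NAME": "Okta",
    "OAUTH_SCOPES": "openid email profile",
}

if __name__ == "__main__":
    report = check_env(SAMPLE_ENV)
    report += check_discovery(SAMPLE_ENV["OPENID_PROVIDER_URL"], SAMPLE_DISCOVERY,
                              SAMPLE_ENV["OAUTH_SCOPES"])
    registered = ["http://localhost:8080/oauth/oidc/callback"]  # as entered in Okta
    if not check_redirect_registered("http://localhost:8080", registered):
        report.append("callback URI not registered in Okta")
    print("\n".join(report) if report else "configuration looks consistent")
```

Each check maps to a failure you would otherwise only see after the restart: a missing scheme makes Open WebUI unable to fetch the discovery document, a mismatched issuer or redirect URI makes Okta reject the login, and merging by e-mail without the email scope leaves no claim to merge on.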